TACACS on 4431 Management Interface

Getting TACACS+ working via the Cisco 4431 management interface threw up a few issues and took a few tweaks. The final issue I found was that referencing all servers with the bare tacacs+ keyword (group tacacs+) doesn't work: you have to reference a named TACACS+ server group, with the servers, the VRF and the source interface defined within it.

Below is a working configuration example for TACACS+ via the management port in the Mgmt-intf VRF. I've also included a few further snippets to get other management services (syslog, TFTP config archive, SNMP traps) sourced from the same VRF.

! Mgmt interface config
!
interface GigabitEthernet0
 description ** Mgmt intf **
 vrf forwarding Mgmt-intf
 ip address 192.168.0.1 255.255.255.0
 negotiation auto
!
!
! Default route for Management VRF
!
ip route vrf Mgmt-intf 0.0.0.0 0.0.0.0 192.168.0.254
!
!
! Define source interface at global level
!
ip tacacs source-interface GigabitEthernet0
!
! aaa config
!
aaa new-model
!
!
! server-private defines the servers locally to this group (they are not
! shared with the global tacacs-server list). The VRF and the source
! interface must be configured inside the group context as well as globally.
!
aaa group server tacacs+ TACACS
 server-private 10.0.0.100 key MYKEY
 server-private 10.0.1.100 key MYKEY
 ip vrf forwarding Mgmt-intf
 ip tacacs source-interface GigabitEthernet0
!
! Falls back to the enable password only if no TACACS+ server responds;
! a reject from a reachable server does not fall through to enable.
!
aaa authentication login REMOTE_ACCESS group TACACS enable
aaa authentication enable default group TACACS enable
aaa accounting exec REMOTE_ACCESS
 action-type stop-only
 group TACACS
!
aaa accounting commands 15 REMOTE_ACCESS
 action-type stop-only
 group TACACS
!
aaa session-id common
!
!
! Apply to vtys and console if you need to.
!
line vty 0 4
 accounting commands 15 REMOTE_ACCESS
 accounting exec REMOTE_ACCESS
 login authentication REMOTE_ACCESS
line vty 5 15
 accounting commands 15 REMOTE_ACCESS
 accounting exec REMOTE_ACCESS
 login authentication REMOTE_ACCESS

Syslog

logging source-interface GigabitEthernet0 vrf Mgmt-intf
logging host 10.0.0.101 vrf Mgmt-intf

TFTP (auto write after wr mem)

TFTP is unauthenticated and unencrypted, so the archived running configuration (including any type 7 keys) crosses the wire in cleartext. Keep the TFTP server inside the management VRF and reachable only from it.

ip tftp source-interface GigabitEthernet0

archive
 path tftp://10.0.0.101/configs/$h-
 write-memory

SNMP Traps

These traps use SNMPv2c, so the community string is sent in the clear; that is only tolerable because it stays within the management VRF. Use SNMPv3 with authPriv where the NMS supports it.

snmp-server trap-source GigabitEthernet0
snmp-server host 10.0.0.101 vrf Mgmt-intf version 2c MYCOMMUNITY

Using the Cisco 3650 Management Port

Configuring some new Cisco 3650s, I wanted to use the management ports rather than setting up management LAN SVIs and so on. This is particularly useful in a DMZ, as the management port sits in its own VRF (Mgmt-vrf), so management traffic is kept apart from the data plane.

Here's a short summary of the steps taken to get around things not working at first, because the traffic wasn't being sourced from within the management VRF. IP addresses are examples only.

First off, configure the management interface and default route:

interface GigabitEthernet0/0
 description ** Network Management Interface **
 vrf forwarding Mgmt-vrf
 ip address 192.168.0.1 255.255.255.0

ip route vrf Mgmt-vrf 0.0.0.0 0.0.0.0 192.168.0.254

Logging

logging source-interface GigabitEthernet0/0 vrf Mgmt-vrf
logging host 192.168.100.2 vrf Mgmt-vrf

NTP

ntp server vrf Mgmt-vrf 192.168.100.1

TFTP

ip tftp source-interface GigabitEthernet0/0

AAA needs a modification to work: the server group has to be bound to the management VRF.

! 'server <ip>' refers to a server already defined globally
! (tacacs-server host <ip> key <key>); the alternative is
! server-private with the key inline, as in the 4431 example.
aaa group server tacacs+ TACACS_GROUP
 server 10.0.0.99
 server 10.0.1.99
 ip vrf forwarding Mgmt-vrf

ip tacacs source-interface GigabitEthernet0/0

SNMP

snmp-server host 10.0.0.102 vrf Mgmt-vrf version 2c YOURSTRING

That covers the essentials!