
Cisco IOS Software Releases 12.3 T

Per VRF for TACACS+ Servers


Per VRF for TACACS+ Servers


The Per VRF for TACACS+ Servers feature allows you to configure per virtual route forwarding (per VRF) authentication, authorization, and accounting (AAA) on TACACS+ servers.

Feature History for Per VRF for TACACS+ Servers

Release     Modification
12.3(7)T    This feature was introduced.


Finding Support Information for Platforms and Cisco IOS Software Images

Use Cisco Feature Navigator to find information about platform support and Cisco IOS software image support. Access Cisco Feature Navigator at http://www.cisco.com/go/fn. You must have an account on Cisco.com. If you do not have an account or have forgotten your username or password, click Cancel at the login dialog box and follow the instructions that appear.

Contents

Prerequisites for Per VRF for TACACS+ Servers

Restrictions for Per VRF for TACACS+ Servers

Information About Per VRF for TACACS+ Servers

How to Configure Per VRF for TACACS+ Servers

Configuration Examples for Per VRF for TACACS+ Servers

Additional References

Command Reference

Prerequisites for Per VRF for TACACS+ Servers

You must have access to a TACACS+ server.

You should be familiar with configuring TACACS+.

You should be familiar with configuring AAA and per VRF AAA.

You should be familiar with configuring group servers.

Restrictions for Per VRF for TACACS+ Servers

You must define the VRF instance before you can configure per VRF for a TACACS+ server.

Information About Per VRF for TACACS+ Servers

To configure the Per VRF for TACACS+ Servers feature, you should understand the following concept:

Per VRF for TACACS+ Servers Overview

Per VRF for TACACS+ Servers Overview

The Per VRF for TACACS+ Servers feature allows you to configure per VRF AAA on TACACS+ servers. Prior to Cisco IOS Release 12.3(7)T, this functionality was available only on RADIUS servers.

How to Configure Per VRF for TACACS+ Servers

This section contains the following procedures:

Configuring Per VRF on a TACACS+ Server (required)

Verifying Per VRF for TACACS+ Servers (optional)

Configuring Per VRF on a TACACS+ Server

Before configuring per VRF on a TACACS+ server, you must have configured AAA and a server group. Then you are ready to create the VRF routing table, as shown in Steps 3 and 4 of the DETAILED STEPS table below. At that point, you need to configure the interface, which is shown in Steps 6, 7, and 8 of the table. The actual configuration of per VRF on a TACACS+ server is configured in Steps 10 through 13 of the table.

SUMMARY STEPS

1. enable

2. configure terminal

3. ip vrf vrf-name

4. rd route-distinguisher

5. exit

6. interface interface-name

7. ip vrf forwarding vrf-name

8. ip address ip-address mask [secondary]

9. exit

10. aaa group server tacacs+ group-name

11. server-private {ip-address | name} [nat] [single-connection] [port port-number] [timeout seconds] [key [0 | 7] string]

12. ip vrf forwarding vrf-name

13. ip tacacs source-interface subinterface-name

14. exit

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

configure terminal

Example:

Router# configure terminal

Enters global configuration mode.

Step 3 

ip vrf vrf-name

Example:

Router (config)# ip vrf cisco

Configures a VRF table and enters VRF configuration mode.

Step 4 

rd route-distinguisher

Example:

Router (config-vrf)# rd 100:1

Creates routing and forwarding tables for a VRF instance.

Step 5 

exit

Example:

Router (config-vrf)# exit

Exits VRF configuration mode.

Step 6 

interface interface-name

Example:

Router (config)# interface Loopback0

Configures an interface and enters interface configuration mode.

Step 7 

ip vrf forwarding vrf-name

Example:

Router (config-if)# ip vrf forwarding cisco

Configures a VRF for the interface.

Step 8 

ip address ip-address mask [secondary]

Example:

Router (config-if)# ip address 10.0.0.2 255.0.0.0

Sets a primary or secondary IP address for an interface.

Step 9 

exit

Example:

Router (config-if)# exit

Exits interface configuration mode.

Step 10 

aaa group server tacacs+ group-name

Example:

Router (config)# aaa group server tacacs+ tacacs1

Groups different TACACS+ server hosts into distinct lists and distinct methods and enters server-group configuration mode.

Step 11 

server-private {ip-address | name} [nat] [single-connection] [port port-number] [timeout seconds] [key [0 | 7] string]

Example:

Router (config-sg-tacacs+)# server-private 10.1.1.1 port 19 key cisco

Configures the IP address of the private TACACS+ server for the group server.

Step 12 

ip vrf forwarding vrf-name

Example:

Router (config-sg-tacacs+)# ip vrf forwarding cisco

Configures the VRF reference of a AAA TACACS+ server group.

Step 13 

ip tacacs source-interface subinterface-name

Example:

Router (config-sg-tacacs+)# ip tacacs source-interface Loopback0

Uses the IP address of a specified interface for all outgoing TACACS+ packets.

Step 14 

exit

Example:

Router (config-sg-tacacs+)# exit

Exits server-group configuration mode.

Verifying Per VRF for TACACS+ Servers

To verify your per VRF TACACS+ configuration, you can perform the following steps. The debug commands may be used in any order.

SUMMARY STEPS

1. enable

2. debug tacacs authentication

3. debug tacacs authorization

4. debug tacacs accounting

5. debug tacacs packets

DETAILED STEPS

 
Command or Action
Purpose

Step 1 

enable

Example:

Router> enable

Enables privileged EXEC mode.

Enter your password if prompted.

Step 2 

debug tacacs authentication

Example:

Router# debug tacacs authentication

Displays information about AAA/TACACS+ authentication.

Step 3 

debug tacacs authorization

Example:

Router# debug tacacs authorization

Displays information about AAA/TACACS+ authorization.

Step 4 

debug tacacs accounting

Example:

Router# debug tacacs accounting

Displays information about accountable events as they occur.

Step 5 

debug tacacs packets

Example:

Router# debug tacacs packets

Displays information about TACACS+ packets.

Configuration Examples for Per VRF for TACACS+ Servers

This section includes the following configuration example:

Configuring Per VRF for TACACS+ Servers: Example

Configuring Per VRF for TACACS+ Servers: Example

The following output example shows that the group server tacacs1 has been configured for per VRF AAA services:

aaa group server tacacs+ tacacs1
 server-private 10.1.1.1 port 19 key cisco
 ip vrf forwarding cisco
 ip tacacs source-interface Loopback0

ip vrf cisco
 rd 100:1

interface Loopback0
 ip address 10.0.0.2 255.0.0.0
 ip vrf forwarding cisco
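As an added example (not Cisco's own code or tooling), the following Python checker parses a running-config in the shape of the example above and flags the two conditions this document calls out: a server group that references a VRF never created with ip vrf (see Restrictions), and a source interface with no IP address, in which case TACACS+ reverts to its default source. It also checks that the source interface belongs to the group's VRF, an assumption drawn from the example, where Loopback0 sits in VRF cisco; the sample config, parse_ios, sub_arg and check_per_vrf_tacacs are all constructed here.

```python
# Constructed sample: the page's tacacs1 example plus a deliberately broken tacacs2.
SAMPLE_CONFIG = """\
aaa group server tacacs+ tacacs1
 server-private 10.1.1.1 port 19 key cisco
 ip vrf forwarding cisco
 ip tacacs source-interface Loopback0
aaa group server tacacs+ tacacs2
 server-private 10.2.2.2 key cisco
 ip vrf forwarding blue
 ip tacacs source-interface Loopback1
ip vrf cisco
 rd 100:1
interface Loopback0
 ip address 10.0.0.2 255.0.0.0
 ip vrf forwarding cisco
interface Loopback1
 ip vrf forwarding blue
"""

def parse_ios(text):
    # Split a running-config into (top-level command, [indented subcommands]) pairs.
    sections = []
    for line in (ln.rstrip() for ln in text.splitlines()):
        if not line.startswith(" ") and line not in ("", "!"):
            sections.append((line, []))
        elif line.startswith(" ") and sections:
            sections[-1][1].append(line.strip())
    return sections

def sub_arg(subs, prefix):
    # Word following `prefix` in the first matching subcommand, else None.
    for s in subs:
        if s.startswith(prefix + " "):
            return s[len(prefix):].split()[0]

def check_per_vrf_tacacs(text):
    sections = parse_ios(text)
    vrfs = {h.split()[2] for h, _ in sections if h.startswith("ip vrf ")}
    ifaces = {h.split(None, 1)[1]: (sub_arg(s, "ip vrf forwarding"), sub_arg(s, "ip address") is not None)
              for h, s in sections if h.startswith("interface ")}
    findings = []
    for head, subs in sections:
        if not head.startswith("aaa group server tacacs+ "):
            continue
        group, vrf = head.split()[4], sub_arg(subs, "ip vrf forwarding")
        src = sub_arg(subs, "ip tacacs source-interface")
        if vrf and vrf not in vrfs:  # the VRF must exist before a group can reference it
            findings.append(f"{group}: VRF {vrf} is not defined with 'ip vrf'")
        if src:
            src_vrf, has_ip = ifaces.get(src, (None, False))
            if not has_ip:  # missing or address-less: TACACS+ reverts to its default source
                findings.append(f"{group}: source interface {src} has no usable IP address")
            if src_vrf != vrf:  # assumption: the source interface must live in the group's VRF
                findings.append(f"{group}: source interface {src} is in VRF {src_vrf}, not {vrf}")
    return findings
```

Run check_per_vrf_tacacs on the output of show running-config; an empty list means every TACACS+ server group references an existing VRF and an addressed interface in that VRF.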

Additional References

The following sections provide references related to Per VRF for TACACS+ Servers.

Related Documents

Related Topic
Document Title

Configuring TACACS+

"Configuring TACACS+" chapter of the "Security Server Protocols" section of the Cisco IOS Security Configuration Guide

Per VRF AAA

Per VRF AAA

Cisco IOS commands

Cisco Master Commands list, Release 12.4T

Security commands

Cisco IOS Security Commands, Release 12.4T


Standards

Standards
Title

No new or modified standards are supported by this feature, and support for existing standards has not been modified by this feature.


MIBs

MIBs
MIBs Link

No new or modified MIBs are supported by this feature, and support for existing MIBs has not been modified by this feature.

To locate and download MIBs for selected platforms, Cisco IOS releases, and feature sets, use Cisco MIB Locator found at the following URL:

http://www.cisco.com/go/mibs


RFCs

RFCs
Title

No new or modified RFCs are supported by this feature, and support for existing RFCs has not been modified by this feature.


Technical Assistance

Description
Link

The Cisco Technical Support & Documentation website contains thousands of pages of searchable technical content, including links to products, technologies, solutions, technical tips, and tools. Registered Cisco.com users can log in from this page to access even more content.

http://www.cisco.com/techsupport


Command Reference

This section documents modified commands only.

ip tacacs source-interface

ip vrf forwarding (server-group)

server-private (TACACS+)

ip tacacs source-interface

To use the IP address of a specified interface for all outgoing TACACS+ packets, use the ip tacacs source-interface command in global configuration or server-group configuration mode. To disable use of the specified interface IP address, use the no form of this command.

ip tacacs source-interface subinterface-name

no ip tacacs source-interface

Syntax Description

subinterface-name

Name of the interface that TACACS+ uses for all of its outgoing packets.


Defaults

No default behavior or values.

Command Modes

Global configuration

Server-group configuration

Command History

Release     Modification
10.0        This command was introduced.
12.3(7)T    This command was introduced in server-group configuration mode.


Usage Guidelines

Use this command to set the IP address of a subinterface for all outgoing TACACS+ packets. This address is used as long as the interface is in the up state. In this way, the TACACS+ server can use one IP address entry associated with the network access client instead of maintaining a list of all IP addresses.

This command is especially useful in cases where the router has many interfaces and you want to ensure that all TACACS+ packets from a particular router have the same IP address.

The specified interface must have an IP address associated with it. If the specified subinterface does not have an IP address or is in a down state, TACACS+ reverts to the default. To avoid this situation, add an IP address to the subinterface or bring the interface to the up state.


Note: This command can be configured globally or in server-group configuration mode. If this command is configured in server-group configuration mode, the IP address of the specified interface is used only for packets that are going to servers defined in that server group. If this command is not configured in server-group configuration mode, the global configuration applies.


Examples

The following example makes TACACS+ use the IP address of subinterface "s2" for all outgoing TACACS+ packets:

ip tacacs source-interface s2

In the following example, TACACS+ is to use the IP address of Loopback0 for packets that are going only to server 10.1.1.1:

aaa group server tacacs+ tacacs1
 server-private 10.1.1.1 port 19 key cisco
 ip vrf forwarding cisco
 ip tacacs source-interface Loopback0

ip vrf cisco
 rd 100:1

interface Loopback0
 ip address 10.0.0.2 255.0.0.0
 ip vrf forwarding cisco

Related Commands

Command
Description

ip radius source-interface

Forces RADIUS to use the IP address of a specified interface for all outgoing RADIUS packets.

ip telnet source-interface

Allows a user to select an address of an interface as the source address for Telnet connections.

ip tftp source-interface

Allows a user to select the interface whose address will be used as the source address for TFTP connections.

ip vrf forwarding (server-group)

Configures the VRF reference of an AAA RADIUS or TACACS+ server group.

server-private

Configures the IP address of the private RADIUS or TACACS+ server for the group server.


ip vrf forwarding (server-group)

To configure the Virtual Private Network (VPN) routing and forwarding (VRF) reference of an authentication, authorization, and accounting (AAA) RADIUS or TACACS+ server group, use the ip vrf forwarding command in server-group configuration mode. To enable server groups to use the global (default) routing table, use the no form of this command.

ip vrf forwarding vrf-name

no ip vrf forwarding vrf-name

Syntax Description

vrf-name

Name assigned to a VRF.


Defaults

Server groups use the global routing table.

Command Modes

Server-group configuration

Command History

Release      Modification
12.2(2)DD    This command was introduced on the Cisco 7200 series and Cisco 7401ASR.
12.2(4)B     This command was integrated into Cisco IOS Release 12.2(4)B.
12.2(13)T    This command was integrated into Cisco IOS Release 12.2(13)T.
12.3(7)T     Functionality was added for TACACS+ servers.


Usage Guidelines

Use the ip vrf forwarding command to specify a VRF for a AAA RADIUS or TACACS+ server group. This command enables dial users to utilize AAA servers in different routing domains.

Examples

The following example shows how to configure the VRF user to reference the RADIUS server in a different VRF server group:

aaa group server radius sg_global
 server-private 172.16.0.0 timeout 5 retransmit 3
!
aaa group server radius sg_water
 server-private 10.10.0.0 timeout 5 retransmit 3 key water
 ip vrf forwarding water

The following example shows how to configure the VRF user to reference the TACACS+ server in the server group tacacs1:

aaa group server tacacs+ tacacs1
 server-private 1.1.1.1 port 19 key cisco
 ip vrf forwarding cisco
 ip tacacs source-interface Loopback0

ip vrf cisco
 rd 100:1

interface Loopback0
 ip address 10.0.0.2 255.0.0.0
 ip vrf forwarding cisco

Related Commands

Command
Description

aaa group server radius

Groups different RADIUS server hosts into distinct lists and distinct methods.

ip tacacs source-interface

Uses the IP address of a specified interface for all outgoing TACACS+ packets.

ip vrf forwarding (server-group)

Configures the VRF reference of an AAA RADIUS or TACACS+ server group.

server-private

Configures the IP address of the private RADIUS server for the group server.


server-private (TACACS+)

To configure the IP address of the private TACACS+ server for the group server, use the server-private command in server-group configuration mode. To remove the associated private server from the authentication, authorization, and accounting (AAA) group server, use the no form of this command.

server-private {ip-address | name} [nat] [single-connection] [port port-number] [timeout seconds] [key [0 | 7] string]

no server-private

Syntax Description

ip-address

IP address of the private RADIUS or TACACS+ server host.

name

Name of the private RADIUS or TACACS+ server host.

nat

(Optional) Port Network Address Translation (NAT) address of the remote device. This address is sent to the TACACS+ server.

single-connection

(Optional) Maintains a single open connection between the router and the TACACS+ server.

port port-number

(Optional) Specifies a server port number. This option overrides the default, which is port 49.

timeout seconds

(Optional) Specifies a timeout value. This overrides the global timeout value set with the tacacs-server timeout command for this server only.

key [0 | 7]

(Optional) Specifies an authentication and encryption key. This must match the key used by the TACACS+ daemon. Specifying this key overrides the key set by the global command tacacs-server key for this server only.

If no number or 0 is entered, the string that is entered is considered to be plain text. If 7 is entered, the string that is entered is considered to be encrypted text.

string

(Optional) Character string specifying the authentication and encryption key.


Defaults

If server-private parameters are not specified, global configurations will be used; if global configurations are not specified, default values will be used.

Command Modes

Server-group configuration

Command History

Release     Modification
12.3(7)T    This command was introduced.


Usage Guidelines

Use the server-private command to associate a particular private server with a defined server group. To prevent possible overlapping of private addresses between virtual route forwardings (VRFs), private servers (servers with private addresses) can be defined within the server group and remain hidden from other groups, while the servers in the global pool (default "TACACS+" server group) can still be referred to by IP addresses and port numbers. Thus, the list of servers in server groups includes references to the hosts in the global configuration and the definitions of private servers.

Examples

The following example shows how to define the tacacs1 TACACS+ group server and associate private servers with it:

aaa group server tacacs+ tacacs1
 server-private 10.1.1.1 port 19 key cisco

ip vrf cisco
 rd 100:1

interface Loopback0
 ip address 10.0.0.2 255.0.0.0
 ip vrf forwarding cisco

Related Commands

Command
Description

aaa group server

Groups different server hosts into distinct lists and distinct methods.

aaa new-model

Enables the AAA access control model.

ip tacacs source-interface

Uses the IP address of a specified interface for all outgoing TACACS+ packets.

ip vrf forwarding (server-group)

Configures the VRF reference of an AAA RADIUS or TACACS+ server group.

tacacs-server host

Specifies a TACACS+ server host.