
aryoba
Premium, MVM
join: 2002-08-22
kudos: 3

reply to krock83

Re: TACACS+ problems

said by krock83:

I see that I have to specify a source-interface. Does this interface have to route to anything, or can it be just a virtual interface with a non-routable block?

A TACACS+ source interface has to be reachable through the network from the TACACS+ server's perspective. Best practice is to use a loopback interface as the source interface, since that interface never goes down unless the router itself is down. If you use a non-loopback interface (i.e. a virtual interface) as the source interface, then the router may not be able to talk to the TACACS+ server once that non-loopback interface goes down, leaving you unable to log in with TACACS+ credentials.

Since you mention there is a firewall (ASA) in place between the router and the TACACS+ server, make sure the ASA allows traffic with the TACACS+ source interface IP address as the source IP to pass through to the TACACS+ server's IP address on TCP port 49 (the TCP port the TACACS+ server uses to talk).

Further, make sure the firewall has a sufficient license to pass the maximum number of TCP packets the TACACS+ server uses to communicate with its client. If, let's say, the firewall only has a license to pass a maximum of 10 TCP packets, and the TACACS+ server uses more than 10 TCP packets to communicate with its client, then the TACACS+ communication breaks.
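A minimal IOS and ASA configuration that puts the advice above into practice, added here as an illustration and not taken from the original thread. The addresses, interface and object names, server group name and pre-shared key are made-up placeholders, and the local-user fallback is an added precaution so that a blocked TCP/49 path does not lock you out of the router:

```cisco
! --- Router (IOS): source TACACS+ from a loopback, keep a local fallback ---
! 10.255.0.1, 10.1.1.10, ACS1, TAC-GROUP and the key are hypothetical placeholders.
interface Loopback0
 description TACACS+ source; advertise this /32 in the IGP so the server can reach it
 ip address 10.255.0.1 255.255.255.255
!
aaa new-model
!
tacacs server ACS1
 address ipv4 10.1.1.10
 key MyTacacsKey
 timeout 5
!
aaa group server tacacs+ TAC-GROUP
 server name ACS1
!
! Every TACACS+ packet (TCP/49) leaves with 10.255.0.1 as its source,
! whichever physical interface it actually exits through.
ip tacacs source-interface Loopback0
!
! Local account used only when no TACACS+ server answers (e.g. the ASA drops TCP/49).
username admin privilege 15 secret ChangeMe-FallbackPassword
aaa authentication login default group TAC-GROUP local
aaa authorization exec default group TAC-GROUP local
!
! Verify from an existing session before you log out:
!   test aaa group TAC-GROUP admin <password> legacy
!   show tacacs

! --- ASA: let the loopback address reach the TACACS+ server on TCP/49 ---
! "inside" faces the router; the server sits behind another interface (hypothetical names).
object network RTR-LOOPBACK
 host 10.255.0.1
object network TACACS-SERVER
 host 10.1.1.10
access-list INSIDE_IN extended permit tcp object RTR-LOOPBACK object TACACS-SERVER eq tacacs
access-group INSIDE_IN in interface inside
!
! Trace the flow through the ASA's rule base before testing from the router:
!   packet-tracer input inside tcp 10.255.0.1 40000 10.1.1.10 49
```

The ASA rule has to match the loopback address, not the address of the physical interface the router happens to egress through; if the ACL was written against the physical interface address, `packet-tracer` will show the drop and `show tacacs` on the router will show the server as unreachable.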

© 1999-2013 dslreports.com.