AAA Authentication and VRF-Lite

Hi!
I've run into a strange problem, when using AAA Radius authentication and VRF-Lite.
The setting is as follows. A /31 linknet is setup between PE and CE (7206/g1 and C1812), where PE sub-if is a part of an MPLS VPN, and CE uses VRF-Lite to keep the local services seperated (where more than one VPN is used..).
Access to the CE, via telnet, console etc, will be authenticated by our RADIUS servers, based on the following setup:
--> Config Begins <---
aaa new-model
aa group server radius radius-auth
server x.x.4.23 auth-port 1645 acct-port 1646
server x.x.7.139 auth-port 1645 acct-port 1646
aaa authentication login default group radius-auth local
aaa authentication enable default group radius-auth enable
radius-server host x.x.4.23 auth-port 1645 acct-port 1646 key <key>
radius-server host x.x.7.139 auth-port 1645 acct-port 1646 key <key>
ip radius source-interface <outside-if> vrf 10
---> Config Ends <---
The VRF-Lite instance is configured like this:
---> Config Begins <---
ip vrf 10
rd 65001:10
---> Config Ends <---
Now - if I remove the VRF-Lite setup, and use global routing on the CE (which is okey for a single-vpn setup), the AAA/RADIUS authentication works just fine. When I enable "ip vrf forwarding 10" on the outside and inside interface, the AAA/RADIUS service is unable to reach the two defined servers.
I compared the routing table when using VRF-Lite and global routing, and they are identical. All routes are imported via BGP correctly, and the service as a whole works without problems, in other words, the AAA/RADIUS part is the only service not working.

Just wanted to help future people as some of the answers I found here were confusing.
This is all you need from the AAA perspective:
aaa new-model
aaa group server radius RADIUS-VRF-X
server-private 192.168.1.10 auth-port 1812 acct-port 1813 key 7 003632222D6E3839240475
ip vrf forwarding X
aaa authentication login default group RADIUS-VRF-X local
aaa authorization exec default group X local if-authenticated
Per VRF AAA reference:
http://www.cisco.com/c/en/us/td/docs/ios/12_2/12_2b/12_2b4/feature/guide/12b_perv.html#wp1024168

Similar Messages

  • Cisco Nexus AAA authentication and console access

    We have nexus 7k with AAA authentication working now i have an issue i can't login using console port because my logins are rejected.Is there anyway we can login into console with local login details or we have to use ACS server (AAA) logins when connected to console (while ACS server is still reachable).
    My main question is i want to login using console port while ACS server is still reachable is it possible?

    Perhaps I am not understanding some parts of the original post and if so I would appreciate clarification of what I missed. But it seems to me that the main question in the original post is whether the original poster would be able to login on the console. And it seems to me that the high level answer is that yes login to the console should be possible. The details of how that would work are dependent on details of how the N7K is configured. If the original poster would provide some details of the configuration (especially all of the aaa authentication commands and the configuration of line con 0) we would be in a much better position to provide helpful answers.
    HTH
    Rick

  • Question to understand VRF and VRF-lite features

    Hi,
    when I look at METRO switches  Feature list I see that most of them support only "VRF-Lite".
    Does it mean that they can't work with MPLS lables and can't be placed as PE devices in cases  where we need VPN services or any kinf of "Lable-switching" services?
    Which role then does those METRO switches play in a network?

    Hello Konstantin,
    VRF lite is a subset of MPLS L3 VPN features missing MPLS forwarding plane capabilities.
    An end to end dedicated IP path is needed for each VRF, practically a VRF-lite capable device should be connected to a fully capable PE node by using a L2 trunk and dedicating at least two Vlan and two  SVI for each VRF: one towards customer and one towards PE.
    you get a multi VRF CE that can be shared by multiple customers
    a fully capable PE node uses N+1 links for N VRFs, a multiVRF CE requires 2*N logical interfaces for N VRFs
    only one MPLS enabled backbone link is needed for handling traffic of multiple VRFs in a fully capable PE node.
    in metro ethernet VRF lite multi VRF CE are used as feeders sort of satellite of PE nodes to provide an access layer to customers
    Hope to help
    Giuseppe

  • AAA authentication and authorization question

    Hi Everyone,
    I have a situation that is driving me crazy.
    I am using Cisco Freeware TACACS running on RedHat
    Enterprise Linux 3. I've modified the source code
    so that I can assign each individual users his/her
    own enable password. So far so good.
    I create two groups: group_A and group_S. group_A
    is for advanced users and group_S is for super
    users. Users that belong to group_A can have
    privilege level 15 but there are certain commands
    that they can not perform such as "write mem"
    or "reload". users that belong to group_S can do
    EVERYTHING.
    Here is my configuration on the TACACS configuration
    file:
    user = xyz {
    member = admin
    name = "User X"
    login = des 6.z8oIm9UGHo
    user = $xyz$ {
    member = admin
    name = "User X"
    login = des c2bUC43cmsac.
    user = abc {
    member = advanced
    name = "User abc"
    login = cleartext "cisco123"
    user = $abc$ {
    member = advanced
    name = "User abc"
    login = cleartext "cisco123"
    group = advanced {
    default service = deny
    cmd = show { permit .* }
    cmd = copy { permit flash }
    cmd = copy { permit running }
    cmd = ping { permit .* }
    cmd = configure { permit .* }
    cmd = enable { permit .* }
    cmd = disable { permit .* }
    cmd = telnet { permit .* }
    cmd = disconnect { permit .* }
    cmd = where { permit .* }
    cmd = set { permit .* }
    cmd = clear { permit line }
    cmd = exit { permit .* }
    group = admin {
    default service = permit
    configuration of the router:
    aaa new-model
    aaa authentication login notac none
    aaa authentication login VTY group tacacs+ local
    aaa authentication login web local enable
    aaa authentication enable default group tacacs+ enable
    aaa authorization exec notac none
    aaa authorization exec VTY group tacacs+ if-authenticated none
    aaa authorization commands 0 VTY group tacacs+ if-authenticated none
    aaa authorization commands 1 VTY group tacacs+ if-authenticated none
    aaa authorization commands 15 VTY group tacacs+ if-authenticated none
    aaa authorization network VTY group tacacs+ if-authenticated none
    aaa accounting exec TAC start-stop group tacacs+
    aaa accounting exec VTY start-stop group tacacs+
    aaa accounting commands 0 TAC start-stop group tacacs+
    aaa accounting commands 0 VTY start-stop group tacacs+
    aaa accounting commands 1 TAC start-stop group tacacs+
    aaa accounting commands 1 VTY start-stop group tacacs+
    aaa accounting commands 10 TAC start-stop group tacacs+
    aaa accounting commands 15 TAC start-stop group tacacs+
    aaa accounting commands 15 VTY start-stop group tacacs+
    aaa accounting network VTY start-stop group tacacs+
    aaa session-id common
    line vty 0 15
    exec-timeout 0 0
    authorization commands 0 VTY
    authorization commands 1 VTY
    authorization commands 15 VTY
    authorization exec VTY
    accounting commands 0 VTY
    accounting commands 1 VTY
    accounting commands 15 VTY
    accounting exec VTY
    login authentication VTY
    However, what I would like to do is to assign users
    in group_A the ability to go into "configuration t"
    but I do NOT want them to have the ability to peform
    "no tacacs-server host x.x.x.x key cisco". Furthermore,
    I would like to do everything via TACACS, I don't
    want configure "privilege level" on the router itself.
    Is that possible? Thanks.
    David

    Command Authorization Sets?Command authorization sets provide a centralized mechanism to manage TACACS+ administrative control. Driven by some of the largest enterprise and service provider networks that use Cisco Secure ACS, command authorization sets provide a method to group and name device command profiles that can be paired with users, groups of users, or network device groups. A key benefit of command authorization sets is the ability to remove any requirement of individual privilege level or command restrictions on each AAA client. This feature greatly enhances the scalability and manageability of setting device command authorization restrictions for network administrators.
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/prod_release_note09186a00800ada4c.html

  • VRF Lite running in the enterprise network

    Hello everybody
    Altough VRF lite (or Mulit VRF) seems to be a Service Provider Tecnology.
    Does it make sense to use it in an Enterprise Network to isolate Networks from others ?
    I cant find any design paper which describes if this would make sense.
    What do you think. Is someone using it ? Does Cisco recommend it ?

    Yes, VRF-lite SHOULD be used in an Enterprise environment to isolate the different security classes of devices.
    In the past you would isolate different groups of users using Layer1, i.e. separate hubs either totally isolated or connected together by a router with ACLs. Since the PCs were only connected at shared 10 Mbit and the routers were such low performance and worms weren't really prevalent, this was not a big security issue at the time.
    Then we migrated to VLANs, which essentially allowed Layer2 isolation within the same switch to provide the same functionality of separating different classes of users and to break up broadcast domains. Unfortunately, everyone connected the VLANs together at Layer3 with a router (or SVI) which essentially connected everything together again! And almost no one gets the ACLs right (if at all) to isolate the VLANs from each other. In fact, in most cases every VLAN can automatically reach every other VLAN from a Layer3 or IP perspective. This is a huge security problem.
    Enter VRF-lite, essentially created by Cisco as their tag switching migrated to standards based MPLS and had a need to isolate Layer3 security domains from each other within the same switch (or router). Think of VLANs for routing tables. VRF stands for 'Virtual Route Forwarding', which basically means separate routing tables. Since VRF-lite is a per-switch feature (running locally to the switch) you will need to use other technologies to connect multiple VRF-lite switches together and keep the traffic isolated, see below.
    What makes this so secure is that there is no command within the switch to connect different VRFs together within the same switch. You would need to connect a cable between two ports on the same switch configured in different VRFs to be able to communicate between them (recent IOS 12.2SR allows tunnels with different source VRFs but that is a corner case). The reason for this is simple, remember the basis for VRF (and VRF-lite) is for a service provider to isolate multiple customers from each other within the same switch. Just like an ATM, Frame-Relay, SONET, or Optical switch, the command line makes it very difficult (or impossible) to accidentally connect 2 different customers together.
    Think about that. Even if someone was able to get ssh enable access to your switch (you aren't running telnet anymore, right?!), they CAN'T connect 2 VRFs together with any command.
    And, yes, this is highly recommended by Cisco Engineers and is actually deployed far more than you think. I have VRF-lite running on at least 10 client's networks and those are LARGE networks. VRF-lite was integrated into the environment purely to solve a Layer3 security class isolation issue. I have used Layer3 dot1q trunks on c6500 switches and tunnels to keep isolated connectivity between VRFs between switches.
    In Cisco speak, VRF-lite falls under the topic of 'Path Isolation' which is combined with other features that isolate traffic within the same network such as dot1q trunking, tunneling, VPN, policy-routing, and MPLS. Do a search on Cisco's web site for 'path isolation' and you will find a bunch of info.
    See the following URLs for a good start:
    http://www.cisco.com/en/US/netsol/ns658/networking_solutions_design_guidances_list.html
    http://www.cisco.com/en/US/netsol/ns658/netbr0900aecd804a17db.html
    http://www.cisco.com/en/US/netsol/ns658/networking_solutions_white_paper0900aecd804a17c9.shtml
    As always, rate all posts appropriately, particularly those that provide value and don't be shy about following up with additional questions or comments.
    Good luck!

  • What is VRF-Lite

    Can anyone explain what is the difference between VRF and VRF Lite. What is the main purpose/application of VRF Lite?
    Thanks in advance
    AK

    Vrf-lite is a leaner cut down version of MPLS-VRF.
    Where in MPLS-VRF you need labels for VPN traffic switching, you dont need labels in VRF-lite.
    VRF-lite mainly relies on routing using multiple virtual routing instances created for each vrf for switching traffic. There is no label switching for VRF-lite.
    Since there is no label switching, you need to populate VRF's on every hop on your network. For example |Lan--PE1---PE2---PE3--Lan|
    PE1 has 2 vrf's connected to a local lan, to route these VRF's to the other end(PE3), you will need to have dedicated interfaces(or subinterfaces on each hop and enable routing instances for each VRF on each hop.
    But with MPLS-VRF you need to just enable the VRF's on PE1 and PE3 with MPBGP and Label Switching enabled.
    So the advantage of VRF-Lite is to have virtualization of your sub-networks a smaller scale. If you have a big network, you may very well consider implementing MPLS (even though you may be an enterprise).
    HTH-Cheers,
    Swaroop

  • AAA Authentication Question

    Here is the config I have on a switch:
    aaa authentication login default group tacacs+ local
    aaa authentication login vtylogin group tacacs+ local
    aaa authentication login conlogin group tacacs+ enable none
    aaa authentication enable default tacacs+ enable
    Now here are my issues:
    1- When I login from console my login from Tacacs works, but when I type "enable" and try to use my Active Directory password it does not work.  Then I try the enable password, it does not work.  However if I change the 4th Line to "aaa authentication enable default enable", I can proceed using the enable password.
    2- My second issue is when I SSH into the switch, I only want it to use the tacacs server and only use local database when the tacacs is not available.  However even when tacacs is available I am still able to log into it using the local user account.  I am assuming that is by design?  Is there a way to stop that if it is not by design?

    But it won't use you local database unless your tacacs+ server is unavailable so I really don't see the problem.
    If the router uses your local database to authenticate then there is a communication problem with your tacacs+ server so he is using the next method listed in your command which is local database. As I said before do a debug aaa authentication and you will see the router is attempting to communicate with the tacacs+ server and only if it times out then is he going to use an alternative method if it is listed in method list.

  • Client AAA Authentication Failure

    Hi, I have configured a WLAN for AAA authentication and have configured AAA/Radius authentication on the WLC, however the clients don't get authenticated when they try to join. I have run a debug and I am getting an authentication rejected message from the radius server. Below is the output.
    Access-Challenge received from RADIUS server 10.24.12.32 for mobile x.x.x.x receiveId = 5
    *Dot1x_NW_MsgTask_4: Nov 18 15:52:47.915: x.x.x.x Processing Access-Challenge for mobile x.x.x.x
    *Dot1x_NW_MsgTask_4: Nov 18 15:52:47.915: x.x.x.x WARNING: updated EAP-Identifier 1 ===> 27 for STA x.x.x.x
    *Dot1x_NW_MsgTask_4: Nov 18 15:52:47.915: x.x.x.x Sending EAP Request from AAA to mobile x.x.x.x (EAP Id 27)
    *Dot1x_NW_MsgTask_4: Nov 18 15:52:47.935: x.x.x.x Received EAPOL EAPPKT from mobile x.x.x.x
    *Dot1x_NW_MsgTask_4: Nov 18 15:52:47.935: x.x.x.x Received EAP Response from mobile x.x.x.x (EAP Id 27, EAP Type 3)
    *aaaQueueReader: Nov 18 15:52:47.935: apfVapRadiusInfoGet: WLAN(1) dynamic int attributes srcAddr:0x0, gw:0x0, mask:0x0, vlan:0, dpPort:0, srcPort:0
    *aaaQueueReader: Nov 18 15:52:47.935: x.x.x.x Successful transmission of Authentication Packet (id 76) to 10.24.12.32:1812, proxy state x.x.x.x-00:00
    *radiusTransportThread: Nov 18 15:52:47.938: ****Enter processIncomingMessages: response code=3
    ****Enter processRadiusResponse: response code=3
    *radiusTransportThread: Nov 18 15:52:47.938: x.x.x.x Access-Reject received from RADIUS server 10.24.12.32 for mobile x.x.x.x receiveId = 5

    Thanks for the reply, I checked the logs and it shows the correct username who has attempted to login and then for the same user it shows the machine name trying to login. Could it be something to do with the client's configuration?
    Are there any specific config that needs to be made on the clients who are mostly windows based devices, the user doesn't get prompted to enter a username or password even when 802.1X is selected for the Authentication.

  • AAA authentication not working and 'default' method list

    Guys,
    I hope someone can help me here in troubleshooting AAA issue. I have copied configuration and debug below. The router keeps using local username/password even though ACS servers are reachable and working. From debugs it seems it keeps using 'default' method list ignoring TACACS config. Any help will be appreciated
    Config
    aaa new-model
    username admin privilege 15 secret 5 xxxxxxxxxx.
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ enable
    aaa authorization console
    aaa authorization exec default group tacacs+ local
    aaa authorization commands 15 default group tacacs+ local
    aaa authorization reverse-access default group tacacs+ local
    aaa accounting commands 0 default start-stop group tacacs+
    aaa accounting commands 15 default start-stop group tacacs+
    aaa accounting connection default start-stop group tacacs+
    aaa session-id common
    tacacs-server host x.x.x.x
    tacacs-server host x.x.x.x
    tacacs-server host x.x.x.x
    tacacs-server host x.x.x.x
    tacacs-server directed-request
    tacacs-server key 7 0006140E54xxxxxxxxxx
    ip tacacs source-interface Vlan200
    Debugs
    002344: Dec  5 01:36:03.087 ICT: AAA/BIND(00000022): Bind i/f
    002345: Dec  5 01:36:03.087 ICT: AAA/AUTHEN/LOGIN (00000022): Pick method list 'default'
    002346: Dec  5 01:36:11.080 ICT: AAA/AUTHEN/LOGIN (00000022): Pick method list 'default'
    core01#
    002347: Dec  5 01:36:59.404 ICT: AAA: parse name=tty0 idb type=-1 tty=-1
    002348: Dec  5 01:36:59.404 ICT: AAA: name=tty0 flags=0x11 type=4 shelf=0 slot=0 adapter=0 port=0 channel=0
    002349: Dec  5 01:36:59.404 ICT: AAA/MEMORY: create_user (0x6526934) user='admin' ruser='core01' ds0=0 port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
    002350: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Port='tty0' list='' service=CMD
    002351: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/CMD: tty0 (2162495688) user='admin'
    002352: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV service=shell
    002353: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd=configure
    002354: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=terminal
    002355: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): send AV cmd-arg=<cr>
    002356: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): found list "default"
    002357: Dec  5 01:36:59.404 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=tacacs+ (tacacs+)
    002358: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): user=admin
    002359: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV service=shell
    002360: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd=configure
    002361: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd-arg=terminal
    002362: Dec  5 01:36:59.404 ICT: AAA/AUTHOR/TAC+: (2162495688): send AV cmd-arg=<cr>
    Enter configuration commands, one per line.  End with CNTL/Z.
    core01(config)#
    002363: Dec  5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = ERROR
    002364: Dec  5 01:37:04.261 ICT: tty0 AAA/AUTHOR/CMD (2162495688): Method=LOCAL
    002365: Dec  5 01:37:04.261 ICT: AAA/AUTHOR (2162495688): Post authorization status = PASS_ADD
    002366: Dec  5 01:37:04.261 ICT: AAA/MEMORY: free_user (0x6526934) user='admin' ruser='core01' port='tty0' rem_addr='async' authen_type=ASCII service=NONE priv=15
    core01(config)#

    Are the tacacs+ servers reachable using the source vlan 200. Also in the tacacs+ server can you check if the IP address for this device is correctly configured and also please check the pwd on both the server and this device match.
    As rick suggested sh tacacs would be good as well. That would show failures and successes
    HTH
    Kishore

  • ACE 4700 and Cisco ACS aaa authentication

    ACE version Software
    loader: Version 0.95
    system: Version A1(7b) [build 3.0(0)A1(7b)
    Cisco ACS version 4.0.1
    I am trying to authenticate admin users with AAA authentication for ACE management.
    This is what I've done:
    ACE-lab/Admin(config)# tacacs-server host 192.168.3.10 key 123456 port 49
    warning: numeric key will not be encrypted
    ACE-lab/Admin(config)# aaa group server tacacs+ cciesec
    ACE-lab/Admin(config-tacacs+)# server ?
    <A.B.C.D> TACACS+ server name
    ACE-lab/Admin(config-tacacs+)# server 192.168.3.10
    can not find the TACACS+ server
    specified TACACS+ server not found, please configure it using tacacs-server host ... and then retry
    ACE-lab/Admin(config-tacacs+)#
    Why am I getting this error? I have full
    connectivity between the ACE and the ACS
    server. Furthermore, the ACS server
    works fine with other Cisco IOS devices.
    Please help. Thanks.

    Thanks. Now I have another problem. I CAN
    log into the ACE via tacacs+ account(s).
    However, I get error when I try going into
    configuration mode:
    ACE-lab login: ngx1
    Password:
    Cisco Application Control Software (ACSW)
    TAC support: http://www.cisco.com/tac
    Copyright (c) 1985-2007 by Cisco Systems, Inc. All rights reserved.
    The copyrights to certain works contained herein are owned by
    other third parties and are used and distributed under license.
    Some parts of this software are covered under the GNU Public
    License. A copy of the license is available at
    http://www.gnu.org/licenses/gpl.html.
    ACE-lab/Admin# conf t
    ^
    % invalid command detected at '^' marker.
    ACE-lab/Admin#
    The ngx1 account can access other Cisco
    routers/switches just fine and can go into
    enable mode just fine. Only issue on the ACE.
    Any ideas? Thanks.

  • Running vrf-lite and dhcp server see 0.0.0.0 as giaddr

    Im running vrf-lite and our dhcp server see only 0.0.0.0.  Im able to ping vlan10, and see the dhcp request. Running on a 2811.  I have limited access to device.  Do I need to turn on Dhcp-relay?  Verifing ip forward-protocol.  Do i need to add " vrf WISP to my helper-address?  The interface it sends Dhcp request is also within the vrf.  The dhcp scope is part of Vlan10 subnet
    int vlan 10
    ip vrf forward WISP
    ip add x.x.x.x s.s.s.192
    ip helper-address x.x.x.x

    Yes and no.  It uses another interface thats within the same vrf Wisp.  On the other end of the vrf it is forwarded to our global dhcp server.  in bold is where the unicast packet are going using the defaultroute
    int fast0/0.1
    encap dot1q 1
    ip vrf forwarding WISP
    ip add 172.16.6.2 255.255.255.252
    int vlan 10
    ip vrf forward WISP
    ip add 66.223.195.129 255.255.255.192
    ip helper-address 208.138.129.49
    ip route vrf WISP 0.0.0.0 0.0.0.0 172.16.6.1

  • CSM VRF Lite OSPF and IPSEC/GRE

    We have a pretty complex vpn configuration. Its a site-to-site VRF-Lite GRE/IPSEC VPN that would be considered a point-to-point, each router is connected to two peers in a ring.
    CSM complains about discovering this VPN configuration due to the VRF and the fact that OSPF with multiple OSPF processes is not supported.
    My question is, can we still monitor the tunnels. We'd like to monitor the tunnels, but that seems impossible unless we can get CSM to see the tunnels which it currently is not.

    VRF Lite and MPLS-VPN act independently so they can work independently. And there is no specific need for mapping. If link is for VRF A on PE so you can make it part of vrf A in CE as well. Both VRFs are independent of each other.
    http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_guide_chapter09186a00801cddd9.html#1045190
    THis document is for 4500 but logic holds the same.

  • VRF lite and MPLS VRFs

    We have a CE router connected to PE router. The CE router is connected via 2 links to the PE router, because we need to create two VRFs on the PE for the traffic coming from the CE to separate the traffic, so we have one vrf per link. We are running OSPF between CE and PE.. Now we need to further separate the traffic up to the CE, so I’m thinking of using the VRF lite on the CE.. Can MPLS work with the VRF lite, and how to map the VRF lite VRFs on the CE to the MPLS VPN on the PE?
    Is there any config examples?
    Thanks in advance

    VRF Lite and MPLS-VPN act independently so they can work independently. And there is no specific need for mapping. If link is for VRF A on PE so you can make it part of vrf A in CE as well. Both VRFs are independent of each other.
    http://www.cisco.com/en/US/products/hw/switches/ps4324/products_configuration_guide_chapter09186a00801cddd9.html#1045190
    THis document is for 4500 but logic holds the same.

  • PIX 525 aaa authentication with both tacacs and local

    Hi,
    I have configured the aaa authentication for the PIX with tacacs protocol (ACS Server).
    It works fine, now i would like to add the back up authentication, as follows:
    - If the ACS goes down i can to be authenticated with the local database.
    Is it possible with PIX, if yes how?

    Hi,
    I am trying to configure aaa using TACACS+ , i am not able to close.Problems are
    1.It dosent ask for username /password in first level.
    2.on second level it asks for user name it dosent authenticate the user .
    Cud u pls let me know if the following config is correct.If not cud u help me .
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (outside) host ip.ip.ip.ip key timeout 15
    aaa-server RADIUS protocol radius
    aaa-server LOCAL protocol local
    aaa authentication include tcp/0 inside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
    aaa authentication include tcp/0 outside 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 TACACS+
    aaa authen enable console TACACS+

  • Dial-In access to VRF Lite (MPLS VPN)

    Hi,
    I'm trying to implement a solution, that gives opportunity to dial-in to some specific customers VPN (VRF Lite)
    Configuration of NAS is done using cisco.com guide and seems OK. NAS is using RADIUS to authenticate users, and if authenticated, RADIUS sends a specific users virtual-profile configuration to NAS. So far everything seems OK. I can dial-in, succesfuly authenticate against RADIUS and download the virtual-profile configration (DEBUG is pasted below).
    BUT, even there is a command "virtual-profile aaa", and RADIUS sends all info, Virtual-Access interface isn't created or it is created without any configuration.
    Maybe this is happening because I'm using dialer-profile ? Some cisco documentation says that if there are dialer-profiles configured, virtual-profile configuration cann't be downloaded from AAA ???
    Here is debug, You can see RADIUS to NAS communication:
    Aug 24 07:59:59: %LINK-3-UPDOWN: Interface Serial2/0:26, changed state to up
    Aug 24 08:00:00: RADIUS(000000A1): Storing nasport 20026 in rad_db
    Aug 24 08:00:00: RADIUS(000000A1): Config NAS IP: 0.0.0.0
    Aug 24 08:00:00: RADIUS/ENCODE(000000A1): acct_session_id: 247
    Aug 24 08:00:00: RADIUS(000000A1): sending
    Aug 24 08:00:00: RADIUS/ENCODE: Best Local IP-Address xxx.xxx.xxx.xxx for Radius-Server xxx.xxx.xxx.xxx
    Aug 24 08:00:00: RADIUS(000000A1): Send Access-Request to xxx.xxx.xxx.xxx:1645 id 21646/40, len 113
    Aug 24 08:00:00: RADIUS: authenticator C9 98 61 51 0F FF 0F C8 - FA A2 3E C1 5E 80 13 0E
    Aug 24 08:00:00: RADIUS: Framed-Protocol [7] 6 PPP [1]
    Aug 24 08:00:00: RADIUS: User-Name [1] 6 "vrft"
    Aug 24 08:00:00: RADIUS: CHAP-Password [3] 19 *
    Aug 24 08:00:00: RADIUS: Vendor, Cisco [26] 20
    Aug 24 08:00:00: RADIUS: cisco-nas-port [2] 14 "Serial2/0:26"
    Aug 24 08:00:00: RADIUS: NAS-Port [5] 6 20026
    Aug 24 08:00:00: RADIUS: NAS-Port-Type [61] 6 ISDN [2]
    Aug 24 08:00:00: RADIUS: Calling-Station-Id [31] 9 "xxxxxxx"
    Aug 24 08:00:00: RADIUS: Called-Station-Id [30] 9 "xxxxxxx"
    Aug 24 08:00:00: RADIUS: Service-Type [6] 6 Framed [2]
    Aug 24 08:00:00: RADIUS: NAS-IP-Address [4] 6 xxx.xxx.xxx.xxx
    Aug 24 08:00:00: RADIUS: Received from id 21646/40 xxx.xxx.xxx.xxx:1645, Access-Accept, len 277
    Aug 24 08:00:00: RADIUS: authenticator 8D E7 52 2A 4B 72 88 9E - B8 85 38 CF 70 4A B7 79
    Aug 24 08:00:00: RADIUS: Service-Type [6] 6 Framed [2]
    Aug 24 08:00:00: RADIUS: Framed-Protocol [7] 6 PPP [1]
    Aug 24 08:00:00: RADIUS: Framed-IP-Address [8] 6 10.10.8.5
    Aug 24 08:00:00: RADIUS: Framed-IP-Netmask [9] 6 255.255.255.240
    Aug 24 08:00:00: RADIUS: Framed-Compression [13] 6 VJ TCP/IP Header Compressi[1]
    Aug 24 08:00:00: RADIUS: Vendor, Cisco [26] 54
    Aug 24 08:00:00: RADIUS: Cisco AVpair [1] 48 "lcp:interface-config#1= ip vrf forwarding test"
    Aug 24 08:00:00: RADIUS: Vendor, Cisco [26] 68
    Aug 24 08:00:00: RADIUS: Cisco AVpair [1] 62 "lcp:interface-config#2= ip address 10.10.8.1 255.255.255.240"
    Aug 24 08:00:00: RADIUS: Vendor, Cisco [26] 50
    Aug 24 08:00:00: RADIUS: Cisco AVpair [1] 44 "lcp:interface-config#3= description horray"
    Aug 24 08:00:00: RADIUS: Vendor, Cisco [26] 49
    Aug 24 08:00:00: RADIUS: Cisco AVpair [1] 43 "lcp:interface-config#4= encapsulation ppp"
    Aug 24 08:00:00: RADIUS: Framed-Routing [10] 6 0
    Aug 24 08:00:00: RADIUS(000000A1): Received from id 21646/40
    Aug 24 08:00:00: %ISDN-6-CONNECT: Interface Serial2/0:26 is now connected to xxxxxxx vrft
    Aug 24 08:00:00: %LINK-3-UPDOWN: Interface Serial2/0:26, changed state to down
    Please let me know if any other information is required.

    Besides, as I see, virtual-access interface's description is as configured on RADIUS, but all other configuration is from virtual-template. Why? Even if there are no overlapping configuration strings in Vtemplate and on AAA (like ip address etc), configuration string received from RADIUS isn't getting added to virtual-access interface configuration.

Maybe you are looking for

  • MacBook Pro White screen, No apple logo, No question mark

    Hi guys I've MacBook pro 13 2010 model The Laptop turn on all the time when i press power button but  It's stuck in white screen ( without apple logo ) .  With hard drive connected or no hard drive i still can't see the question mark folder What i've

  • Albums split up on itouch, but not in itunes.

    when I upload certain albums onto my itouch, one or two songs will be separated into the same album, and album art but not as one whole album. I have tried to upload the album again, but the same thing happened. This doesn't happen on my ipod classic

  • How to I reset a second hand i phone

    I have bought a second hand I Phone 4 and want to know how t reset it and clear all previous data, thanks Mel

  • Is there a way to hide the status bar when reading a book in iBooks?

    Every other ereader app seems to hide the status bar (at the top of the screen, with battery etc) automatically, or there is a setting to do so. I can't seem to be able to do this in iBooks. What am I missing?

  • Adding MacBook to home network

    In my house all we have are Microsoft computers, and I'm thinking about asking my parents for a MacBook for Christmas. I'd like to know if the notebook will work on our wireless home network. Is there anything special that needs to be done, or can I