TACACS+ and IPv6

Hi,
I am setting up a server with TACACS+ to test with IPv6 - is there an update that I can do to enable the software to listen and respond on IPv6 (tacacs+-F4.0.4.18)....
Thanks

Yes.
If you want to run both TACACS+ and RADIUS for the same network device (e.g. an AP1200 with RADIUS for clients and TACACS+ for telnet), then you would have to use a different device name for each option on the ACS.
e.g. for RADIUS you would use the device name ukwap1200-001 and for TACACS+ maybe ukwap1200-001-T
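
A check to run once the daemon is rebuilt or reconfigured, added here as an example; it is not from the thread and not tac_plus code. It parses Linux `ss -ltn` output to see whether tcp/49 is bound on an IPv6 socket, and offers a plain TCP connect over IPv6 to confirm reachability from a client. The `ss` samples are constructed, and the port, tool and column layout are assumptions about the test host.

```python
"""Check whether a TACACS+ daemon is listening on IPv6 and reachable over it. Added example;
not from the thread and not tac_plus code. Assumes a Linux host with `ss`, the standard port
tcp/49, and the current `ss -ltn` column layout; the sample outputs are constructed."""
from __future__ import annotations
import socket

TACACS_PORT = 49


def listeners_on_port(ss_output: str, port: int = TACACS_PORT) -> list[tuple[str, str]]:
    """Return (family, bound address) for every LISTEN socket on `port` in `ss -ltn` output.
    ss prints IPv6 binds in brackets ([::]:49); older releases print a wildcard IPv6 bind as
    *:49 or :::49, so those count as IPv6 too."""
    found = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        addr, _, port_str = fields[3].rpartition(":")
        if not port_str.isdigit() or int(port_str) != port:
            continue
        if addr.startswith("[") or addr in ("*", "::"):
            found.append(("ipv6", addr.strip("[]")))
        else:
            found.append(("ipv4", addr))
    return found


def has_ipv6_listener(ss_output: str, port: int = TACACS_PORT) -> bool:
    return any(family == "ipv6" for family, _ in listeners_on_port(ss_output, port))


def tcp_reachable(host: str, port: int = TACACS_PORT, family: int = socket.AF_INET6,
                  timeout: float = 3.0) -> bool:
    """Plain TCP connect from a client; proves the transport only, not that the shared key
    for this client's source address is configured on the server."""
    try:
        candidates = socket.getaddrinfo(host, port, family, socket.SOCK_STREAM)
    except socket.gaierror:
        return False
    for af, socktype, proto, _name, sockaddr in candidates:
        try:
            with socket.socket(af, socktype, proto) as s:
                s.settimeout(timeout)
                s.connect(sockaddr)
                return True
        except OSError:
            continue
    return False


# constructed `ss -ltn` output: daemon bound to IPv4 only ...
SAMPLE_SS_V4_ONLY = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:49          0.0.0.0:*
LISTEN  0       128     127.0.0.1:25        0.0.0.0:*
"""
# ... and the same host after it also binds the IPv6 wildcard
SAMPLE_SS_DUAL = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:49          0.0.0.0:*
LISTEN  0       128     [::]:49             [::]:*
"""

if __name__ == "__main__":
    for name, out in (("v4-only", SAMPLE_SS_V4_ONLY), ("dual-stack", SAMPLE_SS_DUAL)):
        print(name, listeners_on_port(out), "ipv6 listener:", has_ipv6_listener(out))
    # live check against a real server, e.g. tcp_reachable("tacacs.example.net")
```

An open IPv6 socket is necessary but not sufficient: the server still has to recognise the client's IPv6 source address when it looks up the shared key, so a device that connects fine can still fail authentication until its IPv6 address is added on the server side.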

Similar Messages

  • Does ISE 1.1 support TACACS and H-REAP?

    Hello,
    Does ISE 1.1 support TACACS/TACACS+ and H-REAP mode?
    Also, the customer wants to have quick access to the corporate network with a few laptops without going through Active Directory. Any suggestion on this?
    Thanks
    Olu

    EAP-TLS does not rely on AD.
    CA root cert is installed on ACS for trust and identity.
    you can elect to Perform Binary Certificate Comparison with Certificate retrieved from LDAP or Active Directory
    Users and Identity Stores >
    Certificate Authentication Profile >
    Edit: "CN Username"
    see the checkbox at the bottom.
    I do EAP TLS machine auth only without integrating AD into the policy at all.
    hth,
    jk

  • Cisco IOS Zone Based Firewall and IPv6

    Hello,
    I am trying to set up an IPv6 tunnel to the tunnel broker Hurricane Electric. The IPv6 connection is working OK only if I disable zone security on the WAN interface (Fe0 - IPv4 interface).
    Which protocols must be allowed to and from the router?
    IOS version: 15.1.2T1 (Adv.ip services)
    Setup:
    HE (tunnel-broker)  --- Internet (IPv4)  ---- Cisco 1812 (Fe0 (IPv4) and interface tunnel 1 (IPv6))
    Config on router:
    IPv4 (self to internet and internet to self)
    policy-map type inspect Outside2Router-pmap
     class type inspect SSHaccess-cmap
      inspect
     class type inspect ICMP-cmap
      inspect
     class type inspect IPSEC-cmap
      pass
     class type inspect Protocol41-cmap
      pass log
     class class-default
      drop
    interface Tunnel1
     description Hurricane Electric IPv6 Tunnel Broker
     no ip address
     zone-member security IPv6tunnel
     ipv6 address 2001:47:25:105B::2/64
     ipv6 enable
     ipv6 mtu 1300
     tunnel source FastEthernet0
     tunnel mode ipv6ip
     tunnel destination xxx.66.80.98
    interface FastEthernet0
     description WAN interface
     ip address xxx.xxx.252.84 255.255.0.0
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     zone-member security WAN
     duplex auto
     speed auto
    zone-pair security IPv6Tunnel_2_WAN source IPv6tunnel destination WAN
     service-policy type inspect IPv6-out-pmap
    zone-pair security WAN_2_IPv6tunnel source WAN destination IPv6tunnel
     service-policy type inspect IPv6-out-pmap
    policy-map type inspect IPv6-out-pmap
     class type inspect IPv6-internet-class
      inspect
     class class-default
      drop
    class-map type inspect match-all IPv6-internet-class
     match protocol tcp
     match protocol udp
     match protocol icmp
     match protocol ftp
    ipv6 route ::/0 Tunnel1
    ipv6 unicast-routing
    ipv6 cef
    parameter-map type inspect v6-param-map
     ipv6 routing-header-enforcement loose
     sessions maximum 10000

    OK, removed the cmap the packet was getting dropped on, so the current self to wan zone-pair policy map looks like this:
    policy-map type inspect pm-selftowan
     class type inspect cm-selftowan-he-out
      inspect
     class type inspect cm-dhcpwan
      pass
     class class-default
      drop
    class-map type inspect match-all cm-selftowan-he-out
     match access-group name HETunnelOutbound
    ip access-list extended HETunnelOutbound
     permit 41 any any
     permit ip any host 64.62.200.2
     permit ip any host 66.220.2.74
     permit ip any host 216.66.80.26
    Now we see the same error, just on the 'new' first cmap in the pmap:
    *Oct  5 02:39:31.316 GMT: %FW-6-DROP_PKT: Dropping Unknown-l4 session :0 216.66.80.26:0 on zone-pair selftowan class cm-selftowan-he-out due to  Invalid Segment with ip ident 0
    Yet as you can see above, we are allowing proto 41 any any.
    I didn't expect any other result really since the previous cmap had 'permit ip any any' but still
    any ideas?
    Thanks,
    //TrX
    EDIT: Out of curiosity after reading this post: https://supportforums.cisco.com/thread/2043222?decorator=print&displayFullThread=true
    I decided to change the outbound cm-selftowan-he-out action to 'pass'.
    I suddenly noticed the following log:
    *Oct  5 02:39:31.316 GMT: %FW-6-DROP_PKT: Dropping Unknown-l4 session  216.66.80.26:0 :0 on zone-pair wantoself class  cm-wantoself-he-in due to  Invalid Segment with ip ident 0
    Notice this is now inbound having trouble, whereas before it was outbound.
    I changed the inbound pmap policy for cmap cm-wantoself-he-in to pass also and IPv6 PACKETS ARE GETTING ICMP6 REPLIES FROM GOOGLE!
    Looking at the original outbound PMAP:
    policy-map type inspect pm-selftowan
     class type inspect cm-selftowan
      inspect
     class type inspect cm-selftowan-he-out
      inspect
     class type inspect cm-dhcpwan
      pass
     class class-default
      drop
    cm-selftowan has always been in front of cm-selftowan-he-out, and because that is ip any any, it has been 'grabbing' the IP proto 41 packets and doing ip inspect on them (which fails, as it seems ip inspect only handles a handful of protocols).
    This is why setting cm-selftowan-he-out and cm-wantoself-he-in both to 'pass' instead of 'inspect' in the past has not been doing anything, because the outbound packets were never getting to the cm-selftowan-he-out cmap.
    Would never have got to this without ip inspect log. Why didn't I think of just trying ip inspect logging two days ago!
    Anyway, thank you, I have now restored my faith in my own knowledge of ZBF!
    Hope this helps the OP too
    //TrX

  • Cisco ISE with TACACS+ and RADIUS both?

    Hello,
    I am initiating wired authentication on an existing network using Cisco ISE. I have been studying the requirements for this. I know I have to turn on RADIUS on the Cisco switches on the network. The switches on the network are already programmed for TACACS+. Does anybody know if they can both operate on the same network at the same time?
    Bob

    Hello Robert,
    I believe no, they won't work together, as TACACS and RADIUS are different technologies.
    It's just because TACACS encrypts the whole message and RADIUS just the password, so I believe it won't work.
    For your reference, I am sharing the link for the difference between TACACS and RADIUS.
    http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a0080094e99.shtml
    Moreover, please review the information as well.
    Compare TACACS+ and RADIUS
    These sections compare several features of TACACS+ and RADIUS.
    UDP and TCP
    RADIUS uses UDP while TACACS+ uses TCP. TCP offers several advantages over UDP. TCP offers a connection-oriented transport, while UDP offers best-effort delivery. RADIUS requires additional programmable variables such as re-transmit attempts and time-outs to compensate for best-effort transport, but it lacks the level of built-in support that a TCP transport offers:
    TCP usage provides a separate acknowledgment that a request has been received, within (approximately) a network round-trip time (RTT), regardless of how loaded and slow the backend authentication mechanism (a TCP acknowledgment) might be.
    TCP provides immediate indication of a crashed, or not running, server by a reset (RST). You can determine when a server crashes and returns to service if you use long-lived TCP connections. UDP cannot tell the difference between a server that is down, a slow server, and a non-existent server.
    Using TCP keepalives, server crashes can be detected out-of-band with actual requests. Connections to multiple servers can be maintained simultaneously, and you only need to send messages to the ones that are known to be up and running.
    TCP is more scalable and adapts to growing, as well as congested, networks.
    Packet Encryption
    RADIUS encrypts only the password in the access-request packet, from the client to the server. The remainder of the packet is unencrypted. Other information, such as username, authorized services, and accounting, can be captured by a third party.
    TACACS+ encrypts the entire body of the packet but leaves a standard TACACS+ header. Within the header is a field that indicates whether the body is encrypted or not. For debugging purposes, it is useful to have the body of the packets unencrypted. However, during normal operation, the body of the packet is fully encrypted for more secure communications.
    Authentication and Authorization
    RADIUS combines authentication and authorization. The access-accept packets sent by the RADIUS server to the client contain authorization information. This makes it difficult to decouple authentication and authorization.
    TACACS+ uses the AAA architecture, which separates AAA. This allows separate authentication solutions that can still use TACACS+ for authorization and accounting. For example, with TACACS+, it is possible to use Kerberos authentication and TACACS+ authorization and accounting. After a NAS authenticates on a Kerberos server, it requests authorization information from a TACACS+ server without having to re-authenticate. The NAS informs the TACACS+ server that it has successfully authenticated on a Kerberos server, and the server then provides authorization information.
    During a session, if additional authorization checking is needed, the access server checks with a TACACS+ server to determine if the user is granted permission to use a particular command. This provides greater control over the commands that can be executed on the access server while decoupling from the authentication mechanism.
    Multiprotocol Support
    RADIUS does not support these protocols:
    AppleTalk Remote Access (ARA) protocol
    NetBIOS Frame Protocol Control protocol
    Novell Asynchronous Services Interface (NASI)
    X.25 PAD connection
    TACACS+ offers multiprotocol support.
    Router Management
    RADIUS does not allow users to control which commands can be executed on a router and which cannot. Therefore, RADIUS is not as useful for router management or as flexible for terminal services.
    TACACS+ provides two methods to control the authorization of router commands on a per-user or per-group basis. The first method is to assign privilege levels to commands and have the router verify with the TACACS+ server whether or not the user is authorized at the specified privilege level. The second method is to explicitly specify in the TACACS+ server, on a per-user or per-group basis, the commands that are allowed.
    Interoperability
    Due to various interpretations of the RADIUS Request for Comments (RFCs), compliance with the RADIUS RFCs does not guarantee interoperability. Even though several vendors implement RADIUS clients, this does not mean they are interoperable. Cisco implements most RADIUS attributes and consistently adds more. If customers use only the standard RADIUS attributes in their servers, they can interoperate between several vendors as long as these vendors implement the same attributes. However, many vendors implement extensions that are proprietary attributes. If a customer uses one of these vendor-specific extended attributes, interoperability is not possible.
    Traffic
    Due to the previously cited differences between TACACS+ and RADIUS, the amount of traffic generated between the client and server differs. These examples illustrate the traffic between the client and server for TACACS+ and RADIUS when used for router management with authentication, exec authorization, command authorization (which RADIUS cannot do), exec accounting, and command accounting (which RADIUS cannot do).
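
The two "encryption" mechanisms the comparison above describes, side by side as an added example (not code from the thread and not from Cisco ACS or ISE): TACACS+ body obfuscation from RFC 8907 section 4.5, including the header flag that marks a cleartext body, and RADIUS User-Password hiding from RFC 2865 section 5.2. The shared keys, session id, authenticator and credentials are constructed test values.

```python
"""TACACS+ body obfuscation (RFC 8907, section 4.5) beside RADIUS User-Password hiding
(RFC 2865, section 5.2). Added example; not code from the thread and not from Cisco ACS
or ISE. The shared keys, session id, authenticator and credentials are constructed."""
import hashlib
import struct
from typing import Optional

# TACACS+ header: major/minor version, type, seq_no, flags, session_id, body length
TAC_HDR = struct.Struct(">BBBBII")
TAC_PLUS_VERSION = 0xC0                 # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01        # header bit: body is sent in clear (debugging only)


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Pseudo-pad: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenated and truncated."""
    seed = struct.pack(">I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def tacacs_packet(body: bytes, session_id: int, key: Optional[bytes],
                  seq_no: int = 1, ptype: int = TAC_PLUS_AUTHEN) -> bytes:
    """Build one TACACS+ packet. key=None sends the body unobfuscated and sets the flag."""
    flags = 0
    if key is None:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
        wire_body = body
    else:
        pad = tacacs_pad(session_id, key, TAC_PLUS_VERSION, seq_no, len(body))
        wire_body = bytes(b ^ p for b, p in zip(body, pad))
    return TAC_HDR.pack(TAC_PLUS_VERSION, ptype, seq_no, flags, session_id, len(body)) + wire_body


def tacacs_unpack(packet: bytes, key: Optional[bytes]) -> tuple:
    """Return (body_was_cleartext, body). XOR with the same pad undoes the obfuscation."""
    version, _ptype, seq_no, flags, session_id, length = TAC_HDR.unpack(packet[:TAC_HDR.size])
    wire_body = packet[TAC_HDR.size:TAC_HDR.size + length]
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return True, wire_body
    if key is None:
        raise ValueError("obfuscated body but no shared key")
    pad = tacacs_pad(session_id, key, version, seq_no, length)
    return False, bytes(b ^ p for b, p in zip(wire_body, pad))


def radius_hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RADIUS hides only this attribute: 16-byte blocks XORed with MD5(secret + previous block),
    where the first 'previous block' is the Request Authenticator."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        block = hashlib.md5(secret + prev).digest()
        prev = bytes(p ^ b for p, b in zip(padded[i:i + 16], block))
        out += prev
    return out


def radius_reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        block = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ b for c, b in zip(hidden[i:i + 16], block))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")   # strip RFC padding; a password therefore cannot end in NUL


if __name__ == "__main__":
    body = b"\x01\x00\x02\x01" + b"admin"     # constructed fragment of an authentication START
    for key in (b"s3cret", None):
        pkt = tacacs_packet(body, 0x12345678, key)
        print("unencrypted flag=%d, username visible=%s" % (pkt[3] & 1, b"admin" in pkt))
    auth = bytes(range(16))
    hidden = radius_hide_password(b"hunter2", b"radsecret", auth)
    print(hidden.hex(), radius_reveal_password(hidden, b"radsecret", auth))
```

Both mechanisms derive their key stream from MD5 over a static shared secret, so "encrypts the entire body" means hidden from a casual capture, not confidential against anyone who holds or can offline-guess the secret; RFC 8907 itself calls it obfuscation and expects the transport to be protected separately.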

  • Network Load Balancing and IPv6 Ping Timeout

    I've noticed interesting behavior with NLB on Windows 2012 R2 and IPv6. I have two systems that use NLB on a Hyper-V cluster, each system is on a different node in the cluster. When I do an IPv6 ping within the same subnet, I notice that the reply time is normally 1-3ms, but every so often it goes to 100+ms. I also notice that both members of the NLB reply to a ping to the cluster IPv6 address. This is interesting.
    When I do a ping to the cluster IPv6 address from a different subnet, I notice that the reply is intermittent. The NLB nodes will either both reply to the ping or both won't. At first I thought that there was an issue with my network, but when I do a span on the ports that the cluster is attached to, I see that the IPv6 ping packets arrive, but the NLB nodes don't always send a reply.
    What is also interesting is that the NLB web farm I have setup seem to be working fine and is not intermittent, so this issue only has to do with ping. Has anyone else seen this type of issue, or is this a bug?
    Thanks!

    Hi Nathan,
    So are you running both IPV6 and IPV4? Do you have any clients that can't connect at all? Just on ping?
    The reason I ask is we had a server that was receiving IPv6 fine, but on receiving IPv4 would switch to IPv6 to connect SSL back to the client. Of course the clients never received it and just got a timeout. Funny thing is cell phones had no issue at all because they were straight IPv6. Only clients with both protocols got the timeout.
    So the ack was sent back via the wrong protocol and nothing but the timeout is what the client sees. This may be an LLMNR issue. It came out with 2008 R2, but I think it may still apply.
    Check this out:
    http://technet.microsoft.com/en-us/library/bb878128.aspx
    David Perkins
    IT Help Point, Inc.

  • Best way to pass IPv4 and IPv6 traffic over a GRE Tunnel

    Hello,
    We have two 3825 routers with Advanced Enterprise IOS 12.4.9(T). Each of them serves many IPv4 (private and public) and IPv6 networks on their respective site.
    We have created a wireless link between the two, using 4 wireless devices, with IP Addresses 10.10.2.2, 3, 4, 5 respectively (1 and 6 are the two end Ethernet interfaces on the routers).
    Then we created a GRE tunnel over this link using addresses 172.16.1.1 and 2 (for the two ends) to route traffic over this link.
    Now we want to route IPv6 traffic over the same link. However, we found that simply routing the IPv6 traffic over the above GRE / IP tunnel did not work.
    Questions:
    Is there a way we can use the same (GRE / IP) tunnel to transport both IPv4 and IPv6 traffic?
    If not, can we setup two GRE tunnels over the same wireless link, that is, one GRE / IP for IPv4 traffic and a second one GRE / IPv6 for IPv6 traffic?
    In brief, what is the suggested way to transport IPv4 and IPv6 traffic over the aforementioned (wireless) link?
    I have read http://www.cisco.com/c/en/us/td/docs/ios/12_4/interface/configuration/guide/inb_tun.html#wp1061361 and other Internet material, however I am still confused.
    Please help.
    Thanks in advance,
    Nick

    We have set up two tunnels over the same link, one GRE / IP for the IPv4 traffic and one IPv6 / IP ("manual") for the IPv6 traffic. This setup seems to be working OK.
    If there are other suggestions, please advise.
    Thanks,
    Nick
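
The two encapsulations from this exchange as bytes on the wire, added as an example that is not Cisco IOS code and not from the post: GRE over IPv4 (outer IP protocol 47, with the GRE protocol-type field naming the inner packet, so one GRE tunnel can carry both IPv4 and IPv6) and the manual IPv6-in-IPv4 tunnel (outer IP protocol 41, the inner IPv6 packet following directly). Tunnel endpoints and inner addresses are constructed from documentation ranges.

```python
"""GRE over IPv4 (IP protocol 47) versus manual IPv6-in-IPv4 (IP protocol 41), built and
classified byte by byte. Added example, not Cisco IOS code and not from the post; tunnel and
inner addresses are constructed from documentation ranges (192.0.2.0/24, 2001:db8::/32)."""
import struct

IPPROTO_IPV6 = 41          # 'tunnel mode ipv6ip'
IPPROTO_GRE = 47           # 'tunnel mode gre ip' (the IOS default)
ETHERTYPE_IPV4 = 0x0800
ETHERTYPE_IPV6 = 0x86DD


def ipv4_checksum(header: bytes) -> int:
    """Ones-complement sum of 16-bit words; over a finished header it yields 0."""
    total = sum(struct.unpack(">%dH" % (len(header) // 2), header))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src: bytes, dst: bytes, proto: int, payload_len: int) -> bytes:
    h = struct.pack(">BBHHHBBH4s4s", 0x45, 0, 20 + payload_len, 0, 0x4000, 64, proto, 0, src, dst)
    return h[:10] + struct.pack(">H", ipv4_checksum(h)) + h[12:]


def ipv6_header(src: bytes, dst: bytes, next_header: int, payload_len: int) -> bytes:
    return struct.pack(">IHBB16s16s", 6 << 28, payload_len, next_header, 64, src, dst)


def gre_header(ethertype: int) -> bytes:
    """RFC 2784 base header: C=0, reserved0=0, version=0, then the protocol type."""
    return struct.pack(">HH", 0, ethertype)


def encapsulate(inner: bytes, tun_src: bytes, tun_dst: bytes, mode: str) -> bytes:
    """'gre' wraps either family and records which one in the GRE header;
    'ipv6ip' accepts IPv6 only, as the IOS tunnel mode does."""
    version = inner[0] >> 4
    if mode == "gre":
        payload = gre_header(ETHERTYPE_IPV6 if version == 6 else ETHERTYPE_IPV4) + inner
        return ipv4_header(tun_src, tun_dst, IPPROTO_GRE, len(payload)) + payload
    if mode == "ipv6ip":
        if version != 6:
            raise ValueError("an ipv6ip tunnel carries IPv6 only")
        return ipv4_header(tun_src, tun_dst, IPPROTO_IPV6, len(inner)) + inner
    raise ValueError("unknown tunnel mode %r" % mode)


def classify(outer: bytes) -> tuple:
    """What a firewall on the path sees: (tunnel type, inner IP version)."""
    ihl = (outer[0] & 0x0F) * 4
    if ipv4_checksum(outer[:ihl]) != 0:
        raise ValueError("bad outer header checksum")
    proto = outer[9]
    if proto == IPPROTO_GRE:
        _flags, ethertype = struct.unpack(">HH", outer[ihl:ihl + 4])
        return "gre", 6 if ethertype == ETHERTYPE_IPV6 else 4
    if proto == IPPROTO_IPV6:
        return "6in4", outer[ihl] >> 4
    return "other", 0


# constructed endpoints and inner packets (empty ICMP / ICMPv6 payloads)
TUN_A, TUN_B = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])
INNER_V4 = ipv4_header(bytes([10, 10, 1, 1]), bytes([10, 10, 2, 1]), 1, 0)
INNER_V6 = ipv6_header(bytes.fromhex("20010db8000100000000000000000001"),
                       bytes.fromhex("20010db8000200000000000000000001"), 58, 0)

if __name__ == "__main__":
    for name, pkt in (("v4 in GRE", encapsulate(INNER_V4, TUN_A, TUN_B, "gre")),
                      ("v6 in GRE", encapsulate(INNER_V6, TUN_A, TUN_B, "gre")),
                      ("v6 in ipv6ip", encapsulate(INNER_V6, TUN_A, TUN_B, "ipv6ip"))):
        print(name, classify(pkt), len(pkt), "bytes")
```

The practical consequence for any filter between the two routers: a single GRE tunnel needs only IP protocol 47 permitted, while the two-tunnel setup described above needs both 47 and 41, and a stateful inspection engine that cannot track those protocols must be told to pass rather than inspect them.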

  • Firewall and IPv6, how to block ports?

    I am using free.fr in France, and IPv6 is enabled as part of the service. There are certain services running that were only accessible to the local network, but I now find that if I know the IPv6 address of the machine they are world accessible. I tried limiting services to be only accessible to the local machine, by adjusting the settings in the Firewall configurations in the system preferences, but the services still seem to be world accessible. Do the firewall configurations ignore IPv6? Is there any way to make it so that services are only available to machines in the local networks via IPv6? I suspect I am going to need a command line tool or a third-party tool, but I am willing to deal with this until Apple sorts this out through a security update (please?).
    The machine in question is a G4 based PowerMac, so I can't upgrade to 10.5.

    Hi Andre,
    The machine in question is a G4 based PowerMac, so I can't upgrade to 10.5.
    What speed is it? 867
    Leopard requirements...
    * Mac computer with an Intel, PowerPC G5, or PowerPC G4 (867MHz or faster) processor
    minimum system requirements
    * 512MB of memory
    * DVD drive for installation
    * 9GB of available disk space
    Not sure on IPv6, since the whole purpose seems to be to pinpoint individual computers to the whole world, but IPFW may still work...
    WaterRoof is a firewall management frontend with bandwidth tuning, NAT setup, port redirection, dynamic rules tracking, predefined rule sets, wizard, logs, statistics and other features...
    http://www.macupdate.com/info.php/id/23317
    See also...
    http://oreilly.com/pub/a/mac/2005/03/15/firewall.html
    http://tadek.pietraszek.org/blog/2007/05/01/adding-custom-firewall-rules-in-osx/

  • Tacacs+ and dynamic vlans

    Hi,
    Is there a good howto or tutorial that shows what settings are required to have dynamic VLAN functionality? Using TACACS+ 802.1x/PEAP I can get a domain user authenticated, but I don't follow how the VLAN setup / switching should be done. I want all users that fail domain authentication to be put in VLAN xxx and, if the user does authenticate, to be put into VLAN yyy (I am using 802.1x PEAP and server-side cert only). I am using ACS v3.3, W2K AD, WinXP supplicant, Cat5000. Thanks in advance.

    Yes, you can get the proper documentation at www.cisco.com/techsupport --------> Products --------> Security ----------> select appropriately to go to TACACS and click on view all.
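
The mechanism the question is after, shown as bytes rather than as an ACS screen, as an added example that is not ACS or switch code and not from the thread: after 802.1X/PEAP succeeds, the VLAN travels in the RADIUS Access-Accept as the three tunnel attributes RFC 3580 section 3.31 prescribes, and the switch honours them only as a consistent set after checking the Response Authenticator. The secret, identifier, authenticator and VLAN numbers are constructed.

```python
"""Dynamic VLAN assignment in a RADIUS Access-Accept: Tunnel-Type = VLAN (13),
Tunnel-Medium-Type = IEEE-802 (6), Tunnel-Private-Group-ID = "<vlan>" (RFC 3580 3.31,
encoding from RFC 2868). Added example, not ACS or switch code; all values are constructed."""
from __future__ import annotations
import hashlib
import struct
from typing import Optional

ACCESS_ACCEPT = 2
ATTR_TUNNEL_TYPE = 64
ATTR_TUNNEL_MEDIUM_TYPE = 65
ATTR_TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6
VLAN_ATTRS = (ATTR_TUNNEL_TYPE, ATTR_TUNNEL_MEDIUM_TYPE, ATTR_TUNNEL_PRIVATE_GROUP_ID)


def attr(atype: int, value: bytes) -> bytes:
    """RADIUS attribute TLV: type, length (including the two header octets), value."""
    return struct.pack(">BB", atype, 2 + len(value)) + value


def vlan_attributes(vlan_id: int, tag: int = 1) -> bytes:
    """Tunnel attributes start with a tag octet; the integer ones carry 3 value bytes after it."""
    return (attr(ATTR_TUNNEL_TYPE, bytes([tag]) + TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
            + attr(ATTR_TUNNEL_MEDIUM_TYPE, bytes([tag]) + TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
            + attr(ATTR_TUNNEL_PRIVATE_GROUP_ID, bytes([tag]) + str(vlan_id).encode()))


def access_accept(request_auth: bytes, identifier: int, secret: bytes, attrs: bytes) -> bytes:
    """Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    head = struct.pack(">BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    return head + hashlib.md5(head + request_auth + attrs + secret).digest() + attrs


def verify_response(packet: bytes, request_auth: bytes, secret: bytes) -> bool:
    """What the switch must check before trusting any attribute in the Accept."""
    head, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    return hashlib.md5(head + request_auth + attrs + secret).digest() == resp_auth


def parse_attributes(attrs: bytes) -> list[tuple[int, bytes]]:
    out, i = [], 0
    while i + 2 <= len(attrs):
        atype, alen = attrs[i], attrs[i + 1]
        if alen < 2 or i + alen > len(attrs):
            raise ValueError("malformed attribute")
        out.append((atype, attrs[i + 2:i + alen]))
        i += alen
    return out


def assigned_vlan(packet: bytes) -> Optional[int]:
    """Return the VLAN a switch would apply, or None if the set is incomplete or inconsistent."""
    code, _ident, length = struct.unpack(">BBH", packet[:4])
    if code != ACCESS_ACCEPT:
        return None
    by_tag = {}
    for atype, value in parse_attributes(packet[20:length]):
        if atype not in VLAN_ATTRS or not value:
            continue
        # a leading octet above 0x1F is not a tag but the first byte of the value (RFC 2868)
        tag, data = (value[0], value[1:]) if value[0] <= 0x1F else (0, value)
        by_tag.setdefault(tag, {})[atype] = data
    for found in by_tag.values():
        if (found.get(ATTR_TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and found.get(ATTR_TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big")
                and found.get(ATTR_TUNNEL_PRIVATE_GROUP_ID, b"").isdigit()):
            return int(found[ATTR_TUNNEL_PRIVATE_GROUP_ID])
    return None


if __name__ == "__main__":
    secret, req_auth = b"radiussecret", bytes(range(16, 32))   # constructed
    pkt = access_accept(req_auth, 7, secret, vlan_attributes(200))
    print("authentic:", verify_response(pkt, req_auth, secret), "vlan:", assigned_vlan(pkt))
```

The "failed users go to VLAN xxx" half of the question is not carried by these attributes: an Access-Reject carries no VLAN, so that placement comes from the switch port's own guest or auth-fail VLAN configuration.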

  • WLC and IPv6

    Hi All,
    has anybody experiences with WLC and IPv6? I have activated the Check Box for IPv6 Support, but it does not work. Regards, Michael

    Hi ,
    Have you configured the uplink router/switch to support IPv6? The sample config would look like this:
    ipv6 unicast-routing
    interface FastEthernet0/0.6
     encapsulation dot1Q 56
     ip address 10.50.56.1 255.255.255.0
     ip access-group GNS2 in
     ip access-group GNS2 out
     ip helper-address 10.50.1.21
     ip pim sparse-dense-mode
     ip multicast ttl-threshold 1
     no snmp trap link-status
     ipv6 address 2006::/64 eui-64
     ipv6 address autoconfig
     ipv6 enable
    Let me know if this works for you or not.
    regards
    Seema
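
What the `ipv6 address 2006::/64 eui-64` line in the reply above does, and what a wireless client doing stateless autoconfiguration on that VLAN does, as an added example that is not Cisco code: the low 64 bits are derived from the MAC by inserting ff:fe in the middle and flipping the universal/local bit (RFC 4291 appendix A). The prefix is the one from the reply; the MAC addresses are constructed.

```python
"""Modified EUI-64 interface identifiers, as used by `ipv6 address <prefix>/64 eui-64` and by
SLAAC clients without privacy extensions. Added example, not Cisco code; MACs are constructed."""
from __future__ import annotations
import ipaddress
from typing import Optional


def eui64_interface_id(mac: str) -> bytes:
    """48-bit MAC -> 64-bit modified EUI-64: flip bit 1 of the first octet, insert ff:fe."""
    raw = bytes.fromhex(mac.replace(":", "").replace("-", "").replace(".", ""))
    if len(raw) != 6:
        raise ValueError("expected a 48-bit MAC address")
    return bytes([raw[0] ^ 0x02]) + raw[1:3] + b"\xff\xfe" + raw[3:6]


def slaac_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The address an interface forms from a /64 prefix (global or fe80::/64) and its MAC."""
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 addressing needs a /64 prefix")
    iid = int.from_bytes(eui64_interface_id(mac), "big")
    return ipaddress.IPv6Address(int(net.network_address) | iid)


def mac_from_eui64(addr: str) -> Optional[str]:
    """The reverse: an EUI-64 address carries the MAC, which makes a client trackable across
    prefixes and networks; that is why hosts prefer RFC 4941 privacy addresses."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    raw = bytes([iid[0] ^ 0x02]) + iid[1:3] + iid[5:8]
    return ":".join("%02x" % b for b in raw)


if __name__ == "__main__":
    mac = "00:1b:2c:3d:4e:5f"
    for prefix in ("2006::/64", "fe80::/64"):
        a = slaac_address(prefix, mac)
        print(prefix, "->", a, "-> MAC", mac_from_eui64(str(a)))
```

Two things worth knowing when reading a WLC's client table: the same MAC yields the same interface identifier under every prefix, so the global and link-local addresses share their last 64 bits, and any client whose address contains ff:fe at that position is exposing its hardware address to every peer it talks to.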

  • FWSM: AAA authentication using TACACS and local authorization

    Hi All,
    In our setup, we have FWSMs running version 3.2.22 and users are authenticating using TACACS (running Cisco ACS). We would like to give restricted access (some show commands) to a couple of users on all devices. We do not want to use TACACS for command authorization.
    We have created users on TACACS and not allowed "enable" access to them. I have also given those show commands locally on the firewall with privilege level 1 and enabled aaa authorization LOCAL.
    Now , those users can successfully login to devices and execute those show commands from priv level 1 except "sh access-list".  I have specifically mentioned this
    "privilege show level 1 mode exec command access-list"  in the config.
    Is there anything i am missing or is there any other way of doing it?
    Thanks.

    You cannot do what you are trying to do. For default login you need to use the first policy matched.
    You can diversify telnet/ssh from http by creating different aaa groups.
    But you will still be logging in telnet users (all of them) using one method.
    I hope it is clear.
    PK

  • U-verse, Time Capsule and IPv6

    Can anyone recommend the best settings related to IPv6 when using ATT U-verse and Time Capsule?  Time Capsule is set-up in Bridge Mode and IPv6 enabled on U-Verse Modem/Router.
    Should IPv6 be set to Automatic or Link-Local on Time Capsule or should I disable IPv6 all together?

    Because the other settings either do not work, or do not work reliably.....but Apple is "working on it".

  • ZBF in a mixed ipv4 and ipv6 environment, don't touch ipv4

    I have a dual-stacked router for both IPv4 and IPv6. IPv4 traffic should pass the ZBF untouched, because there is another rock-solid IPv4 firewall at the egress of the inside interface. Is there a way that a class map like this could function on IPv6 traffic only?
    class-map type inspect match-any fullproto
     description Permitted Traffic to internet
     match protocol http
     match protocol https
     match protocol dns
     match protocol imaps
     match protocol icmp
     match protocol ftp
     match protocol ntp
     match protocol rtsp
     match protocol realmedia
     match protocol netshow
     match protocol appleqtc
     match protocol streamworks
     match protocol vdolive
     match protocol ssh
     match protocol user-rdp
    So far there is only a CBAC solution in place for ipv6.
    I'm showing my Interfaces:
    interface FastEthernet0/0
     description *** Inside IPV6 ***
     no ip address
     speed auto
     full-duplex
     ipv6 address FE80::1 link-local
     ipv6 address ????:????:????:10::1/64
     ipv6 nd other-config-flag
     ipv6 dhcp relay destination ?:?:?:10::12
     ipv6 traffic-filter inne6-inn in
     no cdp enable
     no mop enabled
    interface FastEthernet0/0.4
     description *** Inside IPV4 ***
     encapsulation dot1Q 4
     ip address 82.?.?.129 255.255.255.248
     no cdp enable
    interface FastEthernet0/1
     description *** Outside ***
     ip address 82.?.?.42 255.255.255.252
     no ip redirects
     no ip unreachables
     no ip proxy-arp
     speed auto
     full-duplex
     ipv6 address FE80::2 link-local
     ipv6 address ?:599::2/126
     ipv6 enable
     ipv6 nd prefix default no-advertise
     ipv6 nd prefix ?:599::/126 no-advertise
     ipv6 nd managed-config-flag
     ipv6 nd other-config-flag
     ipv6 nd router-preference High
     ipv6 inspect ipv6-cbac out
     ipv6 traffic-filter ut-inn6 in
     no cdp enable
     no mop enabled
    Please advise.
    Regards,
    Henning

    I didn't test it, but what about the following:
    Configure a new class-map where you match on an ipv6 access-list "any to any"
    Configure a third class map of type "match-all" where you match on your "fullproto" class-map and also the above ipv6 class-map. For this class map you configure your inspections.
    For ipv4-traffic you configure a class with a "pass" action in both directions.
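
A small model of how an IOS zone-based firewall picks the class inside a policy-map, added as an example for the two ZBF threads above; it is not IOS code and not from either post. Classes are tried in order and the first match wins, a match-any class-map needs one of its lines to match while a match-all class-map needs every line, and a class-map may nest another class-map. The model reproduces the 6in4 (IP protocol 41) packets being swallowed by an earlier `ip any any` class in the Hurricane Electric thread, and the nested IPv6-only class suggested here for the dual-stack router. Class names, addresses and packets are constructed.

```python
"""Model of IOS zone-based firewall class selection: first-match policy-map, match-any versus
match-all class-maps, and nested class-maps. Added example, not IOS code, for the two ZBF
threads above; class names, addresses and packets are constructed."""
from __future__ import annotations
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Packet:
    version: int                 # 4 or 6
    proto: str                   # "tcp", "udp", "icmp", "41", ...
    dst: str = "any"
    app: Optional[str] = None    # what protocol inspection would classify it as, e.g. "http"


@dataclass
class ClassMap:
    name: str
    mode: str                                            # "match-any" or "match-all"
    protocols: list[str] = field(default_factory=list)   # one 'match protocol X' per entry
    acl: Optional[list[tuple[int, str, str]]] = None     # 'match access-group': (ip version, proto or "ip", dst or "any")
    nested: list[ClassMap] = field(default_factory=list) # 'match class-map X'

    def criteria(self, pkt: Packet) -> list[bool]:
        """One boolean per match line, in the order the lines appear in the class-map."""
        results = [p in (pkt.app, pkt.proto) for p in self.protocols]
        if self.acl is not None:
            # an IPv4 ACL never matches IPv6 packets and vice versa; the ACL is first-match itself
            results.append(any(v == pkt.version and p in ("ip", pkt.proto) and d in ("any", pkt.dst)
                               for v, p, d in self.acl))
        results.extend(c.matches(pkt) for c in self.nested)
        return results

    def matches(self, pkt: Packet) -> bool:
        r = self.criteria(pkt)
        return any(r) if self.mode == "match-any" else bool(r) and all(r)


def first_match(policy: list[tuple[ClassMap, str]], pkt: Packet) -> tuple[str, str]:
    """policy is the policy-map: an ordered list of (class-map, action). Unmatched traffic
    falls to class-default, configured as drop in both threads."""
    for cmap, action in policy:
        if cmap.matches(pkt):
            return cmap.name, action
    return "class-default", "drop"


# Thread 1: self-to-WAN policy. cm-selftowan ('permit ip any any') sits first, so the 6in4
# packets to the tunnel broker never reach the protocol-41 class; they get 'inspect', which
# cannot track protocol 41, and the %FW-6-DROP_PKT messages follow.
cm_selftowan = ClassMap("cm-selftowan", "match-all", acl=[(4, "ip", "any")])
cm_he_out = ClassMap("cm-selftowan-he-out", "match-all",
                     acl=[(4, "41", "any"), (4, "ip", "216.66.80.26")])
ORIGINAL_SELF_TO_WAN = [(cm_selftowan, "inspect"), (cm_he_out, "pass")]
FIXED_SELF_TO_WAN = [(cm_he_out, "pass"), (cm_selftowan, "inspect")]   # tunnel class first

# Thread 1 pitfall: a match-all class listing several 'match protocol' lines requires a
# packet to be all of them at once, so it matches nothing.
IPV6_INTERNET_CLASS_MATCH_ALL = ClassMap("IPv6-internet-class", "match-all",
                                         protocols=["tcp", "udp", "icmp", "ftp"])

# Thread 2, the reply's suggestion: fullproto stays match-any; a match-all class nests it
# together with an IPv6 'permit ipv6 any any' class, and IPv4 gets a plain pass class first.
fullproto = ClassMap("fullproto", "match-any", protocols=["http", "https", "dns", "icmp", "ssh"])
ipv6_any = ClassMap("ipv6-any", "match-all", acl=[(6, "ip", "any")])
ipv6_fullproto = ClassMap("ipv6-fullproto", "match-all", nested=[fullproto, ipv6_any])
ipv4_any = ClassMap("ipv4-any", "match-all", acl=[(4, "ip", "any")])
DUAL_STACK_POLICY = [(ipv4_any, "pass"), (ipv6_fullproto, "inspect")]


if __name__ == "__main__":
    sixin4 = Packet(4, "41", "216.66.80.26")
    print("original order:", first_match(ORIGINAL_SELF_TO_WAN, sixin4))
    print("tunnel class first:", first_match(FIXED_SELF_TO_WAN, sixin4))
    print("match-all protocols:", first_match([(IPV6_INTERNET_CLASS_MATCH_ALL, "inspect")],
                                              Packet(6, "tcp", app="http")))
    for pkt in (Packet(4, "tcp", app="http"), Packet(6, "tcp", app="http"), Packet(6, "udp", app="snmp")):
        print("dual-stack:", pkt, "->", first_match(DUAL_STACK_POLICY, pkt))
```

The model is deliberately literal about ordering: the fix in the first thread is not a new action but getting the protocol-41 class evaluated before the catch-all, and the match-all trap applies equally to the `IPv6-internet-class` in that thread's original config, which lists four `match protocol` lines under match-all.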

  • Jpcap and ipv6 ?

    Hi everybody,
    I have to send and receive IPv6 packets. So I tried to use jpcap, and I encountered a problem : I can send ipv4 packets but when I try to send an ipv6 packet I get an error :
    java.io.IOException: only IPv4 packet is supported
    at jpcap.JpcapSender.sendPacket(Native Method)
    I send an IPPacket which can be filled with ipv4 and ipv6. Is this impossible or do I make a mistake ?
    Best regards,
    Tycho

    Please can you post the code for sending IPv4 packets, because I have a problem with these packets.

  • E1200 PPPoE and IPv6

    Have a v2 E1200.  Connect with PPPoE to ISP.  IPv4 works fine.  With firmware included on router, 2.0.01, it would receive a /64 of IPv6 from the ISP.  This /64 would show up under 'status' / 'local network'.  Although it did not seem to advertise this space to PC's on my network so I was unable to use it.  I updated firmware to 2.0.04.  Now it does not even pick up the IPv6 /64 at all.
    Anyone have PPPoE and IPv6 working?  Anywhere I can download 2.0.01 to try it again?
    Is there a model of router that actually works with IPv6?

    Usually you have to power cycle both the modem and router to get it to work. Manual 6rd tunnel works on E4200v2/EA4500 with DSL PPPoE. Auto tunnel doesn't work with my connection, but it might with yours.
    If you have AT&T, here's the 6rd info.
    http://www.att.com/esupport/article.jsp?sid=KB414401&cv=801&title=IPv6%20compatibility%20for%20IFITL...
    Also, if your internet connection type is PPPoE, you should always check your MTU. More than likely you'll need to set it manual and enter the appropriate mtu.
    For ADSL PPPoE, the MTU is 1492.
    http://homekb.cisco.com/Cisco2/GetArticle.aspx?docid=266cc1c7b97c458fb04c2da21f985828_List_of_Common...

  • Problems getting TACACS and SNTP to work on CSS11500

    Hi,
    I have a problem with TACACS and SNTP on a pair of CSS11501s and a pair of CSS11503s
    I have configured a TACACS server and an SNTP server which are accessible out the management interface. There is a route to these devices out the management interface. They aren't pingable, but if I span the management port and sniff it I can see the ICMP requests leaving the interface if I try to ping any of them. The problem is that the device sends no SNTP packets to the server and it never sends any packets to the TACACS server on the management or any of the other ports - it's as if both services are somehow disabled. I did some debugging as per doc 27000 on CCO and I do get the message "SECURITY-7: Security Manager sending error 7 reply to xyz" which the doc suggests is a key mismatch, but I don't think it can be, as the device isn't even trying to connect to the TACACS server on port 49.
    Am I missing something obvious?
    I've pasted the relevant parts of the config below
    Thanks in advance,
    Dom
    lab-fe-2# show run
    !Generated on 11/20/2009 09:40:18
    !Active version: sg0820303
    configure
    !*************************** GLOBAL ***************************
      sntp primary-server 10.52.240.1 version 3
      sntp secondary-server 10.52.240.2 version 3
      virtual authentication primary tacacs
      virtual authentication secondary local
      tacacs-server key xxxxxxxxxxxxx
      tacacs-server 10.52.255.201 49
      ip management route 10.52.240.0 255.255.240.0 10.55.2.252
      ip route 0.0.0.0 0.0.0.0 10.55.3.254 1
    !************************* INTERFACE *************************
    interface e1
      bridge vlan 2503
      phy 100Mbits-FD
    interface e2
      bridge vlan 2004
      phy 100Mbits-FD
    interface Ethernet-Mgmt
      phy 10Mbits-FD
    !************************** CIRCUIT **************************
    lab-fe-2# show boot
    !************************ BOOT CONFIG ************************
      ip address 10.55.2.245
      subnet mask 255.255.255.0
      primary boot-file sg0820303
      primary boot-type boot-via-disk
      gateway address 10.55.2.252
    lab-fe-2#
    lab-fe-2# show tacacs-server
    Per-Server Status:
    IP/Port              State   Primary        Authen.      Author.      Account
    10.52.255.201:49     Dead    No                   0            0            0
    Totals:                                           0            0            0
    Per-Server Configuration:
    IP/Port              Key              Server Timeout        Server Frequency
    10.52.255.201:49     Not Configured   None                  None
    Global Configuration Parameters:
    Global Timeout:                5
    Global KAL Frequency:          5
    Global Key:                    Configured
    Authorize Config Commands:     No
    Authorize Non-Config Commands: No
    Account Config Commands:       No
    Account Non-Config Commands:   No
    Send Full Command:             Yes
    end of buffer.
    lab-fe-2#

    I have got to the bottom of this. It looks like the CSS cannot authenticate users using a TACACS server over the management interface unless the TACACS server is located on the same subnet as the management interface:
    The Ethernet management port provides a connection to the CSS that allows you to perform CSS management functions. The Ethernet management port supports management functions such as secure remote login through SSH, remote login through Telnet, file transfer through active FTP, SNMP queries, HTTPS access to the Device Management user interface, SNTP, DNS, ICMP redirects, RADIUS, syslog, CDP, TACACs, and CSS configuration changes through XML.
    Note When using static routes for managing the CSS from subnets beyond the management LAN, the Ethernet management port supports the management applications listed above, except CDP, DNS, SNTP, and TACACs. For more information on static routes, see the "Configuring Static Routes for the Ethernet Management Port" section.
    I'm going to have to configure NAT on the Management port's gateway device so the CSS thinks the TACACS server is on the same subnet.
    The confusing thing about this is that this is documented up to version 7.40, but it's not mentioned in the documentation for 7.5, 8.1 or 8.2 and neither is it mentioned that it is supported in the release notes of any of those versions.
    Cheers, Dom   
