VRF support for TACACS+
An overview of VRF support for TACACS+ and configuration examples.
TACACS+ must run on a single routing instance. When you configure TACACS+ without specifying an instance, the TACACS+ servers start in the default routing instance. If you specify a nondefault routing instance, you must verify that all TACACS+ servers configured for AAA are reachable from the same routing instance.
The examples in this section use the following values:
- routing instance = BLUE
- TACACS+ servers 10.10.30.24 (TAC-1) and 10.10.30.25 (TAC-2)
- secret = secured
In the following example, the TACACS+ servers start in the default routing instance.
vyatta@R1# set system login tacplus-server 10.10.30.24 secret secured
vyatta@R1# set system login tacplus-server 10.10.30.25 secret secured
vyatta@R1# commit
vyatta@R1# run show configuration
system {
    login {
        tacplus-server 10.10.30.24 {
            secret "********"
        }
        tacplus-server 10.10.30.25 {
            secret "********"
        }
        user vyatta {
            authentication {
                encrypted-password "********"
            }
            level superuser
        }
    }
}
The following example shows how to configure the same servers to run in the BLUE routing instance.
vyatta@R1# set routing routing-instance BLUE system login tacplus-server 10.10.30.24 secret secured
vyatta@R1# set routing routing-instance BLUE system login tacplus-server 10.10.30.25 secret secured
vyatta@R1# commit
vyatta@R1# run show configuration
routing {
    routing-instance BLUE {
        system {
            login {
                tacplus-server 10.10.30.24 {
                    secret "********"
                }
                tacplus-server 10.10.30.25 {
                    secret "********"
                }
            }
        }
    }
}
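The single-routing-instance requirement stated above can be checked offline against a saved configuration. The following Python script is an added example, not part of the Vyatta documentation or tooling; it assumes well-formed input in the brace format shown on this page, and the function names and the "default" label are chosen here for illustration.

```python
import re

# Constructed sample in the brace format "show configuration" prints on this page:
# TAC-1 sits in the default instance and TAC-2 in BLUE, which violates the rule.
SPLIT_CONFIG = """\
system {
    login {
        tacplus-server 10.10.30.24 {
            secret "********"
        }
    }
}
routing {
    routing-instance BLUE {
        system {
            login {
                tacplus-server 10.10.30.25 {
                    secret "********"
                }
            }
        }
    }
}
"""

def tacplus_instances(config_text):
    """Return {instance name: [server addresses]}; top-level servers map to 'default'."""
    stack, found = [], {}
    for raw in config_text.splitlines():
        line = raw.strip()
        if line.endswith("{"):
            stack.append(line[:-1].strip())
            server = re.fullmatch(r"tacplus-server (\S+)", stack[-1])
            if server and stack[-3:-1] == ["system", "login"]:
                instance = "default"  # label chosen here for the unnamed instance
                for node in stack:
                    if node.startswith("routing-instance "):
                        instance = node.split(None, 1)[1]
                found.setdefault(instance, []).append(server.group(1))
        elif line == "}" and stack:
            stack.pop()
    return found

def check_single_instance(config_text):
    """True when every tacplus-server is configured in one routing instance."""
    found = tacplus_instances(config_text)
    return len(found) <= 1, found

print(check_single_instance(SPLIT_CONFIG))
```

A result of False together with more than one key in the returned mapping means that TACACS+ servers are configured in different routing instances.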
For more information about TACACS+ and how to configure it, see the Ciena Vyatta Network OS Basic System Configuration Guide.