Wired Intelligent Edge

I'm trying to authenticate against a TACACS server group on a MAS.  Despite configuring the RADIUS source interface and NAS IP to the loopback, the switch uses a random SVI as it's source TACACS interface.  This should either be configurable like the RADIUS source or it should automatically use the RADIUS source interface.  Any way of getting this to work currently without having to add addditional device IPs/Keys to my TACACS server?

Thecompnerd,

We currently do not have a command to set the source interface for Tacacs (same with Mobility Controllers). However you should be able to modify the switch/controller IP and traffic should be sourced from there. If you issue "show switch ip", does it display the random SVI you mentioned?

(host) #show switch ip

Switch IP Address: 10.73.4.202

Switch IP is configured to be Vlan Interface: 4

If so, go to the IP-Profile and set "controller-ip interface vlan X" so that it uses the RVI you want it to.

If you are using Tunneled-Node, making a change to the controller-ip may have an impact as that is also the interface that the GRE is sourced from so make sure that your Mobility Controller can get to that IP as well from a routing perspective.

Best regards,

Madani

No, the TACACS packets are being sourced from a different SVI.  The "controller ip" is set as the loopback interface.

Edit ----

I should mention that I do have this configuration working at another campus, but I'm using an SVI rather than a loopback as the controller ip.

Hmm, I'll have to verify with engineering the behavior. Shame on me for not testing first.

Even though this does not help you in the near term, I recommened you vote for support of a tacacs source interface knob. Here is the idea portal entry I have on this.

https://na2.salesforce.com/ideas/viewIdea.apexp?id=08740000000LEXl

No problem.  The controller IP interface would be a decent enough workaround if it worked correctly.  I don't mind submitting a feature request.  Your link above doesn't work for me.

So just to confirm, when the controller-ip on this one stack is set to a loopback TACACS does not source from this interface but stacks where you have controller-ip set to an RVI/SVI, it does. Is that correct?

Also try to go to this link:

https://arubanetworkskb.secure.force.com/cp/ideas/ideaList.apexp

Then you should be able to change the category and set it to Mobility Access Switches, the third or fourth idea should be for TACACS.

Best regards,

Madani

That's correct.  We aren't tunneling any nodes on anhy of our stacks, so assuming changing the controller-ip to an SVI won't have any other affect I may change it just as a test.

Thanks - I just voted up the idea.

I tested changing the controller-ip to several different SVIs on the switch and it's still not working.  The switch continues to use this one SVI regardless of the controller-ip I set.  I'll open up a ticket with TAC.

I managed to get this working by changing the metric to a higher number on the erroneous interface. No other solution seemed to work.