Routing

TACACS Auth via VRF?

10-25-2017 06:39 AM

MX platform. I've found that if the route to the TACACS server is via a VRF, TACACS authentication does not work. There is no routing-instance option under the [system tacplus-server] config. There is no TACACS config available under the VRF instance either. I can ping the TACACS server only when sourced from the routing-instance. So IP reachability to the TACACS server is not the issue. I have a JTAC case open but it's slow moving.

I found this post from 2011, so I'm curious if this is accurate and if there is a workaround I can implement.

https://forums.juniper.net/t5/Junos/Tacacs-within-VRF-routing-instances/td-p/76378

Re: TACACS Auth via VRF?

10-25-2017 11:22 AM

Hi dbird,

The TACACS+ server has to be reachable from the global routing table. You can try the option below to achieve this:

1. Leak the server address from the routing-instance to the global table, and use a source address from the global instance; that address
should be reachable from the server. So again leak the route from the global table (only the source address) to the routing instance.

i.  set routing-options static route <server ip> next-table RI.inet.0

ii. set routing-instances RI routing-options static route <global instance source address> next-table inet.0

Make sure tacacs has reachability back to the router's global instance source address.

2. After the mutual route leak the server will be reachable via the global instance and it will start authenticating.

 

Hope this helps

Mark this as solution if it helps

Kudos always appreciated

Re: TACACS Auth via VRF?

10-25-2017 07:51 PM

You can do it in the following way...

set system tacplus-server x.x.x.x secret < >
set system tacplus-server x.x.x.x
set system tacplus-server x.x.x.x source-address <ip of lo0.1>

set interfaces lo0.1 family inet address y.y.y.y

set routing-instances RI1 interface lo0.1

set routing-options static route x.x.x.x no-resolve

set routing-options static route x.x.x.x next-table RI1.inet.0
set routing-options static route x.x.x.x no-readvertise
****************************

Make sure that your routing instance has a route to reach TACPLUS.

Mark this solution as accepted if it resolved your issue..

Kudos would be appreciated too..

*************************************
HTH.
Accept this as solution if it resolved your issue.
Kudos would be appreciated too.
Re: TACACS Auth via VRF?

10-26-2017 07:27 AM

vvadivel,

commit fails "next-table may loop"

Re: TACACS Auth via VRF?

10-26-2017 07:28 AM

Does not work. I see the route in the global, but no TACACS (tcp port 49) leaves the router. No change essentially.

Re: TACACS Auth via VRF?

10-26-2017 09:20 PM
Then you may leak the route from the VRF table to inet.0 for tacplus reachability using ribs and solve your issue. Please mark this as the accepted solution if it resolved the issue. Kudos would be appreciated too.

*************************************
HTH.
Accept this as solution if it resolved your issue.
Kudos would be appreciated too.
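Added example, written by the editor and not taken from any reply in this thread, of the rib-group style of leaking that the reply above alludes to ("using ribs"). Rib-groups copy routes between tables without installing next-table entries, so they do not trigger the "next-table may loop" commit error reported earlier for two next-table statements pointing at each other. Every name and address here is an assumption: a virtual-router instance RI1 that reaches the TACACS+ server 192.0.2.10 through next-hop 198.51.100.254 on ge-0/0/1.0, and a global source address 203.0.113.1 on lo0.0. Only the server /32 is copied into inet.0 and only the source /32 into RI1.inet.0, so the leak does not widen reachability between the two tables in either direction.

```junos
## Editor's example, not from the thread. Assumed: VRF RI1, TACACS+ server 192.0.2.10
## behind 198.51.100.254 on ge-0/0/1.0, global source address 203.0.113.1 on lo0.0.

## Global source address the TACACS+ client binds to
set interfaces lo0 unit 0 family inet address 203.0.113.1/32
set system tacplus-server 192.0.2.10 secret "<shared-secret>"
set system tacplus-server 192.0.2.10 source-address 203.0.113.1
set system authentication-order [ tacplus password ]

## Instance that actually holds the path to the server
set routing-instances RI1 instance-type virtual-router
set routing-instances RI1 interface ge-0/0/1.0
set routing-instances RI1 routing-options static route 192.0.2.10/32 next-hop 198.51.100.254

## RI1.inet.0 -> inet.0: copy RI1's static routes, but let only the server /32 into inet.0.
## The first import-rib is the primary (source) table; the rest are secondary tables.
set routing-options rib-groups RI1-TO-GLOBAL import-rib [ RI1.inet.0 inet.0 ]
set routing-options rib-groups RI1-TO-GLOBAL import-policy LEAK-TACACS-ONLY
set routing-instances RI1 routing-options static rib-group RI1-TO-GLOBAL

## Import policy is evaluated per target table; "to rib inet.0" scopes the reject to the
## secondary table so RI1's own table keeps all of its routes.
set policy-options policy-statement LEAK-TACACS-ONLY term server from route-filter 192.0.2.10/32 exact
set policy-options policy-statement LEAK-TACACS-ONLY term server then accept
set policy-options policy-statement LEAK-TACACS-ONLY term no-other-leaks to rib inet.0
set policy-options policy-statement LEAK-TACACS-ONLY term no-other-leaks then reject

## inet.0 -> RI1.inet.0: copy the lo0.0 interface route so the server's replies
## (arriving on ge-0/0/1.0, destined to 203.0.113.1) have a route in RI1.
set routing-options rib-groups GLOBAL-TO-RI1 import-rib [ inet.0 RI1.inet.0 ]
set routing-options rib-groups GLOBAL-TO-RI1 import-policy LEAK-SOURCE-ONLY
set routing-options interface-routes rib-group inet GLOBAL-TO-RI1

set policy-options policy-statement LEAK-SOURCE-ONLY term source from route-filter 203.0.113.1/32 exact
set policy-options policy-statement LEAK-SOURCE-ONLY term source then accept
set policy-options policy-statement LEAK-SOURCE-ONLY term no-other-leaks to rib RI1.inet.0
set policy-options policy-statement LEAK-SOURCE-ONLY term no-other-leaks then reject
```

After commit, `show route 192.0.2.10 table inet.0` should list the static route with RI1's next hop, and `show route 203.0.113.1 table RI1.inet.0` should show the lo0.0 route; if either is missing, the matching rib-group or policy is the place to look. Test the login from a second session before closing the one you are configuring from, and `monitor traffic interface ge-0/0/1 matching "tcp port 49"` will show whether TACACS+ packets are now leaving on the instance interface.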
Re: TACACS Auth via VRF?

11-06-2019 11:54 PM

This is an old topic but still relevant.

Leaking global routes into the routing instance is only possible if the global table has the routes for the destinations. Another solution is to reverse the interfaces into a routing instance. The customer/internet traffic is kept separated from management and all functions work... tacacs, ntp, snmp, etc.

* BEFORE

inside/outside  -->  global

management  -->  routing instance

* AFTER

inside/outside  -->  routing instance

management  -->  global

Re: TACACS Auth via VRF?

11-07-2019 01:19 AM

Hello,

No need for complex workarounds anymore.

In JUNOS 18.2+, one can configure TACACS to work inside a VRF:

https://www.juniper.net/documentation/en_US/junos/information-products/topic-collections/release-not...

Existing TACACS+ behavior is made VRF aware (MX Series)—Starting in Junos OS Release 18.2R1, the routing-instance statement at the [edit system tacplus-server server-address] hierarchy level and [edit system accounting destination tacplus server server-address] hierarchy level can now be used to configure any routing instance present at the [edit routing-instances] hierarchy level.

HTH

Thx

Alex

_____________________________________________________________________

Please ask Your Juniper account team about Juniper Professional Services offerings.
Juniper PS can design, test & build the network/part of the network as per Your requirements

+++++++++++++++++++++++++++++++++++++++++++++

Accept as Solution = cool !
Accept as Solution+Kudo = You are a Star !
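Added example, written by the editor and not Alex's or Juniper's own configuration, showing the 18.2R1 `routing-instance` statement from the release note above applied to both the authentication and the accounting hierarchy, so that neither route leaking nor a next-table entry is needed. Assumed names and addresses: a virtual-router instance MGMT holding ge-0/0/1.0 and lo0.1, TACACS+ server 192.0.2.10 behind next-hop 198.51.100.254, source address 203.0.113.1 on lo0.1. The `remote` template user is given the read-only class so a user the server merely authenticates gets the least privilege; administrators are mapped to a more privileged template through the `local-user-name` attribute the TACACS+ server returns.

```junos
## Editor's example, not from the thread. Requires Junos OS 18.2R1 or later (MX Series).
## Assumed: instance MGMT with ge-0/0/1.0 and lo0.1, server 192.0.2.10 via 198.51.100.254,
## source address 203.0.113.1 on lo0.1.

## Management instance that owns the path to the TACACS+ server
set interfaces lo0 unit 1 family inet address 203.0.113.1/32
set routing-instances MGMT instance-type virtual-router
set routing-instances MGMT interface ge-0/0/1.0
set routing-instances MGMT interface lo0.1
set routing-instances MGMT routing-options static route 192.0.2.10/32 next-hop 198.51.100.254

## Authentication: the routing-instance statement makes the client look up
## 192.0.2.10 in MGMT.inet.0 instead of inet.0
set system tacplus-server 192.0.2.10 routing-instance MGMT
set system tacplus-server 192.0.2.10 source-address 203.0.113.1
set system tacplus-server 192.0.2.10 secret "<shared-secret>"
set system tacplus-server 192.0.2.10 timeout 5
set system tacplus-server 192.0.2.10 single-connection
set system authentication-order [ tacplus password ]

## Accounting to the same server, also inside the instance
set system accounting events [ login change-log interactive-commands ]
set system accounting destination tacplus server 192.0.2.10 routing-instance MGMT
set system accounting destination tacplus server 192.0.2.10 source-address 203.0.113.1
set system accounting destination tacplus server 192.0.2.10 secret "<shared-secret>"

## Template users: "remote" is the default mapping and stays read-only;
## the server returns local-user-name = admin-template for administrators
set system login user remote uid 2001 class read-only
set system login user admin-template uid 2002 class super-user
```

`show route 192.0.2.10 table MGMT.inet.0` confirms the server is reachable inside the instance, and `show system login` after a test login from a second session shows which template the session landed on. Keep the existing session open until that test succeeds, since a wrong secret or instance name locks out TACACS+ logins while `password` in the authentication order still admits local accounts.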