
We just got a new Supervisor7 with os 3.4.1. I'm trying to configure authentication with tacacs, and I can't understand how to make it work. This configuration works on our other switches, but it doesn't work on this 4500.

aaa new-model
username cisco privilege 15 secret 5 $1$qLGb$VQ7BdaJEpzGFqPeC979Uh1
tacacs-server host 10.4.25.8 key ourKeyIsSecret
aaa authentication login default group tacacs+ local
line vty 0 15
 login authentication default

We can only login with the fallback password. The switch is not even trying to contact tacacs.

Can anyone help?

Mike Pennington
Nachos
    Are you able to ping the tacacs+ server? `show tacacs` should reveal some info as well as `debug tacacs events`. – generalnetworkerror Aug 08 '13 at 06:05
  • `#ping vrf mgmtVrf 10.4.25.8 Type escape sequence to abort. Sending 5, 100-byte ICMP Echos to 10.4.25.8, timeout is 2 seconds: !!!!! Success rate is 100 percent (5/5), round-trip min/avg/max = 1/2/4 ms` – Nachos Aug 08 '13 at 11:56

2 Answers


This configuration works on our other switches, but it doesn't work on this 4500.

You're using the on-board Sup7 FastEthernet port, so this is your problem:

aaa authentication login default group tacacs+ local
                                 ^^^^^^^^^^^^^

The Sup7 OOB port is in a VRF; therefore, you have to configure Tacacs+ in a VRF.

aaa new-model
!
no tacacs-server host 10.4.25.8
!
aaa group server tacacs+ TacacsVrf
  server-private 10.4.25.8 key ourKeyIsSecret
  ip vrf forwarding mgmtVrf
  ip tacacs source FastEthernet1
!
aaa authentication login default group TacacsVrf local
Mike Pennington
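As an added example (not part of the answer above), a small Python lint that reads an IOS config snippet and flags the mismatch discussed here: a login method list that points at the global `tacacs+` group, or a VRF-bound server group missing its `server-private` entry or `ip tacacs source` interface. The two sample configs are constructed from the snippets on this page, not captured from a device.

```python
import re

# Constructed samples: the question's broken snippet and the VRF-aware fix.
BROKEN = """\
tacacs-server host 10.4.25.8 key ourKeyIsSecret
aaa authentication login default group tacacs+ local
"""
FIXED = """\
aaa group server tacacs+ TacacsVrf
  server-private 10.4.25.8 key ourKeyIsSecret
  ip vrf forwarding mgmtVrf
  ip tacacs source FastEthernet1
aaa authentication login default group TacacsVrf local
"""

def parse_groups(cfg):
    """Map each 'aaa group server tacacs+' block to its vrf, servers and source."""
    groups, cur = {}, None
    for line in cfg.splitlines():
        m = re.match(r"aaa group server tacacs\+ (\S+)", line)
        if m:
            cur = groups.setdefault(m.group(1), {"vrf": None, "servers": [], "source": None})
        elif not line.startswith(" "):
            cur = None                      # any unindented line ends the block
        elif cur is not None:
            body = line.split()
            if body[0] == "server-private":
                cur["servers"].append(body[1])
            elif "forwarding" in body:      # 'ip vrf forwarding X' or 'vrf forwarding X'
                cur["vrf"] = body[-1]
            elif body[:3] == ["ip", "tacacs", "source"]:
                cur["source"] = body[-1]
    return groups

def lint_tacacs(cfg):
    """Flag login method lists that cannot reach TACACS+ through a VRF-only port."""
    findings, groups = [], parse_groups(cfg)
    for m in re.finditer(r"^aaa authentication login (\S+) (.+)$", cfg, re.M):
        name, methods = m.group(1), m.group(2).split()
        for grp in (methods[i + 1] for i, t in enumerate(methods) if t == "group"):
            if grp == "tacacs+":
                findings.append(f"{name}: global tacacs+ servers; unreachable when the mgmt port is in a VRF")
            elif grp not in groups:
                findings.append(f"{name}: references undefined server group {grp}")
            else:
                g = groups[grp]
                if g["vrf"] and not g["servers"]:
                    findings.append(f"{name}: {grp} is in vrf {g['vrf']} but has no server-private")
                if g["vrf"] and not g["source"]:
                    findings.append(f"{name}: {grp} is in vrf {g['vrf']} but sets no ip tacacs source")
    return findings
```

Running `lint_tacacs(BROKEN)` returns one finding for the global `tacacs+` group, while `lint_tacacs(FIXED)` returns an empty list.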

This is part of the config I am using on a 4506 running 12.2.

username failsafe secret [local password]
aaa new-model
!
!
aaa authentication attempts login 3
aaa authentication fail-message ^Your fail message here.^
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
!
aaa session-id common
tacacs-server host [IP address]
tacacs-server timeout 10
no tacacs-server directed-request
tacacs-server key [key]

Nothing on VTY for login. Hope it helps.

trendy