December 2006
Intermediate to advanced
1188 pages
72h 8m
English
Content preview from Cisco IOS Cookbook, 2nd EditionBecome an O’Reilly member and get unlimited access to this title plus top books and audiobooks from O’Reilly and nearly 200 top publishers, thousands of courses curated by job role, 150+ live events each month,
Start your free trial
Setting the IP Source Address for TACACS+ Messages
Problem
You want the router to use a particular source IP address when sending TACACS+ logging messages.
Solution
The ip tacacs source-interface configuration command allows you to specify a particular source IP address for TACACS logging messages:
Router1#configure terminalEnter configuration commands, one per line. End with CNTL/Z. Router1(config)#ip tacacs source-interfaceRouter1(config)#Loopback0endRouter1#
Note that implementing this command will not only affect AAA accounting; it will also affect AAA authentication and AAA authorization.
Discussion
Normally, when you enable TACACS+ on a router, the source IP addresses on the messages that it sends to the TACACS+ server will be the address of the router’s nearest interface. However, this is not always meaningful. If there are many different paths to the server, the router could wind up sending messages through different interfaces. On the server, then, these messages usually will look like they came from different routers, which can make it difficult to analyze the logs.
However, if you use a loopback address for the source, all messages from this router will look the same, regardless of which interface they were delivered through. In many networks, the DNS database only contains these loopback IP addresses, which helps make the logs more useful as well.
We strongly recommend using this command.