Setting the IP Source Address for TACACS+ Messages

Setting the IP Source Address for TACACS+ Messages Problem You want the router to use a particular source IP address when sending TACACS+ logging messages. Solution The ip tacacs source-interface configuration command allows you to specify a particular source IP address for TACACS logging messages: Router1#configure terminal Enter configuration commands, one per line. End with CNTL/Z. Router1(config)#ip tacacs source-interface Loopback0 Router1(config)#end Router1# Note that implementing this command will not only affect AAA accounting; it will also affect AAA authentication and AAA authorization. Discussion Normally, when you enable TACACS+ on a router, the source IP addresses on the messages that it sends to the TACACS+ server will be the address of the router's nearest interface. However, this is not always meaningful. If there are many different paths to the server, the router could wind up sending messages through different interfaces. On the server, then, these messages usually will look like they came from different routers, which can make it difficult to analyze the logs. However, if you use a loopback address for the source, all messages from this router will look the same, regardless of which interface they were delivered through. In many networks, the DNS database only contains these loopback IP addresses, which helps make the logs more useful as well. We strongly recommend using this command. See Also