topic Re: ANM 5.2 authentication failure in Application Networking

ANM 5.2 authentication failure

mello.thiago — Tue, 16 Apr 2013 12:29:45 GMT

Hi everyone,

I'm using the Cisco ANM 5.2 version and I'm trying to import the configurations from ACE modules of Cisco switches. The first step is to import the configuration from Cisco switch and the second one is to import the ACE module in the ANM software. I'm getting an authentication problem to import the configuration from Cisco switch and of course I cannot import the ACE as well. The switches and the ACE are using AAA authentication and I have created a specific username to authenticate and import the configurations in the ANM. If I remove the AAA configurations from the switches and ACE modules it works fine.

Has everyone some idea? Is there some problem with the AAA configurations in the switches or ACE module?

Thanks

ANM 5.2 authentication failure

Bilal Nawaz — Tue, 16 Apr 2013 13:02:58 GMT

Hello, Are you using tacacs+ ?

Please rate useful posts and remember to mark any solved questions as answered. Thank you.

Re: ANM 5.2 authentication failure

mello.thiago — Tue, 16 Apr 2013 16:39:23 GMT

Yes, I'm using tacacs+

Follow bellow the tacacs configuration from my switch:

aaa new-model

aaa authentication login default group tacacs+ enable

aaa authentication login no_tacacs enable

aaa authorization exec default group tacacs+ none

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ none

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 0 default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

aaa accounting network acct_methods start-stop group rad_acct

aaa session-id common

aaa new-model

aaa authentication login default group tacacs+ enable

aaa authentication login no_tacacs enable

aaa authorization exec default group tacacs+ none

aaa authorization commands 1 default group tacacs+ if-authenticated

aaa authorization commands 15 default group tacacs+ none

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 0 default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting network default start-stop group tacacs+

aaa accounting network acct_methods start-stop group rad_acct

aaa session-id common

Re: ANM 5.2 authentication failure

Bilal Nawaz — Tue, 16 Apr 2013 17:27:47 GMT

So I assume that ACS has been set up correctly to allow authentication? Can you confirm this please or show us the configurations made in ACS to allow aaa to work.

Sent from Cisco Technical Support iPhone App

ANM 5.2 authentication failure

mello.thiago — Wed, 17 Apr 2013 01:27:02 GMT

Yes, the ACS is configured correctly. The username and password that I set up there can authenticate with any device in my environment through telnet or ssh.

Re: ANM 5.2 authentication failure

Bilal Nawaz — Wed, 17 Apr 2013 08:23:28 GMT

Hello,

I would configure like this:

aaa new-model

aaa group server tacacs+ TACACS+

server x.x.x.x

aaa authentication login TACACS+ group tacacs+ group radius local

aaa authentication enable default group tacacs+ enable

aaa authorization exec default group tacacs+ local

aaa authorization commands 15 default group tacacs+ if-authenticated

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

tacacs-server host x.x.x.x

tacacs-server directed-request

tacacs-server key 7 XXXXXXXXXXXXX

Where the tacacs-server key is the AAA key specified in ACS

line vty 0 4

line vty 5 15

password 7 XXXXXXXXXXXXXX

This is only the 6500 configuration, The ACE is a bit different and more complex in ACS as the shell profile needs to be tweaked to get it working.

Lets just get tacacs working on the switch for now...

Please rate useful posts and remember to mark any solved questions as answered. Thank you.

Re: ANM 5.2 authentication failure

mello.thiago — Wed, 17 Apr 2013 12:40:19 GMT

I tried this configuration on the switch but it doesn't work.

I getting the same error in the ANM software as show above. The message is about a problem with authentication credentials. I have applied the configuration that you told me on the switch, the same username that I set up in the ACS and ANM works fine through telnet with this config.

Re: ANM 5.2 authentication failure

Bilal Nawaz — Fri, 19 Apr 2013 19:50:20 GMT

So I think I understand, TACACS+ is working for the 6500 and the ACE module, but its not working for the ANM...?

If so, this document might be able to help you:

http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/application_networking_manager/5.2/user/guide/UG_admin.html

Best regards

Please rate useful posts and remember to mark any solved questions as answered. Thank you.