topic Re: AAA TACACS NEXUS doesn't work in Network Access Control

AAA TACACS NEXUS doesn't work

karimbruxelles — Mon, 11 Mar 2019 01:06:58 GMT

Hi,

I m trying to setup a Tacacs config onto my new NEXUS 5000 series

Nevertheless the authentication doesn't work

Actually I followed the config guide but something is not working or missing

I have setup everything through VMWARE with ACS installed on a Windows server

here is some of my config

My NEXUS Switch

IP 192.168.254.207

sh run | i aaa

aaa group server tacacs+ bporama

aaa authentication login default group bporama

aaa authentication login console local

sh run | i tacacs

feature tacacs

tacacs-server key 7 "XXXXX"

tacacs-server host 192.168.254.245 key 7 "XXXXX"

ping from Switch to the ACS

64 bytes from 192.168.254.245 icmp_seq=0 ttl=127 time=3.609

telnet 192.168.254.245 49

connected to 192.168.254.245.

Escape

Debug %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed

the user kar has been created on the ACS

so what't wrong?? something is missing??? can you please and advise

Regards,

Karim Brussels

Re: AAA TACACS NEXUS doesn't work

andamani — Fri, 27 May 2011 15:58:30 GMT

Hi,

Can you please confirm if the tacacs servers are in the tacacs group?

command " show tacacs-server groups " will help you.

please ensure that the configuration is similar as in the guide and also using the correct Vrf.

http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/sec_tacacsplus.html#wp1272988

Hope this helps.

Regards,

Anisha

P.S.: please mark this mail as answered if you feel your query is resolved. Do rate helpful posts.

Re: AAA TACACS NEXUS doesn't work

karimbruxelles — Mon, 30 May 2011 12:31:16 GMT

Hi Anisha,

thanks for this but it still doesn't work, we have a couple of IOS switch and all are working fine with Tacacs through ACS

however with Nexus it is another story....

My interface vlan XXX is the mgt interface so why shall I select "use-vrf management under aaa group server tacacs+ Name_of_Group???

I get always the same msg error authenticating to server status 7

also into the ACS the logs are telling me then my

any idea?

Karim

Re: AAA TACACS NEXUS doesn't work

andamani — Tue, 31 May 2011 00:24:04 GMT

Hi,

Nexus works on vrf's and roles. Hence i asked you to define the vrf. by default it is possible that the authentictaion request is exiting via a different vrf and hence not reaching the ACS server.

What do you see on the ACS server ?

Hope this helps.

Regards,

Anisha

P.S.:please mark this post as answered if you feel your query is resolved. Do rate helpful posts.

Re: AAA TACACS NEXUS doesn't work

Ben Alex — Thu, 02 Jun 2011 15:55:56 GMT

Karim:

Did you fix the issue. Please share as I am having the same problem.

Mine is very weird cos it has been working for 4 weeks and suddenly it stopped.

My ACS is pingagle and I am using gthe default vrf.

2011 Jun 2 11:27:10.592 nx5548-14 %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond

2011 Jun 2 11:27:31 nx5548-14 last message repeated 2 times

2011 Jun 2 11:27:31 nx5548-14 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user xxx

2011 Jun 2 11:28:13.975 nx5548-14 %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond

Re: AAA TACACS NEXUS doesn't work

karimbruxelles — Thu, 02 Jun 2011 16:07:27 GMT

Hi Ben,

Two actions did resolve my problem

first of all ip tacacs server was no set on the global config and for unknow reason I had to create a new user id on the ACS it did not work with the previous accounts

I m off but if you wait until Monday I can sent you the all of the config step by step

let me know

Karim

ps: try the test aaa xxxxx command it is very helpful

Re: AAA TACACS NEXUS doesn't work

Ben Alex — Thu, 02 Jun 2011 18:11:20 GMT

I reloaded one of my 4 nexuses without any modifications and it now works. I will not reload the other 3 until I fully understand what is going on.

I don't want this to happen in 4 weeks again since I will go in full production.

Sure I can wait till Monay.

Thanks

Re: AAA TACACS NEXUS doesn't work

karimbruxelles — Mon, 06 Jun 2011 13:27:53 GMT

Hi Ben,

here is my config

N12-BKP# sh run aaa all

!Command: show running-config aaa all

version 5.0(3)N1(1c)

aaa authentication login default group bporama

aaa authentication login console local

aaa authorization ssh-publickey default local

aaa authorization ssh-certificate default local

aaa authorization config-commands default local

aaa authorization commands default local

aaa accounting default group bporama

no aaa user default-role

aaa authentication login default fallback error local

aaa authentication login console fallback error local

no aaa authentication login error-enable

no aaa authentication login mschap enable

no aaa authentication login mschapv2 enable

no aaa authentication login chap enable

no aaa authentication login ascii-authentication

no radius-server directed-request

tacacs-server directed-request

N12-BKP# sh run tacacs+ all

!Command: show running-config tacacs+ all

!Time: Mon Jun 6 15:26:32 2011

version 5.0(3)N1(1c)

feature tacacs+

tacacs-server key 7 "elsgho"

ip tacacs source-interface Vlan777

tacacs-server test username test password test idle-time 0

tacacs-server timeout 5

tacacs-server deadtime 30

tacacs-server host 192.168.254.245 key 7 "XXXXXX" port 49 timeout 30

aaa group server tacacs+ bporama

server 192.168.254.245

use-vrf default

source-interface Vlan777

Re: AAA TACACS NEXUS doesn't work

Ben Alex — Mon, 06 Jun 2011 14:41:03 GMT

Thanks.

Guess what.

Ciscoworks LMS is actually the culprit.After reload AAA works back.

And as soon as LMS is trying to discover the nexus, the AAA fails.

LMS is version 3.2

Re: AAA TACACS NEXUS doesn't work

karimbruxelles — Mon, 06 Jun 2011 15:15:01 GMT

Today I had the same issue unable to logon to my nexus through Tacacs and indeed I have got the same LMS version 3.2!!!!

I will reload LMS tonight and check if I can acces my devices

Thanks for the info

Karim

Re: AAA TACACS NEXUS doesn't work

Ben Alex — Thu, 09 Jun 2011 15:51:16 GMT

Karim:

let me know how it goes. On our side the Nexus were reloaded to restore AAA.

We are not using LMS until this is fixed. We are trying to fix some paperwork before able to open a TAC Case.

It could be simply the LMS version.

Appreciate if you keep me in the loop. I will also update you.

Re: AAA TACACS NEXUS doesn't work

karimbruxelles — Fri, 10 Jun 2011 08:26:43 GMT

Hi Alex,

Sorry for the delay, finally I found my problem and a workaround

On my case sometimes I can't ping or telnet my TACACS (ACS), when I type the command

show ip arp vlan XXX (mgmt VLAN) I get some physical address and some other VRRP address.

all the VRRP addresses doesn't work and my TACACS server have got another address on another VLAN and the FW is NATING the TACACS address and therefore I get a VRRP address on my nexus for the tacacs...so I did add an arp mac entry into my mgmt interface VLAN and then it works. However that's not finished one other thing is even strange...I shut my VPC between the two NEXUS and I remove the static arp enty and then it works again even if my mgmt VLAN is not passing through the VPC and bearn in mind then my mgmt vlan is layer 2 excl.!!!!!! Do you follow me or? I will open a case with Cisco

I will keep you informed....

Take care

Karim Brussels

Re: AAA TACACS NEXUS doesn't work

Ben Alex — Fri, 10 Jun 2011 13:58:02 GMT

Karim:

Try to enable peer gateway under the vpc domain.

Re: AAA TACACS NEXUS doesn't work

Pekka Majuri — Thu, 08 Dec 2011 11:10:36 GMT

Hello we faced similar problem with onf Nexuses 5548P we have. In this environment we are using ACS appliance with 5.2. and it has been working for months now. Now this one 5548P does not send out TCP/49 Tacacs query to the ACS, althought it has not changed nor other chages done.

We took TCPdump, as well as from the 5548P debug aaa, and ffrom the dump we obtained, that the 5548 do not send out any packet (syn) to the tacacs+ server.

When there is no packets going out, the tacacs+ authentication fails, and only the locally configured admininstravite users can logon (the aaa is able to pick a next method: local correctly).

From the Log I got two messages:

2011 Dec 1 11:47:08.630 sw01 %TACACS-5-TACACS_SERVER_STATUS: TACACS+ server 10.11.22.33 with auth-port 49 and acct-port 49 status has changed from UNMONITORED STATE to DEAD STATE. Server was in previous-state for N/A, and total dead time of the server is N/A

2011 Dec 1 11:47:08.630 sw01 %TACACS-5-TACACS_MONITOR_STATUS: Tacacs+ server 10.11.22.33 with auth-port 49 and acct-port 49 is now being monitored for interval 60 minutes. The server is currently marked DEAD

these Nexuses are running version 5.0(3)N2(2a)

Is the any option to get this TACACS server to UP-AND-RUNNING state, without reload?

Rgds, Pekka

Re: AAA TACACS NEXUS doesn't work

karimbruxelles — Thu, 08 Dec 2011 13:04:46 GMT

Hi,

first of all sorry for the delay, my mgmt VLAN doesn't exist into the nexus switches nevertheless it is configured on the VRF mgmt for security issue and if your switches goes down you still have a access onto the devices

1) Connect your mgmt link/cable onto the physical interface mgmt 0 in the NEXUS

2) show running-config | i vrf

vrf context management

3) configure the inteface on the vrf mgmt

show running-config interface mgmt0

version 5.0(3)N1(1c)

interface mgmt0

ip address 192.168.254.207/24

4) ping an ip on the same MGMT vlan

ping 192.168.254.208 vrf management

PING 192.168.254.208 (192.168.254.208): 56 data bytes

64 bytes from 192.168.254.208: icmp_seq=0 ttl=254 time=0.711 ms

AAA TACACS NEXUS doesn't work

Pekka Majuri — Fri, 09 Dec 2011 09:54:50 GMT

No worry about the delay, these Nexus 5548P switches are in such a physical environment, that we could not do some of your task you suggested, unfortunately. Anyway they do not solve the question, is there any other methor to get it work.

I even removed the existing tacacs+ configuration from the box, then I re configured it (by using the configuration statemens used for these working ones), no help.

As earlier said in my post, that the Nexus 5548P stopped to send out any outbound tcp/49 tacacs+ session requests. (this were obtained from the tcpdump taken from firewall, which is def.gateway for Nexus management).

when trying to logon (with tacacs userid/pw) the following error message is resulted to gatekeeper (SSH) session establishment when entring the UID + strong password....

Remote AAA servers unreachable_local authentication failed.png

A 2-4

we do use mgmt vrf for VPC peer, not for the box management. the management interface is SVI, which has a firewall (not changed) as a Gateway, and all the other sessions, logging to the external security log servers, NTP, ssh, and things like incoming/outgoing ssh sessions are working well, but no any tacacs request is leaving the box.

The version we are running: version 5.0(3)N2(2a) (bootflash:/n5000-uk9.5.0.3.N2.2a.bin) since beging of November.

Satisfactions from the N 5548 boxes are somewhat the only good thing is the price of the 10G interface port, which is not a cheap, but more a less expensive the Catalyst 6500s have.

AAA TACACS NEXUS doesn't work

awatson20 — Wed, 14 Mar 2012 20:43:07 GMT

Pekka Majuri ,

I am experiencing the exact problem you describe on the Nexus 5548 with TACACS. Did you ever get this resolved?

Thanks.

AAA TACACS NEXUS doesn't work

karimbruxelles — Thu, 15 Mar 2012 09:01:16 GMT

1) Connect your mgmt link/cable onto the physical interface mgmt 0 in the NEXUS(

2) show running-config | i vrf

vrf context management

3) configure the inteface on the vrf mgmt

show running-config interface mgmt0

version 5.0(3)N1(1c)

interface mgmt0

ip address 192.X.X.X/24

4) ping an ip on the same MGMT vlan

ping 192.X.X.X

vrf management

PING 192.X.X.X

(192.X.X.X): 56 data bytes

64 bytes from 192.X.X.X: icmp_seq=0 ttl=254 time=0.711 ms

Command: show running-config aaa

!Time: Thu Mar 15 09:58:05 2012

version 5.1(3)N1(1)

logging level aaa 5

aaa authentication login default group bporama

aaa authentication login console local

aaa accounting default group bporama

no aaa user default-role

tacacs-server directed-request

N11-BKP# sh running-config tacacs+

!Command: show running-config tacacs+

!Time: Thu Mar 15 09:58:11 2012

version 5.1(3)N1(1)

feature tacacs+

logging level tacacs 5

tacacs-server key 7 "XXXX"

tacacs-server deadtime 30

tacacs-server host 192.X.X.X

aaa group server tacacs+ bporama

server 192.X.X.X

use-vrf management

source-interface mgmt0

N11-BKP#

AAA TACACS NEXUS doesn't work

Pekka Majuri — Thu, 15 Mar 2012 09:22:47 GMT

No, the problem with the tacacs query (which didn't leave a nexus switch) were not solved, however my circumvention were reload the switch (luckyly we have fully redundant environment, where this problem exists). Personally my opinion is that the aaa subsystem state machine looked to have a problem to call tcp socket functios, but I could not prove any details to point it out to be there. And it looks like that this problem occurs quite a seldom, probably the process tread is going to be locked somehow by the kernel process causing aaa to hang with tacacs queries.

Since we reloaded the switch in problems, this has not yet happened again (still same aaa configuration in it), so we have not obtained what ever material needed for TAC. But if the problem faced again, we will open a TAC case to address the problem...

Are you also running the 5.0(3)N2(2a) in your Nexus switch or do you already run newer one? I hope you could reload the switch you have problem, to circumvent pb.

Re: AAA TACACS NEXUS doesn't work

Tim Lane — Mon, 13 May 2013 23:11:42 GMT

Hello,

thought I'd add to this thread given that we also experienced the problem of the tacacs query not leaving the switch on a Nexus 7K (C7010, NXOS version 5.2(5)) and resolved it without requiring a reload.

Fortunately the 'admin' login does not require ACS authentication, so I could login remotely using this.

Remove all the aaa and tacacs config and disable the tacacs+ feature (no feature tacacs+).

Re-install tacacs+ and readd the tacacs and aaa config.

Problem solved and no outage required.