https://community.cisco.com/t5/network-access-control/aaa-authorization-not-working/m-p/1392613#M317484 <HTML><HEAD></HEAD><BODY><P>Hi Nusrat,</P><P></P><P>Did you found a solution for this problem?</P><P></P><P>We are having the same issue with the Nexus 5000 concerning Authorization.</P><P></P><P>Regards,</P><P></P><P>Jasper</P></BODY></HTML> Fri, 25 Jun 2010 10:05:43 GMT Jasper van Nederpelt 2010-06-25T10:05:43Z https://community.cisco.com/t5/network-access-control/aaa-authorization-not-working/m-p/1392611#M317472 <P>I have a very strange problem. I set up tacacs on two Nexus 5000 switches with exactly the same tacacs, aaa config (see below). N01 is working fine but N02 has problems in Authorization. I am able to authenticate into N02 but can use only a few commands, whereas N01 has the full set of commands available.</P><P></P><P><SPAN style="font-size: 10pt;"></SPAN></P><P>I see error messages in the log (see bottom).</P><P></P><P>ked1.dcacc.n02(config)# ?</P><P>end Go to exec mode</P><P>exit Exit from command interpreter</P><P>no Negate a command or set its defaults</P><P>username Configure user information.</P><P></P><P></P><P>ked1.dcacc.n02# sho run aaa</P><P>version 4.1(3)N2(1)</P><P>aaa authentication login default group tacacs local</P><P>aaa authorization config-commands default group tacacs local</P><P>aaa authorization commands default group tacacs local</P><P>aaa accounting default group tacacs local</P><P>aaa authentication login error-enable</P><P>ked1.dcacc.n02# sho run tacacs</P><P>version 4.1(3)N2(1)</P><P>feature tacacs+</P><P>tacacs-server host 167.54.254.113 key 7 .....</P><P>ip tacacs source-interface Vlan2</P><P>aaa group server tacacs+ tacacs</P><P>server 167.54.254.113</P><P>source-interface Vlan2</P><P></P><P>- Comparing CONFIG with ked1.dcacc.n01:</P><P>ked1.dcacc.n01# sho run tacacs</P><P>version 4.1(3)N2(1)</P><P>feature tacacs+</P><P>tacacs-server host 167.54.254.113 key 7 .....</P><P>ip tacacs source-interface Vlan2</P><P>aaa group server tacacs+ tacacs</P><P>server 167.54.254.113</P><P>source-interface Vlan2</P><P>ked1.dcacc.n01# sho run aaa</P><P>version 4.1(3)N2(1)</P><P>aaa authentication login default group tacacs local</P><P>aaa authorization config-commands default group tacacs local</P><P>aaa authorization commands default group tacacs local</P><P>aaa accounting default group tacacs local</P><P>aaa authentication login error-enable</P><P></P><P></P><P>ked1.dcacc.n02# sho log last 10</P><P>2010 Feb 12 13:55:13.697 ked1.dcacc.n02 %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond</P><P>2010 Feb 12 13:56:14.975 ked1.dcacc.n02 %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond</P><P>2010 Feb 12 13:56:14.975 ked1.dcacc.n02 %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by khwajan on 167.54.254.2@pt</P><P>s/0</P><P>2010 Feb 12 13:56:14.987 ked1.dcacc.n02 9836]: CLIC-6-EXIT_CONFIG: Configured from 0 by systest</P><P>2010 Feb 12 13:56:15.087 ked1.dcacc.n02 snmpd: snmpd: send_trap: Failure in sendto (No route to host)</P><P>2010 Feb 12 13:56:15.088 ked1.dcacc.n02 snmpd: snmpd: send_trap: Failure in sendto (No route to host)</P><P>2010 Feb 12 13:56:15.088 ked1.dcacc.n02 snmpd: NETWORK- UNREACHABLE</P><P>2010 Feb 12 14:01:22.771 ked1.dcacc.n02 %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond</P><P>2010 Feb 12 14:01:34 ked1.dcacc.n02 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from 172.19.1.</P><P>3 - login[9969]</P><P>2010 Feb 12 14:01:50.349 ked1.dcacc.n02 %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond</P><P></P><P></P><P></P><P>2. Both N01 and N02 have the following message logged frequently,</P><P></P><P>%TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond</P><P></P><P>3. Our tacacs server is V3.0</P> Sun, 10 Mar 2019 23:57:05 GMT https://community.cisco.com/t5/network-access-control/aaa-authorization-not-working/m-p/1392611#M317472 khwajanusrat 2019-03-10T23:57:05Z https://community.cisco.com/t5/network-access-control/aaa-authorization-not-working/m-p/1392612#M317476 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>As per the logs if request is going to TACAS server and TACAS server is failed to respond mean check the services of tacas services in tacas server are flaaping or check the connectivity of tacas server from switches they are reachable or not.</P><P></P><P>hope to help</P><P></P><P>Ganesh.H</P></BODY></HTML> Tue, 16 Feb 2010 08:20:03 GMT https://community.cisco.com/t5/network-access-control/aaa-authorization-not-working/m-p/1392612#M317476 Ganesh Hariharan 2010-02-16T08:20:03Z https://community.cisco.com/t5/network-access-control/aaa-authorization-not-working/m-p/1392613#M317484 <HTML><HEAD></HEAD><BODY><P>Hi Nusrat,</P><P></P><P>Did you found a solution for this problem?</P><P></P><P>We are having the same issue with the Nexus 5000 concerning Authorization.</P><P></P><P>Regards,</P><P></P><P>Jasper</P></BODY></HTML> Fri, 25 Jun 2010 10:05:43 GMT https://community.cisco.com/t5/network-access-control/aaa-authorization-not-working/m-p/1392613#M317484 Jasper van Nederpelt 2010-06-25T10:05:43Z https://community.cisco.com/t5/network-access-control/aaa-authorization-not-working/m-p/1392614#M317504 <HTML><HEAD></HEAD><BODY><P>no response so far.</P></BODY></HTML> Fri, 25 Jun 2010 13:29:41 GMT https://community.cisco.com/t5/network-access-control/aaa-authorization-not-working/m-p/1392614#M317504 khwajanusrat 2010-06-25T13:29:41Z