
Nexus 1000v & 1010 Truncate Tacacs+ Username

dgoodridge
Level 1

Hi,

Authentication and Accounting both function correctly, however Authorization fails with a code 0x10 denial (backed up by ACS accounting). Upon sniffing and decrypting the Authorization packet the Nexus sends, it is clear that all usernames are being truncated after 8 characters, and hence failing when it reaches ACS. Obviously in a multidomain Windows authentication world it's nearly impossible to have a username string shorter than 8 characters.

For example if I log in with a username of:

     ciscoengineer

the decrypted authorization packet will contain the tag of:

     user: ciscoeng

This is affecting both the 1000v and the 1010 appliance, both are on code version 4.2(1)SP1(2).

I cannot find any reference to a similar existing open bug, so I'm going to raise a TAC case, however I thought I'd check on here to see if anyone had experienced anything similar?

Many thanks,

Doug
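
The check described in the post above (de-obfuscate the authorization packet, read its user field, compare it with the login name), as an added example that is not part of the thread or Cisco's code. It follows the TACACS+ packet layout and MD5 pseudo-pad from RFC 8907; the function names are hypothetical, and the shared key, session id, port, address and sample packet are constructed.

```python
import hashlib
import struct

TAC_PLUS_AUTHOR = 0x02            # packet type: authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body is sent in the clear when set

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 pad: chained MD5(session_id, key, version, seq_no [, previous digest])."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def author_request_user(packet, key):
    """Return the user field of a TACACS+ authorization REQUEST packet."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    if ptype != TAC_PLUS_AUTHOR or seq_no % 2 == 0:   # client packets carry odd seq_no
        raise ValueError("not an authorization REQUEST")
    body = packet[12:12 + length]
    if len(body) != length or length < 8:
        raise ValueError("truncated packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        pad = pseudo_pad(session_id, key, version, seq_no, length)
        body = bytes(b ^ p for b, p in zip(body, pad))
    user_len, arg_cnt = body[4], body[7]
    start = 8 + arg_cnt               # 8 fixed bytes, then one length byte per argument
    if start + user_len > length:
        raise ValueError("bad user_len (wrong key?)")
    return body[start:start + user_len].decode("ascii", "replace")

def is_truncated(login_name, author_user):
    """True when the authorization user is a strict prefix of the login name."""
    return author_user != login_name and login_name.startswith(author_user)

def build_sample(user, key, session_id=0x1234ABCD):
    """Constructed sample: obfuscated authorization REQUEST with two arguments."""
    args = [b"service=shell", b"cmd="]
    port, rem = b"tty0", b"192.0.2.10"
    body = bytes([0x06, 0x01, 0x01, 0x01, len(user), len(port), len(rem), len(args)])
    body += bytes(len(a) for a in args) + user.encode() + port + rem + b"".join(args)
    pad = pseudo_pad(session_id, key, 0xC0, 1, len(body))
    header = struct.pack("!BBBBII", 0xC0, TAC_PLUS_AUTHOR, 1, 0, session_id, len(body))
    return header + bytes(b ^ p for b, p in zip(body, pad))

if __name__ == "__main__":
    seen = author_request_user(build_sample("ciscoeng", b"lab-key"), b"lab-key")
    print(seen, is_truncated("ciscoengineer", seen))
```

Running the comparison against the username from the matching authentication exchange shows whether the device, rather than the server, is shortening the name.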

5 Replies

Robert Burns
Cisco Employee

Doug,

This is a known bug CSCtn75755 "Username with more than 8 characters login but have limited CLI access"

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCtn75755

This is expected to be fixed in an upcoming patch release for 4.2(1)SV1(4)

I still suggest you log a TAC case so we can link the bug for tracking.

Regards,

Robert

Thanks for the info Robert. Do you happen to have any timescale info for the release?

Regards,

Doug

No tentative release date yet.  I'd guess within the next 3-5 months.

Regards,

Robert

Any update on this?

lwatta
Cisco Employee

According to our bug database it was fixed in the latest release which is 1.4a.

louis
