AAA Authentication on Nexus 9372PX with ACS 5.8

harshal.shahane
Level 1

Hello,

I am facing an issue with AAA authentication on a Nexus switch for AD users via ACS 5.8.

Following is the configuration on Nexus:

aaa group server tacacs+ ACS_GRP
    server 10.2.200.101
    use-vrf management
    source-interface mgmt0
aaa authentication login default group ACS_GRP
aaa accounting default group ACS_GRP
aaa authorization config-commands default group ACS_GRP

feature tacacs+

tacacs-server key 7 "XXXXX"
tacacs-server timeout 60
tacacs-server host 10.2.200.101 key 7 "XXXXX"
aaa group server tacacs+ ACS_GRP
    server 10.2.200.101
    use-vrf management
    source-interface mgmt0

Authentication is working fine for the local user created on the ACS server, but I am getting the following error when authenticating a user from the domain:

2016 Dec 22 13:47:39 L1SWT1WAN01 %DAEMON-3-SYSTEM_MSG: Unable to create temporary user AD USER. Error 0x404a0036 (0) - sshd[11121]
2016 Dec 22 13:47:39 L1SWT1WAN01 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user AD USER from 10.1.218.28 - sshd[11121]
2016 Dec 22 13:47:39 L1SWT1WAN01 %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user AD USER from 10.1.218.28 - sshd[11120]

Regards,

Harshal

1 Reply

Denis Chitov
Level 1

Hi Harshal,

TACACS+ works on this device with a username that doesn't contain spaces.

Based on research, there is an enhancement request open for this.
NX-OS does not allow special characters in usernames.

https://bst.cloudapps.cisco.com/bugsearch/bug/CSCui15096

I hope this helps you.
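As an added example (not code from this thread, Cisco or ACS), a small Python parser that picks the AAA failure lines quoted above out of NX-OS syslog, correlates them per host and username, and flags usernames NX-OS would reject, the space in "AD USER" being the case the reply identifies. The only rule the thread states is "no spaces"; the wider allowed-character set in ALLOWED_USERNAME and the 28-character limit are assumptions to check against your platform's documentation.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample: the three lines from the question, as pasted.
SAMPLE_LOG = """\
2016 Dec 22 13:47:39 L1SWT1WAN01 %DAEMON-3-SYSTEM_MSG: Unable to create temporary user AD USER. Error 0x404a0036 (0) - sshd[11121]
2016 Dec 22 13:47:39 L1SWT1WAN01 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user AD USER from 10.1.218.28 - sshd[11121]
2016 Dec 22 13:47:39 L1SWT1WAN01 %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user AD USER from 10.1.218.28 - sshd[11120]
"""

# Assumed username policy: the thread only states that spaces are rejected;
# the exact allowed set and length cap here are assumptions to tune.
ALLOWED_USERNAME = re.compile(r"^[A-Za-z0-9+=_\\.\-]{1,28}$")

# The two NX-OS messages that carry the failed username.
TEMP_USER_RE = re.compile(
    r"Unable to create temporary user (?P<user>.+?)\. Error (?P<code>0x[0-9a-fA-F]+)")
PAM_FAIL_RE = re.compile(
    r"pam_aaa:Authentication failed for user (?P<user>.+?) from (?P<src>\d+\.\d+\.\d+\.\d+)")


@dataclass
class AaaFailure:
    host: str
    user: str
    src: Optional[str]      # client address, from the pam_aaa line
    code: Optional[str]     # NX-OS error code, from the temporary-user line
    bad_username: bool      # True when the name violates ALLOWED_USERNAME


def check_username(name: str) -> bool:
    """True if the username fits the (assumed) NX-OS naming rules."""
    return ALLOWED_USERNAME.match(name) is not None


def parse_failures(log: str) -> list[AaaFailure]:
    """Merge the temporary-user error and the pam_aaa line per (host, user)."""
    failures: dict[tuple[str, str], AaaFailure] = {}
    for line in log.splitlines():
        parts = line.split(" ", 5)       # "YYYY Mon DD HH:MM:SS HOST rest"
        if len(parts) < 6:
            continue
        host, rest = parts[4], parts[5]
        for pattern in (TEMP_USER_RE, PAM_FAIL_RE):
            m = pattern.search(rest)
            if not m:
                continue
            user = m.group("user")
            f = failures.setdefault(
                (host, user), AaaFailure(host, user, None, None, not check_username(user)))
            if "code" in m.groupdict():
                f.code = m.group("code")
            else:
                f.src = m.group("src")
    return list(failures.values())
```

Run over real syslog, a result with bad_username set tells you the account needs a space-free (and special-character-free) username mapped on the ACS side before NX-OS will create the temporary user.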