AAA authentication problem

alkabeer80
Level 1

Hi,

I have a problem authenticating CiscoWorks 3.2 to a Cisco Nexus; I get this log:

"  %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user ciscow from x.x.x.x  - login[4857] "

I am using SNMP v2.

I have also noticed that Nexus does not accept symbols in the community string. Why?

thanks

9 Replies

Hello

Please send the output for " sh tacacs-server groups " from Nexus switch.

thanks

Devashree

Hi, this is the output of show tacacs-server groups:

S01# sh tacacs-server groups
total number of groups:1
following TACACS+ server groups are configured:
        group ACS:
                server x.x.x.x ( ACS Server) on port 49
                deadtime is 0
                vrf is default
                Source interface Vlan1

thanks

Hello

Try adding "use-vrf management" under "aaa group server" and test the authentication.

thanks

Devashree

Hi, I was checking the logs on the Nexus and I found:

2011 Apr 25 07:34:53 test %SYSLOG-3-SYSTEM_MSG: Syslog could not be send to server(172.16.1.1) : No such file or directory

What does it mean? In ACS I can see that it is not authenticating:

Date Time Message-Type User-Name Group-Name Caller-ID Network  Access Profile Name Authen-Failure-Code Author-Failure-Code Author-Data NAS-Port NAS-IP-Address Filter  Information PEAP/EAP-FAST-Clear-Name EAP  Type EAP  Type Name Reason Access  Device Network  Device Group
04/24/201110:27:29Authen failedciscowNetwork Group172.16.1.1(Default)CS password invalid....3002172.16.1.232..........testpool

but I am able to use my username and password which is configured on the ACS server (I am able to log in to the Nexus using my credentials from the ACS server).

Output of some show commands:

test# sh aaa accounting
         default: group ACS
test# sh aaa authentication
         default: group ACS
         console: group ACS
test# sh aaa authorization
         pki-ssh-cert: local
         pki-ssh-pubkey: local
AAA command authorization:
test# sh aaa groups
radius
ACS

show run

tacacs-server key 7 "xxxx"
tacacs-server host 172.16.1.230 key 7 "xxxx"
aaa group server tacacs+ ACS
    server 172.16.1.230
    source-interface Vlan1

aaa authentication login default group ACS
aaa authentication login console group ACS
aaa accounting default group ACS
tacacs-server directed-request

logging server 172.16.1.1
logging server 172.16.1.230

I hope this will help you to identify my issue.

thanks

Hello

Yes, that helps a lot. So, syslog logging is not working.

We have to set an SVI interface as the default vrf and use this vrf as the source interface for the syslog server. The sample config will be:

interface vlan x
  ip address x.x.x.x mask

*** vlan x needs to be trunked upstream to your L3 device

vrf context default
  ip route (destination networks or host of your syslog) (vlan x gateway)

log server a.b.c.d (log level) use-vrf default

Please try the above config and let me know if it helps.

Thanks

Devashree

P.S. - Please do rate the helpful post.
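The thread keeps coming back to VRF scoping: both the TACACS+ server group and the syslog servers need an explicit use-vrf so the switch sources that traffic from a VRF that can actually reach the server. As an added example (not part of this thread or any Cisco tool), this small Python checker scans an NX-OS running-config fragment for server groups and logging servers that lack use-vrf; the sample config is the one posted above, with the poster's placeholder key.

```python
import re

# Constructed sample: the running-config fragment posted earlier in this
# thread (key and addresses exactly as the poster showed them).
SAMPLE_CONFIG = """\
tacacs-server key 7 "xxxx"
tacacs-server host 172.16.1.230 key 7 "xxxx"
aaa group server tacacs+ ACS
    server 172.16.1.230
    source-interface Vlan1

aaa authentication login default group ACS
aaa authentication login console group ACS
aaa accounting default group ACS
tacacs-server directed-request
logging server 172.16.1.1
logging server 172.16.1.230
"""


def check_vrf_scoping(config):
    """Return findings for AAA server groups and syslog servers that have
    no explicit use-vrf, so their traffic may be sourced from a VRF that
    cannot reach the server (the failure mode discussed in this thread)."""
    findings = []
    lines = config.splitlines()
    i = 0
    while i < len(lines):
        line = lines[i]
        group = re.match(r"aaa group server (tacacs\+|radius) (\S+)", line)
        if group:
            # Collect the indented sub-commands that belong to this group.
            block = []
            i += 1
            while i < len(lines) and lines[i].startswith(" "):
                block.append(lines[i].strip())
                i += 1
            if not any(b.startswith("use-vrf") for b in block):
                findings.append(f"aaa group {group.group(2)}: no use-vrf configured")
            continue
        log = re.match(r"logging server (\S+)(.*)", line)
        if log and "use-vrf" not in log.group(2):
            findings.append(f"logging server {log.group(1)}: no use-vrf configured")
        i += 1
    return findings


if __name__ == "__main__":
    for finding in check_vrf_scoping(SAMPLE_CONFIG):
        print(finding)
```

Run against the posted config it reports the ACS group and both logging servers; once use-vrf is added to each, as Devashree suggests, the check comes back clean.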

Hi, I did this configuration; now I have a different error when I type show logging on the Nexus:

2011 Apr 26 06:36:05 test %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user ciscow from 172.16.1.1 - login[1063]

I tried some searching but I found different results.

Thanks for your help

Hello

What is the code running on the Nexus switch? What is the model number?

thanks

Devashree

It is a Cisco Nexus5020 Chassis ("40x10GE/Supervisor").

Hello

What is the software version on the Nexus?

thanks

Devashree