01-12-2011 03:05 AM - edited 03-10-2019 05:42 PM
Hi out there
I stumbled over another AAA problem with the Nexus 5000 series switches - we normally run AAA against an ACS 4.1 where we, for normal users, make use of RSA tokens - but for the special service accounts, e.g. for RME, we have some users with static passwords - and these are not allowed to log in to the Nexus - has someone seen a similar problem? We are still on Nexus:
System version: 4.2(1)N2(1)
When I try to authenticate the user I get these notes from the AAA module on the Nexus:
2011 Jan 12 12:52:37.688506 aaa: session: 0x80a596c added to the session table 1
2011 Jan 12 12:52:37.688850 tacacs: process_aaa_tplus_request:Checking for state of mgmt0 port with servergroup ASP_Tacacs
2011 Jan 12 12:52:37.689154 tacacs: process_aaa_tplus_request: Group ASP_Tacacs found. corresponding vrf is management
2011 Jan 12 12:52:37.689435 tacacs: process_aaa_tplus_request: checking for mgmt0 vrf:management against vrf:management of requested group
2011 Jan 12 12:52:37.689711 tacacs: process_aaa_tplus_request:port_check will be done
2011 Jan 12 12:52:37.689991 tacacs: state machine count 0
2011 Jan 12 12:52:37.690492 tacacs: init_tplus_req_state_machine:No source-interface configured for this group
2011 Jan 12 12:52:37.692864 tacacs: init_tplus_req_state_machine:Falling to globally configured one
2011 Jan 12 12:52:37.693144 tacacs: Entering function: get_if_index_from_global_conf
2011 Jan 12 12:52:37.693439 tacacs: Function get_if_index_from_global_conf: found interface
2011 Jan 12 12:52:37.693719 tacacs: Exiting function: get_if_index_from_global_conf
2011 Jan 12 12:52:37.694001 tacacs: init_tplus_req_state_machine: Info: Global source-intf not configured/up with valid ip
2011 Jan 12 12:52:37.702977 tacacs: non_blocking_connect(421):Not using src-intf and bind() since ifindex=0
2011 Jan 12 12:52:37.703729 tacacs: non_blocking_connect(466): connect() successfull
2011 Jan 12 12:52:37.715948 aaa: aaa_process_fd_set
2011 Jan 12 12:52:37.716584 aaa: aaa_process_fd_set: mtscallback on aaa_q
2011 Jan 12 12:52:37.716885 aaa: mts_message_response_handler: an mts response
2011 Jan 12 12:52:37.717165 aaa: session: 0x80a596c removed from the session table 0
2011 Jan 12 12:52:37.718000 aaa: aaa_process_fd_set
2011 Jan 12 12:52:37.718305 aaa: aaa_process_fd_set: mtscallback on aaa_q
2011 Jan 12 12:52:37.718676 aaa: session: 0x80a596c added to the session table 1
2011 Jan 12 12:52:37.719018 tacacs: process_aaa_tplus_request:Checking for state of mgmt0 port with servergroup
2011 Jan 12 12:52:37.719325 tacacs: process_aaa_tplus_request: checking for mgmt0 vrf:management against vrf: of requested group
2011 Jan 12 12:52:37.719657 tacacs: process_aaa_tplus_request: aaa context len 294
2011 Jan 12 12:52:37.719938 tacacs: state machine count 0
2011 Jan 12 12:52:37.720420 tacacs: init_tplus_req_state_machine(1405):tplus_context don't know about src-intf
2011 Jan 12 12:52:37.720721 tacacs: init_tplus_req_state_machine(1407):asking to aaa regarding group info.
2011 Jan 12 12:52:37.721013 tacacs: init_tplus_req_state_machine(1476):No interface/ip configured for group ASP_Tacacs
2011 Jan 12 12:52:37.721294 tacacs: init_tplus_req_state_machine(1477):Falling for global
2011 Jan 12 12:52:37.721572 tacacs: Entering function: get_if_index_from_global_conf
2011 Jan 12 12:52:37.721862 tacacs: Function get_if_index_from_global_conf: found interface
2011 Jan 12 12:52:37.722147 tacacs: Exiting function: get_if_index_from_global_conf
2011 Jan 12 12:52:37.722425 tacacs: init_tplus_req_state_machine(1489):Global source-interface not configured/ or intf isn't up
2011 Jan 12 12:52:37.722703 tacacs: init_tplus_req_state_machine(1491):Random source-ip will be chosen
2011 Jan 12 12:52:37.722999 tacacs: debug_av_list(600):Printing list
2011 Jan 12 12:52:37.723281 tacacs: debug_av_list(610):Done printing list, exiting function
2011 Jan 12 12:52:37.802654 tacacs: non_blocking_connect(421):Not using src-intf and bind() since ifindex=0
2011 Jan 12 12:52:37.818133 tacacs: non_blocking_connect(466): connect() successfull
2011 Jan 12 12:52:37.826450 tacacs: tplus_decode_authen_response: copying hostname into context 172.21.246.20
2011 Jan 12 12:52:37.826898 aaa: aaa_process_fd_set
2011 Jan 12 12:52:37.827475 aaa: aaa_process_fd_set: mtscallback on aaa_q
2011 Jan 12 12:52:37.827788 aaa: mts_message_response_handler: an mts response
2011 Jan 12 12:52:37.828068 aaa: session: 0x80a596c removed from the session table 0
2011 Jan 12 12:52:37.922645 aaa: aaa_process_fd_set
2011 Jan 12 12:52:37.922945 aaa: aaa_process_fd_set: mtscallback on aaa_q
2011 Jan 12 12:52:37 SAN5010-01 %DAEMON-3-SYSTEM_MSG: Unable to create temporary user RME_User!. Error 0x404a0041 - sshd[8943]
2011 Jan 12 12:52:37.928217 aaa: aaa_process_fd_set
2011 Jan 12 12:52:37.928568 aaa: aaa_process_fd_set: mtscallback on aaa_q
2011 Jan 12 12:52:37 SAN5010-01 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user RME_User! from 172.21.246.102 - sshd[8943]
2011 Jan 12 12:52:38 SAN5010-01 %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user RME_User! from 172.21.246.102 - sshd[8939]
Just to clarify - our logins with tokens work without problems - any ideas?
best regards /ti
01-19-2011 08:49 AM
What does ACS show for the rejected attempts?
01-20-2011 01:49 AM
Hi Javier
It tells me that it is "user access filtered" - e.g.: configure NAR correctly - but - hmm - we don't make use of NAR as far as I can see. There must be some little config difference there somewhere but I cannot spot it. A "clean" Cisco Cat 2950 which I just added in the same way as the Nexus didn't produce any auth failures, so I did suspect that the Nexus sends some options which caused the failure...
best regards /ti
01-20-2011 03:51 AM
hi again
I tried another user which didn't have exclamation marks in it - nor any special chars in the password - this user can log in without any problems - so well - hmm - either a problem with the user or password which isn't accepted correctly here
best regards /ti
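The thread ends with the observation that the account whose name contains "!" is refused by the switch ("Unable to create temporary user RME_User!") while a plainly named account logs in fine. The script below is an added example, not code from the thread's author or from Cisco: it parses Nexus AAA syslog lines of the three shapes quoted above and, for each failing user, separates "the switch rejected the username itself" from an ordinary bad-credential or policy failure. The sample log lines are constructed to mirror the thread's messages, and the "safe username" character set is an assumption used for triage, not a documented NX-OS rule.

```python
"""Triage Nexus AAA syslog lines for login failures caused by the username.

Added example (not from the forum thread's author or from Cisco). The sample
lines are constructed to match the message formats quoted in the thread; the
SAFE_USERNAME set is an assumption used to flag names worth a second look.
"""
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Message formats as they appear in the thread (hostname and pid vary).
RE_TMPUSER = re.compile(
    r"%DAEMON-3-SYSTEM_MSG: Unable to create temporary user (?P<user>.+?)\. "
    r"Error (?P<code>0x[0-9a-fA-F]+)"
)
RE_AUTHFAIL = re.compile(
    r"%AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user "
    r"(?P<user>\S+) from (?P<src>\S+)"
)
RE_ILLEGAL = re.compile(
    r"Authentication failure for illegal user (?P<user>\S+) from (?P<src>\S+)"
)

# Assumption: a conservative account-name charset. The thread shows a name with
# "!" failing and a plain name succeeding, so anything outside this set is
# flagged as "username_rejected" even before a tmpuser error is seen.
SAFE_USERNAME = re.compile(r"^[A-Za-z0-9_.-]+$")


@dataclass
class Finding:
    user: str
    source: Optional[str]
    verdict: str                      # "username_rejected" | "credential_or_policy"
    evidence: List[str] = field(default_factory=list)


def parse_events(lines):
    """Map user -> list of (kind, src_ip, detail) for the lines we recognise.

    Debug chatter such as 'aaa: aaa_process_fd_set' matches nothing and is skipped.
    """
    events = {}
    for line in lines:
        m = RE_TMPUSER.search(line)
        if m:
            events.setdefault(m["user"], []).append(("tmpuser_error", None, m["code"]))
            continue
        m = RE_AUTHFAIL.search(line)
        if m:
            events.setdefault(m["user"], []).append(("auth_failed", m["src"], line))
            continue
        m = RE_ILLEGAL.search(line)
        if m:
            events.setdefault(m["user"], []).append(("illegal_user", m["src"], line))
    return events


def triage(lines):
    """One Finding per failing user.

    A user is 'username_rejected' when the switch logged that it could not create
    the temporary local account, or when the name falls outside SAFE_USERNAME;
    otherwise the failure is left as 'credential_or_policy' (wrong password, NAR,
    group mapping, ...), which is the case to chase on the ACS side.
    """
    findings = []
    for user, evs in parse_events(lines).items():
        kinds = sorted({k for k, _, _ in evs})
        src = next((s for _, s, _ in evs if s), None)
        if "tmpuser_error" in kinds or not SAFE_USERNAME.match(user):
            verdict = "username_rejected"
        else:
            verdict = "credential_or_policy"
        findings.append(Finding(user, src, verdict, kinds))
    return findings


# Constructed sample: the three error lines from the thread plus a comparison
# user ("backupops", constructed) that fails without a tmpuser error.
SAMPLE_LOG = [
    "2011 Jan 12 12:52:37.922945 aaa: aaa_process_fd_set: mtscallback on aaa_q",
    "2011 Jan 12 12:52:37 SAN5010-01 %DAEMON-3-SYSTEM_MSG: Unable to create temporary user RME_User!. Error 0x404a0041 - sshd[8943]",
    "2011 Jan 12 12:52:37 SAN5010-01 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user RME_User! from 172.21.246.102 - sshd[8943]",
    "2011 Jan 12 12:52:38 SAN5010-01 %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user RME_User! from 172.21.246.102 - sshd[8939]",
    "2011 Jan 12 13:01:02 SAN5010-01 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user backupops from 172.21.246.50 - sshd[9102]",
]

if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        print(f"{f.user:12} from {f.source or '-':16} -> {f.verdict} {f.evidence}")
```

Run against the constructed sample, `RME_User!` is reported as `username_rejected` (tmpuser error present and "!" outside the assumed charset) while `backupops` is left as `credential_or_policy`; the second bucket is the one to cross-check against the ACS "user access filtered" report mentioned earlier in the thread.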