AAA TACACS NEXUS doesn't work

karimbruxelles
Level 1

Hi,

I'm trying to set up a TACACS+ config on my new Nexus 5000 series.

Nevertheless, the authentication doesn't work.

Actually I followed the config guide, but something is not working or missing.

I have set up everything through VMware with ACS installed on a Windows server.

Here is some of my config.

My Nexus switch

IP 192.168.254.207

sh run | i aaa

aaa group server tacacs+ bporama

aaa authentication login default group bporama

aaa authentication login console local

sh run | i tacacs

feature tacacs

tacacs-server key 7 "XXXXX"

tacacs-server host 192.168.254.245 key 7 "XXXXX"

Ping from the switch to the ACS:

64 bytes from 192.168.254.245 icmp_seq=0 ttl=127 time=3.609

telnet 192.168.254.245 49

connected to 192.168.254.245.

Escape

Debug %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed

The user kar has been created on the ACS.

So what's wrong? Is something missing? Can you please advise?

Regards,

Karim Brussels
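The checks in the post above (ping, then a raw telnet to TCP/49) prove only that a TCP session can be opened; they say nothing about whether the shared key matches or whether ACS accepts the user. The script below is an added example, not part of the original post and not a Cisco tool: it builds and obfuscates a TACACS+ ASCII login exchange as specified in RFC 8907 (12-byte header, MD5 pseudo-pad, START / REPLY / CONTINUE bodies) so the same check can be run from a host in the management VLAN with the real shared secret. The reply status byte it decodes is the one NX-OS reports in its "status N" errors (7 is TAC_PLUS_AUTHEN_STATUS_ERROR). The server address, key and credentials are placeholders; `tacacs_login` needs a reachable server, while the packet builders and parser run offline.

```python
import hashlib
import os
import socket
import struct

VERSION = 0xC0                       # major 0xC, minor 0: used for ASCII logins
TYPE_AUTHEN = 0x01
AUTHEN_LOGIN, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x01, 0x01, 0x01
REPLY_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                5: "GETPASS", 6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}


def pseudo_pad(session_id: bytes, key: bytes, version: int, seq_no: int, n: int) -> bytes:
    """Keystream from RFC 8907 4.5: pad_1 = MD5(sid|key|ver|seq), pad_i = MD5(sid|key|ver|seq|pad_i-1)."""
    pad, prev = b"", b""
    while len(pad) < n:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:n]


def obfuscate(body: bytes, session_id: bytes, key: bytes, seq_no: int, version: int = VERSION) -> bytes:
    """XOR with the pseudo-pad; the same call de-obfuscates. A wrong key yields garbage, not an error."""
    return bytes(b ^ p for b, p in zip(body, pseudo_pad(session_id, key, version, seq_no, len(body))))


def header(seq_no: int, session_id: bytes, body_len: int, ptype: int = TYPE_AUTHEN, flags: int = 0) -> bytes:
    return struct.pack("!BBBB", VERSION, ptype, seq_no, flags) + session_id + struct.pack("!I", body_len)


def authen_start(user: bytes, port: bytes = b"tty0", rem_addr: bytes = b"", priv_lvl: int = 1) -> bytes:
    """Authentication START body for an ASCII login; the password goes in a later CONTINUE."""
    return struct.pack("!8B", AUTHEN_LOGIN, priv_lvl, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                       len(user), len(port), len(rem_addr), 0) + user + port + rem_addr


def authen_continue(user_msg: bytes) -> bytes:
    """Authentication CONTINUE body carrying the user's answer (here the password)."""
    return struct.pack("!HHB", len(user_msg), 0, 0) + user_msg


def parse_reply(body: bytes):
    """Return (status name, server_msg) from a de-obfuscated authentication REPLY body."""
    status, _flags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    return REPLY_STATUS.get(status, f"UNKNOWN({status})"), body[6:6 + msg_len].decode("utf-8", "replace")


def build_packet(seq_no: int, session_id: bytes, key: bytes, body: bytes) -> bytes:
    return header(seq_no, session_id, len(body)) + obfuscate(body, session_id, key, seq_no)


def _recv_exact(sock: socket.socket, n: int) -> bytes:
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf


def read_reply(sock: socket.socket, key: bytes):
    """Read one packet; de-obfuscate with the version/seq_no the server put in its header."""
    hdr = _recv_exact(sock, 12)
    version, _ptype, seq_no, flags = struct.unpack("!BBBB", hdr[:4])
    sid, length = hdr[4:8], struct.unpack("!I", hdr[8:12])[0]
    body = _recv_exact(sock, length)
    if not flags & 0x01:                 # TAC_PLUS_UNENCRYPTED_FLAG clear: body is obfuscated
        body = obfuscate(body, sid, key, seq_no, version)
    return seq_no, sid, body


def tacacs_login(host: str, key: bytes, user: bytes, password: bytes, port: int = 49, timeout: float = 5.0):
    """Live ASCII login against a TACACS+ server (placeholder host/key/creds); returns (status, server_msg)."""
    sid = os.urandom(4)
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_packet(1, sid, key, authen_start(user)))
        _seq, rsid, body = read_reply(s, key)
        if rsid != sid:
            raise ValueError("session_id mismatch in reply")
        status, msg = parse_reply(body)
        if status == "GETPASS":
            s.sendall(build_packet(3, sid, key, authen_continue(password)))
            status, msg = parse_reply(read_reply(s, key)[2])
        return status, msg


if __name__ == "__main__":
    # Placeholder values: the thread's ACS address, and a key/user that are assumptions.
    print(tacacs_login("192.168.254.245", b"sharedsecret", b"kar", b"password"))
```

Two caveats when using this. The `key 7 "..."` strings in the NX-OS configuration are Cisco type-7 encoded, not the secret itself; the script needs the cleartext key as entered on ACS. And the MD5 pseudo-pad is obfuscation rather than encryption, so a mismatched key produces an undecodable reply (status reads as UNKNOWN) rather than a clean error, and the exchange itself should only cross a trusted management network.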

30 Replies

andamani
Cisco Employee

Hi,

Can you please confirm if the tacacs servers are in the tacacs group?

The command "show tacacs-server groups" will help you.

Please ensure that the configuration is similar to the one in the guide and that you are also using the correct VRF.

http://www.cisco.com/en/US/docs/switches/datacenter/nexus5000/sw/configuration/guide/cli/sec_tacacsplus.html#wp1272988

Hope this helps.

Regards,

Anisha

P.S.: please mark this mail as answered if you feel your query is resolved. Do rate helpful posts.

Hi Anisha,

Thanks for this, but it still doesn't work. We have a couple of IOS switches and all are working fine with TACACS+ through ACS.

However, with Nexus it is another story....

My interface VLAN XXX is the management interface, so why should I select "use-vrf management" under "aaa group server tacacs+ Name_of_Group"?

I always get the same message: error authenticating to server, status 7.

Also, in the ACS the logs are telling me that my

any idea?

Karim

Hi,

Nexus works on VRFs and roles. Hence I asked you to define the VRF. By default it is possible that the authentication request is exiting via a different VRF and hence not reaching the ACS server.

What do you see on the ACS server ?

Hope this helps.

Regards,

Anisha

P.S.: please mark this post as answered if you feel your query is resolved. Do rate helpful posts.

Karim:

Did you fix the issue? Please share, as I am having the same problem.

Mine is very weird because it has been working for 4 weeks and suddenly it stopped.

My ACS is pingable and I am using the default VRF.

2011 Jun  2 11:27:10.592 nx5548-14 %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond

2011 Jun  2 11:27:31 nx5548-14 last message repeated 2 times

2011 Jun  2 11:27:31 nx5548-14 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user xxx

2011 Jun  2 11:28:13.975 nx5548-14 %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond

Hi Ben,

Two actions resolved my problem:

First of all, ip tacacs server was not set in the global config, and for an unknown reason I had to create a new user ID on the ACS; it did not work with the previous accounts.

I'm off, but if you wait until Monday I can send you all of the config step by step.

let me know

Karim

PS: try the "test aaa xxxxx" command, it is very helpful.

I reloaded one of my 4 nexuses without any modifications and it now works. I will not reload the other 3 until I fully understand what is going on.

I don't want this to happen in 4 weeks again since I will go in full production.

Sure, I can wait till Monday.

Thanks

Hi Ben,

here is my config

N12-BKP# sh run aaa all

!Command: show running-config aaa all

version 5.0(3)N1(1c)

aaa authentication login default group bporama

aaa authentication login console local

aaa authorization ssh-publickey default local

aaa authorization ssh-certificate default local

aaa authorization config-commands default local

aaa authorization commands default local

aaa accounting default group bporama

no aaa user default-role

aaa authentication login default fallback error local

aaa authentication login console fallback error local

no aaa authentication login error-enable

no aaa authentication login mschap enable

no aaa authentication login mschapv2 enable

no aaa authentication login chap enable

no aaa authentication login ascii-authentication

no radius-server directed-request

tacacs-server directed-request

N12-BKP# sh run tacacs+ all

!Command: show running-config tacacs+ all

!Time: Mon Jun  6 15:26:32 2011

version 5.0(3)N1(1c)

feature tacacs+

tacacs-server key 7 "elsgho"

ip tacacs source-interface Vlan777

tacacs-server test username test password test idle-time 0

tacacs-server timeout 5

tacacs-server deadtime 30

tacacs-server host 192.168.254.245 key 7 "XXXXXX" port 49 timeout 30

aaa group server tacacs+ bporama

    server 192.168.254.245

    use-vrf default

    source-interface Vlan777

Thanks.

Guess what.

CiscoWorks LMS is actually the culprit. After a reload, AAA works again.

And as soon as LMS tries to discover the Nexus, AAA fails.

LMS is version 3.2

Today I had the same issue: unable to log on to my Nexus through TACACS+, and indeed I have the same LMS version 3.2!

I will reload LMS tonight and check if I can access my devices.

Thanks for the info

Karim

Karim:

Let me know how it goes. On our side, the Nexuses were reloaded to restore AAA.

We are not using LMS until this is fixed. We are trying to fix some paperwork before being able to open a TAC case.

It could be simply the LMS version.

Appreciate if you keep me in the loop. I will also update you.

Hi Alex,

Sorry for the delay, finally I found my problem and a workaround

In my case, sometimes I can't ping or telnet to my TACACS+ server (ACS). When I type the command

show ip arp vlan XXX (management VLAN), I get some physical addresses and some other VRRP addresses.

All the VRRP addresses don't work. My TACACS+ server has another address on another VLAN and the firewall is NATing the TACACS+ address, and therefore I get a VRRP address on my Nexus for the TACACS+ server, so I added a static ARP/MAC entry on my management interface VLAN and then it works. However, that's not the end of it; one other thing is even stranger: I shut my vPC between the two Nexuses and removed the static ARP entry, and then it works again, even though my management VLAN is not passing through the vPC, and bear in mind that my management VLAN is Layer 2 exclusively! Do you follow me? I will open a case with Cisco.

I will keep you informed....

Take care

Karim Brussels

Karim:

Try enabling peer-gateway under the vPC domain.

Pekka Majuri
Level 1

Hello, we faced a similar problem with one of the Nexus 5548Ps we have. In this environment we are using an ACS appliance with 5.2, and it has been working for months now. Now this one 5548P does not send out the TCP/49 TACACS+ query to the ACS, although it has not changed, nor have other changes been made.

We took a tcpdump, as well as "debug aaa" from the 5548P, and from the dump we obtained we saw that the 5548 does not send out any packet (SYN) to the TACACS+ server.

When there are no packets going out, the TACACS+ authentication fails, and only the locally configured administrative users can log on (AAA is able to pick the next method, local, correctly).

From the Log I got two messages:

2011 Dec  1 11:47:08.630 sw01 %TACACS-5-TACACS_SERVER_STATUS: TACACS+ server 10.11.22.33 with auth-port 49 and acct-port 49 status has changed from UNMONITORED STATE to DEAD STATE. Server was in previous-state for N/A, and total dead time of the server is N/A


2011 Dec  1 11:47:08.630 sw01 %TACACS-5-TACACS_MONITOR_STATUS: Tacacs+ server 10.11.22.33 with auth-port 49 and acct-port 49 is now being monitored for interval 60 minutes. The server is currently marked DEAD

these Nexuses are running version 5.0(3)N2(2a)

Is there any option to get this TACACS+ server to an UP-AND-RUNNING state without a reload?

Rgds, Pekka
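The two log lines Pekka quotes are the ones worth alerting on. Once a TACACS+ server is marked DEAD, or the switch logs "All servers failed to respond", a Nexus configured with "aaa authentication login default fallback error local" (as in the configuration posted earlier in this thread) quietly accepts local accounts and sends no accounting to ACS, so the outage is invisible to anyone who only watches the ACS logs. The parser below is an added example, not from this thread or from Cisco: it reads NX-OS syslog lines in the formats quoted here, tracks per-server state, and raises alerts for group outages, DEAD transitions, and login failures that occur while the group is down. The sample lines are constructed from the thread's messages; the final "DEAD STATE to ALIVE STATE" recovery line and the sw01 login failure are assumed, and the regexes only cover the message variants seen in this thread.

```python
import re
from dataclasses import dataclass, field

# Constructed sample input modelled on the NX-OS syslog lines quoted in this thread.
# The sw01 login failure and the final recovery line are assumptions, not quoted from the thread.
SAMPLE_LOG = """\
2011 Jun  2 11:27:10.592 nx5548-14 %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond
2011 Jun  2 11:27:31 nx5548-14 last message repeated 2 times
2011 Jun  2 11:27:31 nx5548-14 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user xxx
2011 Dec  1 11:47:08.630 sw01 %TACACS-5-TACACS_SERVER_STATUS: TACACS+ server 10.11.22.33 with auth-port 49 and acct-port 49 status has changed from UNMONITORED STATE to DEAD STATE. Server was in previous-state for N/A, and total dead time of the server is N/A
2011 Dec  1 11:47:08.630 sw01 %TACACS-5-TACACS_MONITOR_STATUS: Tacacs+ server 10.11.22.33 with auth-port 49 and acct-port 49 is now being monitored for interval 60 minutes. The server is currently marked DEAD
2011 Dec  1 11:52:40.118 sw01 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin
2011 Dec  1 12:47:09.001 sw01 %TACACS-5-TACACS_SERVER_STATUS: TACACS+ server 10.11.22.33 with auth-port 49 and acct-port 49 status has changed from DEAD STATE to ALIVE STATE. Server was in previous-state for 01:00:00, and total dead time of the server is 01:00:00
"""

# "YYYY Mon  D HH:MM:SS[.ms] host %FACILITY-SEV-MNEMONIC: message"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4} [A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d(?:\.\d+)?) "
    r"(?P<host>\S+) %(?P<facility>[A-Z]+)-(?P<sev>\d)-(?P<mnemonic>[A-Z_]+): (?P<msg>.*)$"
)
STATUS_RE = re.compile(
    r"server (?P<server>\S+) with auth-port (?P<port>\d+) .*?"
    r"changed from (?P<old>[A-Z]+) STATE to (?P<new>[A-Z]+) STATE"
)
AUTH_FAIL_RE = re.compile(r"pam_aaa:Authentication failed for user (?P<user>\S+)")


@dataclass
class Analysis:
    states: dict = field(default_factory=dict)      # (host, server) -> last state, e.g. "DEAD"
    unreachable: set = field(default_factory=set)   # hosts that logged "All servers failed to respond"
    alerts: list = field(default_factory=list)      # (kind, host, timestamp, detail)


def group_down(a: Analysis, host: str) -> bool:
    """True when the host reported its whole group unreachable, or every server we know of is DEAD."""
    known = [st for (h, _srv), st in a.states.items() if h == host]
    return host in a.unreachable or (bool(known) and all(st == "DEAD" for st in known))


def analyze(log_text: str) -> Analysis:
    a = Analysis()
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw)
        if not m:
            continue  # "last message repeated N times" and other lines without a mnemonic
        ts, host, mnem, msg = m["ts"], m["host"], m["mnemonic"], m["msg"]
        if mnem == "TACACS_ERROR_MESSAGE" and "All servers failed to respond" in msg:
            a.unreachable.add(host)
            a.alerts.append(("AAA_GROUP_UNREACHABLE", host, ts, msg))
        elif mnem == "TACACS_SERVER_STATUS":
            s = STATUS_RE.search(msg)
            if not s:
                continue
            a.states[(host, s["server"])] = s["new"]
            if s["new"] == "DEAD":
                a.alerts.append(("TACACS_SERVER_DEAD", host, ts,
                                 f"{s['server']}:{s['port']} {s['old']}->DEAD"))
            else:
                a.unreachable.discard(host)  # at least one server answers again
        elif mnem == "SYSTEM_MSG":
            f = AUTH_FAIL_RE.search(msg)
            if f and group_down(a, host):
                # With "fallback error local" these attempts are being judged against local accounts.
                a.alerts.append(("LOGIN_FAILED_WHILE_AAA_DOWN", host, ts, f"user={f['user']}"))
    return a


if __name__ == "__main__":
    for kind, host, ts, detail in analyze(SAMPLE_LOG).alerts:
        print(f"{ts} {host} {kind}: {detail}")
```

Feed it the output of "show logging logfile" or a syslog collector's NX-OS stream. The same condition can be checked on the box itself with "show tacacs-server groups" and "test aaa group <group> <user> <password>", which is what Karim's earlier reply recommends.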

Hi,

First of all, sorry for the delay. My management VLAN doesn't exist in the Nexus switches; nevertheless it is configured on the management VRF for security reasons, and if your switches go down you still have access to the devices.

1) Connect your management link/cable to the physical interface mgmt0 on the Nexus

2) show running-config | i vrf

vrf context management

3) Configure the interface in the management VRF

show running-config interface mgmt0

version 5.0(3)N1(1c)

interface mgmt0

  ip address 192.168.254.207/24

4) Ping an IP on the same management VLAN

ping 192.168.254.208 vrf management

PING 192.168.254.208 (192.168.254.208): 56 data bytes

64 bytes from 192.168.254.208: icmp_seq=0 ttl=254 time=0.711 ms
