05-27-2011 01:55 AM - edited 03-10-2019 06:06 PM
Hi,
I'm trying to set up a TACACS config on my new NEXUS 5000 series.
Nevertheless, the authentication doesn't work.
Actually I followed the config guide, but something is not working or missing.
I have set up everything through VMware with ACS installed on a Windows server.
Here is some of my config:
My NEXUS Switch
IP 192.168.254.207
sh run | i aaa
aaa group server tacacs+ bporama
aaa authentication login default group bporama
aaa authentication login console local
sh run | i tacacs
feature tacacs
tacacs-server key 7 "XXXXX"
tacacs-server host 192.168.254.245 key 7 "XXXXX"
Ping from the switch to the ACS:
64 bytes from 192.168.254.245 icmp_seq=0 ttl=127 time=3.609
telnet 192.168.254.245 49
connected to 192.168.254.245.
Escape
Debug %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed
The user kar has been created on the ACS.
So what's wrong? Is something missing? Can you please advise?
Regards,
Karim Brussels
05-27-2011 08:58 AM
Hi,
Can you please confirm whether the TACACS servers are in the TACACS group?
The command "show tacacs-server groups" will help you.
Please ensure that the configuration is similar to the one in the guide and that you are also using the correct VRF.
Hope this helps.
Regards,
Anisha
P.S.: Please mark this post as answered if you feel your query is resolved. Do rate helpful posts.
05-30-2011 05:31 AM
Hi Anisha,
Thanks for this, but it still doesn't work. We have a couple of IOS switches and all are working fine with TACACS through ACS;
however, with Nexus it is another story....
My interface vlan XXX is the mgmt interface, so why should I select "use-vrf management" under "aaa group server tacacs+ Name_of_Group"???
I always get the same error message: authenticating to server status 7.
Also in the ACS the logs are telling me that my
any idea?
Karim
05-30-2011 05:24 PM
Hi,
Nexus works on VRFs and roles. Hence I asked you to define the VRF. By default it is possible that the authentication request is exiting via a different VRF and hence not reaching the ACS server.
What do you see on the ACS server ?
Hope this helps.
Regards,
Anisha
P.S.: Please mark this post as answered if you feel your query is resolved. Do rate helpful posts.
06-02-2011 08:55 AM
Karim:
Did you fix the issue? Please share, as I am having the same problem.
Mine is very weird because it has been working for 4 weeks and suddenly it stopped.
My ACS is pingable and I am using the default VRF.
2011 Jun 2 11:27:10.592 nx5548-14 %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond
2011 Jun 2 11:27:31 nx5548-14 last message repeated 2 times
2011 Jun 2 11:27:31 nx5548-14 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user xxx
2011 Jun 2 11:28:13.975 nx5548-14 %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond
06-02-2011 09:07 AM
Hi Ben,
Two actions resolved my problem:
first of all, ip tacacs server was not set in the global config, and for an unknown reason I had to create a new user ID on the ACS; it did not work with the previous accounts.
I'm off, but if you wait until Monday I can send you all of the config step by step.
Let me know.
Karim
PS: try the test aaa xxxxx command, it is very helpful.
06-02-2011 11:11 AM
I reloaded one of my 4 nexuses without any modifications and it now works. I will not reload the other 3 until I fully understand what is going on.
I don't want this to happen in 4 weeks again since I will go in full production.
Sure, I can wait till Monday.
Thanks
06-06-2011 06:27 AM
Hi Ben,
Here is my config:
N12-BKP# sh run aaa all
!Command: show running-config aaa all
version 5.0(3)N1(1c)
aaa authentication login default group bporama
aaa authentication login console local
aaa authorization ssh-publickey default local
aaa authorization ssh-certificate default local
aaa authorization config-commands default local
aaa authorization commands default local
aaa accounting default group bporama
no aaa user default-role
aaa authentication login default fallback error local
aaa authentication login console fallback error local
no aaa authentication login error-enable
no aaa authentication login mschap enable
no aaa authentication login mschapv2 enable
no aaa authentication login chap enable
no aaa authentication login ascii-authentication
no radius-server directed-request
tacacs-server directed-request
N12-BKP# sh run tacacs+ all
!Command: show running-config tacacs+ all
!Time: Mon Jun 6 15:26:32 2011
version 5.0(3)N1(1c)
feature tacacs+
tacacs-server key 7 "elsgho"
ip tacacs source-interface Vlan777
tacacs-server test username test password test idle-time 0
tacacs-server timeout 5
tacacs-server deadtime 30
tacacs-server host 192.168.254.245 key 7 "XXXXXX" port 49 timeout 30
aaa group server tacacs+ bporama
server 192.168.254.245
use-vrf default
source-interface Vlan777
06-06-2011 07:41 AM
Thanks.
Guess what?
CiscoWorks LMS is actually the culprit. After a reload, AAA works again.
And as soon as LMS tries to discover the Nexus, the AAA fails.
LMS is version 3.2.
06-06-2011 08:15 AM
Today I had the same issue, unable to log on to my Nexus through TACACS, and indeed I have got the same LMS version 3.2!!!!
I will reload LMS tonight and check whether I can access my devices.
Thanks for the info.
Karim
06-09-2011 08:51 AM
Karim:
Let me know how it goes. On our side the Nexus were reloaded to restore AAA.
We are not using LMS until this is fixed. We are trying to sort out some paperwork before being able to open a TAC case.
It could simply be the LMS version.
I would appreciate it if you kept me in the loop. I will also update you.
06-10-2011 01:26 AM
Hi Alex,
Sorry for the delay; finally I found my problem and a workaround.
In my case, sometimes I can't ping or telnet my TACACS (ACS). When I type the command
show ip arp vlan XXX (mgmt VLAN) I get some physical addresses and some other VRRP addresses.
All the VRRP addresses don't work, and my TACACS server has got another address on another VLAN and the FW is NATing the TACACS address; therefore I get a VRRP address on my Nexus for the TACACS... So I added a static ARP entry into my mgmt interface VLAN, and then it works. However, that's not the end of it; one other thing is even stranger: I shut my vPC between the two Nexus and I remove the static ARP entry, and then it works again, even though my mgmt VLAN is not passing through the vPC, and bear in mind that my mgmt VLAN is layer 2 only!!!!!! Do you follow me? I will open a case with Cisco.
I will keep you informed....
Take care
Karim Brussels
06-10-2011 06:58 AM
Karim:
Try enabling peer-gateway under the vpc domain.
12-08-2011 03:10 AM
Hello, we faced a similar problem with one of the Nexus 5548Ps we have. In this environment we are using an ACS appliance with 5.2, and it has been working for months now. Now this one 5548P does not send out the TCP/49 TACACS query to the ACS, although it has not been changed, nor have other changes been made.
We took a tcpdump, as well as debug aaa from the 5548P, and from the dump we saw that the 5548 does not send out any packet (SYN) to the TACACS+ server.
When no packets are going out, the TACACS+ authentication fails, and only the locally configured administrative users can log on (AAA is able to pick the next method, local, correctly).
From the log I got two messages:
2011 Dec 1 11:47:08.630 sw01 %TACACS-5-TACACS_SERVER_STATUS: TACACS+ server 10.11.22.33 with auth-port 49 and acct-port 49 status has changed from UNMONITORED STATE to DEAD STATE. Server was in previous-state for N/A, and total dead time of the server is N/A
2011 Dec 1 11:47:08.630 sw01 %TACACS-5-TACACS_MONITOR_STATUS: Tacacs+ server 10.11.22.33 with auth-port 49 and acct-port 49 is now being monitored for interval 60 minutes. The server is currently marked DEAD
These Nexuses are running version 5.0(3)N2(2a).
Is there any option to get this TACACS server back to an UP-AND-RUNNING state without a reload?
Rgds, Pekka
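The two symptoms reported in this thread, "All servers failed to respond" and a server transitioning to DEAD STATE, both mean logins are silently relying on the configured fallback (local) while they persist. As an added example (not from any poster here), the parser below reads NX-OS syslog lines modelled on the ones quoted above, tracks TACACS+ server state per switch and returns the alerts a monitoring pipeline could raise; the final ALIVE recovery line in the sample input is a constructed assumption, not a message quoted on the page.

```python
import re
from collections import defaultdict

# Constructed sample input modelled on the NX-OS syslog lines quoted in this thread.
# The last line (DEAD -> ALIVE) is an assumed recovery message, not quoted on the page.
SAMPLE_LOG = """\
2011 Jun 2 11:27:10.592 nx5548-14 %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond
2011 Jun 2 11:27:31 nx5548-14 last message repeated 2 times
2011 Jun 2 11:27:31 nx5548-14 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user xxx
2011 Dec 1 11:47:08.630 sw01 %TACACS-5-TACACS_SERVER_STATUS: TACACS+ server 10.11.22.33 with auth-port 49 and acct-port 49 status has changed from UNMONITORED STATE to DEAD STATE. Server was in previous-state for N/A, and total dead time of the server is N/A
2011 Dec 1 11:47:08.630 sw01 %TACACS-5-TACACS_MONITOR_STATUS: Tacacs+ server 10.11.22.33 with auth-port 49 and acct-port 49 is now being monitored for interval 60 minutes. The server is currently marked DEAD
2011 Dec 1 12:50:00.100 sw01 %TACACS-5-TACACS_SERVER_STATUS: TACACS+ server 10.11.22.33 with auth-port 49 and acct-port 49 status has changed from DEAD STATE to ALIVE STATE. Server was in previous-state for 01:02:51, and total dead time of the server is 01:02:51
"""

# NX-OS syslog header: "<timestamp> <hostname> %FACILITY-SEVERITY-MNEMONIC: <text>"
HEADER = re.compile(r"^(?P<ts>\d{4} \w{3} +\d+ \d\d:\d\d:\d\d(?:\.\d+)?) (?P<host>\S+) "
                    r"%(?P<fac>[A-Z]+)-(?P<sev>\d)-(?P<mnem>[A-Z_]+): (?P<text>.*)$")
STATUS = re.compile(r"server (?P<server>\S+) with .* changed from (?P<old>\w+) STATE to (?P<new>\w+) STATE")
AUTHFAIL = re.compile(r"pam_aaa:Authentication failed for user (?P<user>\S+)")


def analyze(log_text):
    """Summarise TACACS+ reachability per switch and collect alert-worthy events."""
    state = defaultdict(lambda: {"dead_servers": set(), "all_failed": 0,
                                 "auth_failures": [], "alerts": []})
    for line in log_text.splitlines():
        m = HEADER.match(line)
        if not m:
            continue  # e.g. "last message repeated N times" carries no %MNEMONIC header
        host, mnem, text = m["host"], m["mnem"], m["text"]
        h = state[host]
        if mnem == "TACACS_ERROR_MESSAGE" and "All servers failed to respond" in text:
            h["all_failed"] += 1
            h["alerts"].append(f"{m['ts']}: no TACACS+ server answered; logins depend on the fallback method")
        elif mnem == "TACACS_SERVER_STATUS":
            s = STATUS.search(text)
            if s and s["new"] == "DEAD":
                h["dead_servers"].add(s["server"])
                h["alerts"].append(f"{m['ts']}: server {s['server']} marked DEAD (was {s['old']})")
            elif s and s["new"] == "ALIVE":
                h["dead_servers"].discard(s["server"])  # recovered without a reload
        elif mnem == "SYSTEM_MSG":
            a = AUTHFAIL.search(text)
            if a:
                h["auth_failures"].append(a["user"])
    return dict(state)


if __name__ == "__main__":
    for host, summary in analyze(SAMPLE_LOG).items():
        print(host, summary)
```

A server that is still in dead_servers at the end of the window is one that never came back, which is exactly the state the poster above is asking how to clear.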
12-08-2011 05:04 AM
Hi,
First of all, sorry for the delay. My mgmt VLAN doesn't exist in the Nexus switches; nevertheless, it is configured on the VRF mgmt for security reasons, and if your switches go down you still have access to the devices.
1) Connect your mgmt link/cable to the physical interface mgmt 0 on the NEXUS
2) show running-config | i vrf
vrf context management
3) Configure the interface on the VRF mgmt
show running-config interface mgmt0
version 5.0(3)N1(1c)
interface mgmt0
ip address 192.168.254.207/24
4) Ping an IP on the same MGMT VLAN
ping 192.168.254.208 vrf management
PING 192.168.254.208 (192.168.254.208): 56 data bytes
64 bytes from 192.168.254.208: icmp_seq=0 ttl=254 time=0.711 ms