AAA TACACS NEXUS doesn't work

karimbruxelles
Level 1

Hi,

I'm trying to set up a TACACS config on my new NEXUS 5000 series.

Nevertheless, the authentication doesn't work.

Actually, I followed the config guide, but something is not working or missing.

I have set up everything through VMware with ACS installed on a Windows server.

Here is some of my config:

My NEXUS Switch

IP 192.168.254.207

sh run | i aaa

aaa group server tacacs+ bporama

aaa authentication login default group bporama

aaa authentication login console local

sh run | i tacacs

feature tacacs

tacacs-server key 7 "XXXXX"

tacacs-server host 192.168.254.245 key 7 "XXXXX"

ping from Switch to the ACS

64 bytes from 192.168.254.245 icmp_seq=0 ttl=127 time=3.609

telnet 192.168.254.245 49

connected to 192.168.254.245.

Escape

Debug %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed

The user kar has been created on the ACS.

So what's wrong?? Is something missing??? Can you please advise.

Regards,

Karim Brussels

30 Replies

No worry about the delay; these Nexus 5548P switches are in such a physical environment that we could not do some of the tasks you suggested, unfortunately. Anyway, they do not solve the question: is there any other method to get it to work?

I even removed the existing tacacs+ configuration from the box, then reconfigured it (using the configuration statements used for the working ones), no help.

As said earlier in my post, the Nexus 5548P stopped sending out any outbound tcp/49 tacacs+ session requests (this was obtained from the tcpdump taken on the firewall, which is the default gateway for Nexus management).

When trying to log on (with tacacs userid/pw), the following error message results in the gatekeeper (SSH) session establishment when entering the UID + strong password....

[Attached screenshot: "Remote AAA servers unreachable / local authentication failed"]

We do use the mgmt vrf for the vPC peer, not for the box management. The management interface is an SVI, which has a firewall (not changed) as its gateway, and all the other sessions, logging to the external security log servers, NTP, ssh, and things like incoming/outgoing ssh sessions are working well, but no tacacs request at all is leaving the box.

The version we are running: version 5.0(3)N2(2a) (bootflash:/n5000-uk9.5.0.3.N2.2a.bin) since the beginning of November.

Satisfaction with the N 5548 boxes is somewhat limited; the only good thing is the price of the 10G interface port, which is not cheap, but more or less less expensive than what the Catalyst 6500s have.
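The original post shows one AAA message ("pam_aaa:Authentication failed", i.e. the TACACS+ server answered and rejected the login) and this reply shows a different one ("Remote AAA servers unreachable", i.e. no server answered and the switch fell back to local authentication). The two need different responses: the first is a credential, key or policy problem on the ACS side; the second means central authentication and accounting are silently bypassed until the tcp/49 path is restored. The following is an added example, not code from the thread: a small classifier that separates the two message types in exported syslog and flags any switch that has logged the "unreachable" message more than a threshold number of times. The message fragments are the two quoted in the thread; the timestamp/hostname prefix, the hostname "N5K-A", the success-free sample window and the `threshold` parameter are constructed for the example.

```python
"""Added example (not from the thread): classify NX-OS AAA syslog lines so that
'server rejected the login' is not mistaken for 'server never answered', and flag
switches that have fallen back to local authentication."""
import re
from collections import Counter, defaultdict

# Message fragments are the two quoted in the thread; the timestamp/hostname
# prefix format is an assumption made for the example.
REJECTED = re.compile(r"pam_aaa:Authentication failed", re.I)
UNREACHABLE = re.compile(r"Remote AAA servers unreachable", re.I)
HOST = re.compile(r"^\S+ \S+ \S+ \S+ (\S+) %")   # 'YYYY Mon DD HH:MM:SS host %FACILITY-...'


def classify(line: str) -> str:
    """Map one syslog line to REJECTED, UNREACHABLE or OTHER."""
    if UNREACHABLE.search(line):
        return "UNREACHABLE"   # switch used local auth; central auth/accounting bypassed
    if REJECTED.search(line):
        return "REJECTED"      # TACACS+ answered and said no (bad creds, key or policy)
    return "OTHER"


def hostname(line: str) -> str:
    """Pull the device name out of the (assumed) syslog prefix."""
    m = HOST.match(line)
    return m.group(1) if m else "unknown"


def summarize(lines, threshold: int = 2):
    """Per-host counts, plus the hosts whose 'unreachable' count reached the threshold."""
    per_host = defaultdict(Counter)
    for line in lines:
        per_host[hostname(line)][classify(line)] += 1
    alerts = sorted(h for h, c in per_host.items() if c["UNREACHABLE"] >= threshold)
    return dict(per_host), alerts


# Constructed sample window: two rejects on one box, two fallbacks on another,
# and one unrelated config-change line that must be ignored.
SAMPLE_LOG = [
    "2012 Mar 15 09:58:05 N11-BKP %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed",
    "2012 Mar 15 09:59:12 N11-BKP %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed",
    "2012 Mar 15 10:01:40 N5K-A %AUTHPRIV-3-SYSTEM_MSG: Remote AAA servers unreachable; local authentication failed",
    "2012 Mar 15 10:02:03 N5K-A %AUTHPRIV-3-SYSTEM_MSG: Remote AAA servers unreachable; local authentication failed",
    "2012 Mar 15 10:02:30 N5K-A %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by admin on console0",
]

if __name__ == "__main__":
    counts, alerts = summarize(SAMPLE_LOG)
    for host, c in counts.items():
        print(host, dict(c))
    print("hosts authenticating locally:", alerts)
```

The point of splitting the two classes is operational: a burst of REJECTED lines is a user or ACS-side problem, while UNREACHABLE lines mean the device is accepting local credentials with no central record, which is exactly the state the screenshot above shows and the one worth alerting on.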

Pekka Majuri ,

I am experiencing the exact problem you describe on the Nexus 5548 with TACACS.  Did you ever get this resolved?

Thanks.

1) Connect your mgmt link/cable to the physical interface mgmt 0 on the NEXUS

2) show running-config | i vrf

vrf context management

3) configure the interface on the vrf mgmt

show running-config interface mgmt0

version 5.0(3)N1(1c)

interface mgmt0

  ip address 192.X.X.X/24

4) ping an ip on the same MGMT vlan

ping 192.X.X.X vrf management

PING 192.X.X.X (192.X.X.X): 56 data bytes

64 bytes from 192.X.X.X: icmp_seq=0 ttl=254 time=0.711 ms

Command: show running-config aaa

!Time: Thu Mar 15 09:58:05 2012

version 5.1(3)N1(1)

logging level aaa 5

aaa authentication login default group bporama

aaa authentication login console local

aaa accounting default group bporama

no aaa user default-role

tacacs-server directed-request

N11-BKP# sh running-config tacacs+

!Command: show running-config tacacs+

!Time: Thu Mar 15 09:58:11 2012

version 5.1(3)N1(1)

feature tacacs+

logging level tacacs 5

tacacs-server key 7 "XXXX"

tacacs-server deadtime 30

tacacs-server host 192.X.X.X

aaa group server tacacs+ bporama

    server 192.X.X.X

    use-vrf management

    source-interface mgmt0

N11-BKP#
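The difference between the original non-working config and the working one above is confined to the server group: the working group carries `use-vrf management` and `source-interface mgmt0`, so the TACACS+ query actually leaves through the management VRF where the ACS is reachable. The following is an added example, not code from the thread or from Cisco: a small linter that parses the lines these two `show running-config` excerpts contain and reports the gaps the thread turned up (group without `use-vrf`/`source-interface`, group server without a `tacacs-server host` line, host without any shared key, console login without a `local` method). The two embedded configs are constructed from the thread's excerpts; the indented `server` line in the original one is added because `show run | i aaa` hides indented group members. The severity labels and the `lint_text` helper are this example's own.

```python
"""Added example (not from the thread): lint an NX-OS AAA/TACACS+ excerpt for the
gaps this thread turned up."""
import re
from dataclasses import dataclass, field


@dataclass
class TacacsConfig:
    feature_enabled: bool = False
    global_key: bool = False
    hosts: dict = field(default_factory=dict)     # host address -> has a per-host key
    groups: dict = field(default_factory=dict)    # group name -> servers / vrf / source
    default_login: list = field(default_factory=list)   # methods after 'login default'
    console_login: list = field(default_factory=list)   # methods after 'login console'
    ascii_auth: bool = False


def parse_config(text: str) -> TacacsConfig:
    """Parse the subset of 'show running-config aaa|tacacs+' lines used in the thread."""
    cfg = TacacsConfig()
    group = None  # name of the 'aaa group server' block whose indented lines we are in
    for raw in text.splitlines():
        s = raw.strip()
        if not s or s.startswith("!"):
            continue
        if raw.startswith(" ") and group is not None:
            if m := re.match(r"server (\S+)$", s):
                cfg.groups[group]["servers"].append(m.group(1))
            elif m := re.match(r"use-vrf (\S+)$", s):
                cfg.groups[group]["vrf"] = m.group(1)
            elif m := re.match(r"source-interface (\S+)$", s):
                cfg.groups[group]["source"] = m.group(1)
            continue
        group = None  # any non-indented line closes the group block
        if re.fullmatch(r"feature tacacs\+?", s):
            cfg.feature_enabled = True
        elif m := re.match(r"tacacs-server host (\S+)(.*)$", s):
            cfg.hosts[m.group(1)] = bool(re.search(r"\bkey\b", m.group(2)))
        elif re.match(r"tacacs-server key\b", s):
            cfg.global_key = True
        elif m := re.match(r"aaa group server tacacs\+ (\S+)$", s):
            group = m.group(1)
            cfg.groups[group] = {"servers": [], "vrf": None, "source": None}
        elif m := re.match(r"aaa authentication login default (.+)$", s):
            cfg.default_login = m.group(1).split()
        elif m := re.match(r"aaa authentication login console (.+)$", s):
            cfg.console_login = m.group(1).split()
        elif s == "aaa authentication login ascii-authentication":
            cfg.ascii_auth = True
    return cfg


def lint(cfg: TacacsConfig) -> list:
    """Return findings as 'LEVEL: message' strings; an empty list means nothing flagged."""
    out = []
    if not cfg.feature_enabled:
        out.append("ERROR: 'feature tacacs+' is not enabled")
    name = None
    if "group" in cfg.default_login:
        idx = cfg.default_login.index("group")
        name = cfg.default_login[idx + 1] if idx + 1 < len(cfg.default_login) else None
    if name is None:
        out.append("WARN: 'aaa authentication login default' references no server group")
    elif name not in cfg.groups:
        out.append(f"ERROR: login default uses group '{name}', which is not defined")
    else:
        g = cfg.groups[name]
        if not g["servers"]:
            out.append(f"ERROR: group '{name}' has no 'server' entries")
        for srv in g["servers"]:
            if srv not in cfg.hosts:
                out.append(f"ERROR: group '{name}' server {srv} has no 'tacacs-server host' line")
            elif not (cfg.hosts[srv] or cfg.global_key):
                out.append(f"ERROR: no shared key for {srv} (neither per-host nor global)")
        if g["vrf"] is None:
            out.append(f"WARN: group '{name}' has no 'use-vrf'; queries use the default VRF, "
                       "so a server reachable only through the management VRF is never contacted")
        if g["source"] is None:
            out.append(f"INFO: group '{name}' has no 'source-interface'; the ACS must accept "
                       "whichever egress address the switch picks as the client")
    if "local" not in cfg.console_login:
        out.append("WARN: console login has no 'local' method; a TACACS+ outage could lock out the console")
    if cfg.ascii_auth:
        out.append("INFO: ascii-authentication is enabled (ASCII login exchange instead of PAP)")
    return out


def lint_text(text: str) -> list:
    return lint(parse_config(text))


# Constructed from the original post's excerpts; the 'server' line is added here
# because 'sh run | i aaa' hides indented group members.
ORIGINAL_CONFIG = """\
feature tacacs
tacacs-server key 7 "XXXXX"
tacacs-server host 192.168.254.245 key 7 "XXXXX"
aaa group server tacacs+ bporama
    server 192.168.254.245
aaa authentication login default group bporama
aaa authentication login console local
"""

# Constructed from the working 'show running-config aaa' / 'tacacs+' output above.
WORKING_CONFIG = """\
feature tacacs+
logging level tacacs 5
tacacs-server key 7 "XXXX"
tacacs-server deadtime 30
tacacs-server host 192.X.X.X
aaa group server tacacs+ bporama
    server 192.X.X.X
    use-vrf management
    source-interface mgmt0
aaa authentication login default group bporama
aaa authentication login console local
aaa accounting default group bporama
no aaa user default-role
tacacs-server directed-request
"""

if __name__ == "__main__":
    for label, text in (("original", ORIGINAL_CONFIG), ("working", WORKING_CONFIG)):
        print(f"== {label} ==")
        for finding in lint_text(text) or ["OK: nothing flagged"]:
            print(" ", finding)
```

Run against the two excerpts, the original config produces only the `use-vrf` warning and the `source-interface` note, and the working config produces nothing, which matches the thread's outcome. The console check is there because the same thread shows the "remote servers unreachable" state: keeping `login console local` is what lets an operator recover without a reload.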

No, the problem with the tacacs query (which didn't leave the Nexus switch) was not solved; however, my circumvention was to reload the switch (luckily we have a fully redundant environment where this problem exists). Personally, my opinion is that the aaa subsystem state machine looked to have a problem calling tcp socket functions, but I could not prove any details to point it out to be there. And it looks like this problem occurs quite seldom; probably the process thread gets locked somehow by the kernel process, causing aaa to hang with tacacs queries.

Since we reloaded the switch with the problems, this has not happened again (still the same aaa configuration in it), so we have not obtained whatever material is needed for TAC. But if the problem is faced again, we will open a TAC case to address the problem...

Are you also running 5.0(3)N2(2a) in your Nexus switch, or do you already run a newer one? I hope you could reload the switch you have the problem with, to circumvent the pb.

Hello,

Thought I'd add to this thread given that we also experienced the problem of the tacacs query not leaving the switch on a Nexus 7K (C7010, NX-OS version 5.2(5)) and resolved it without requiring a reload.

Fortunately the 'admin' login does not require ACS authentication, so I could login remotely using this.

Remove all the aaa and tacacs config and disable the tacacs+ feature (no feature tacacs+).

Re-install tacacs+ and re-add the tacacs and aaa config.

Problem solved and no outage required.

Hello,

Has any one of you tried to put the aaa authentication into

aaa authentication login ascii-authentication

We had the same problems with tacacs and no access to the server because it is supported by another department.

After changing the aaa authentication to ascii, the authentication works.

greetings

rob

Thanks Rob,

That worked a treat for me - saved me trying a reload.

Cheers

Chris

Thanks Chris for sharing. I'd encourage you to mark Rob's feedback as the correct answer, as it may help other community members in future with a similar problem.

Regards,

Jatin


aaa authentication login ascii-authentication

This did not work for me, is there a known bug and fix for this issue?

Can you share the following info:

show run | in aaa

show run | in tacacs

debug tacacs

debug aaa authen

~BR
Jatin Katyal

**Do rate helpful posts**


This has worked for a good amount of time; I already had to fix it once by removing the feature and then pasting it all in again, so I'm confident it's not the config. Version 6.1(2).

I'm going to open a TAC case for this, since the debug output from the Nexus 7k is long and contains a lot of public IP address information over and over in the debug.

thanks

So yes, what you did is kind of a workaround. Could you please tell me whether, when you run the test command with debugs, you see something like error code 7 and server unavailable?

I guess there is a defect on this issue and we use no feature tacacs+ to make it work, but I need to check whether this code is affected or not.

~BR
Jatin Katyal

**Do rate helpful posts**


Hi Jatin,

Yes it is that message. I don't know what the trigger was to cause it, but both Nexus on this site have the issue since checking today. I can login via local which is the fallback aaa authentication mode.

We have many other Nexus 7k in various DCs and large production sites but I am not aware of any others having this issue with tacacs currently.

Chris

Sorry for any delay. Are you still facing issues while logging in to the Nexus via TACACS?

~BR
Jatin Katyal

**Do rate helpful posts**


d0d0maz01
Level 1

Hello

This command helped me:

ip tacacs source-interface loopback0.

loopback0 is looking from vrf management.