Compatible Nexus 5020 5.0.2.N2.1 with Tac_plus?

CSCO10991417
Level 1

Friends,

I have a problem with the Nexus switches: it is impossible to authenticate from tac_plus. At another company, I configured ACS to authenticate the Nexus switches and it was OK.

The configuration of my tac_plus is:

user = gian {
    login = cleartext prueba
    member = nexus
}

group = nexus {
    default service = permit
    service = shell {
        #double-quote-values = yes
        #shell:roles="\"network-admin\""
        cisco-av-pair*shell:roles="network-admin"
    }
}

The configuration of switch is:

tacacs-server host xx.xx.xx.xx key 7 "xxxxx"
aaa group server tacacs+ AAA_TACACS_SERVER
    server xx.xx.xx.xx
    source-interface mgmt0

aaa authentication login default group AAA_TACACS_SERVER
aaa authorization commands default group AAA_TACACS_SERVER local
aaa accounting default group AAA_TACACS_SERVER

Any ideas?

Thanks

1 Accepted Solution


Tarik Admani
VIP Alumni

Hi,

You are using roles so you don't need the authorization command config. Please remove that line and try again.

4 Replies

CSCO10991417
Level 1

Thanks, I will try it.

CSCO10991417
Level 1

Hi Tarik,

I removed this command but the problem persists:

tacacs-server host 10.254.195.41 key 7 "xxxxxxxxxx"
aaa group server tacacs+ AAA_TACACS_SERVER
aaa authentication login default group AAA_TACACS_SERVER
aaa accounting default group AAA_TACACS_SERVER

This is the debug:

2012 Sep 12 16:57:43.402792 aaa: aaa_req_process for authentication. session no 0
2012 Sep 12 16:57:43.403110 aaa: aaa_req_process: General AAA request from appln: login appln_subtype: default
2012 Sep 12 16:57:43.403415 aaa: try_next_aaa_method
2012 Sep 12 16:57:43.403732 aaa: total methods configured is 1, current index to be tried is 0
2012 Sep 12 16:57:43.404036 aaa: handle_req_using_method
2012 Sep 12 16:57:43.404335 aaa: AAA_METHOD_SERVER_GROUP
2012 Sep 12 16:57:43.404637 aaa: aaa_sg_method_handler group = AAA_TACACS_SERVER
2012 Sep 12 16:57:43.404939 aaa: Using sg_protocol which is passed to this function
2012 Sep 12 16:57:43.405243 aaa: Sending request to TACACS service
2012 Sep 12 16:57:43.405588 aaa: mts_send_msg_to_prot_daemon: Payload Length = 368
2012 Sep 12 16:57:43.405908 aaa: Configured method group Succeeded
2012 Sep 12 16:57:43.406273 tacacs: process_aaa_tplus_request:Checking for state of mgmt0 port with servergroup AAA_TACACS_SERVER
2012 Sep 12 16:57:43.407104 tacacs: process_aaa_tplus_request: Group AAA_TACACS_SERVER found. corresponding vrf is default
2012 Sep 12 16:57:43.407413 tacacs: process_aaa_tplus_request: checking for mgmt0 vrf:management against vrf:default of requested group
2012 Sep 12 16:57:43.407721 tacacs: state machine count 0
2012 Sep 12 16:57:43.408160 tacacs: is_intf_up_with_valid_ip(1213):Proper IOD is found.
2012 Sep 12 16:57:43.408502 tacacs: is_intf_up_with_valid_ip(1216):Port is up.
2012 Sep 12 16:57:43.409325 tacacs: num_inet_addrs: 1 first s_addr: 532872714 31.194.254.10 s6_addr : 0afe:c21f::
2012 Sep 12 16:57:43.409653 tacacs: non_blocking_connect(232):interface ip_type: IPV4
2012 Sep 12 16:57:43.411248 tacacs: non_blocking_connect(333): Proceeding with bind
2012 Sep 12 16:57:43.411759 tacacs: non_blocking_connect(352): setsockopt success error:22
2012 Sep 12 16:57:43.412710 tacacs: non_blocking_connect(466): connect() successfull
2012 Sep 12 16:57:43.425242 aaa: prot_daemon_reponse_handler
2012 Sep 12 16:57:43.425606 aaa: is_aaa_resp_status_success status = 2
2012 Sep 12 16:57:43.425909 aaa: is_aaa_resp_status_success is TRUE
2012 Sep 12 16:57:43.426219 aaa: aaa_send_client_response for authentication. session->flags=21. aaa_resp->flags=0.
2012 Sep 12 16:57:43.427257 aaa: AAA_REQ_FLAG_NORMAL
2012 Sep 12 16:57:43.427618 aaa: mts_send_response Successful
2012 Sep 12 16:57:43.427930 aaa: aaa_cleanup_session
2012 Sep 12 16:57:43.428230 aaa: mts_drop of request msg
2012 Sep 12 16:57:43.428533 aaa: aaa_req should be freed.

Regards.

Hi,

You do not have to enter the double quotes; try disabling that and see if it fixes your issue. Also, can you add the use-vrf command to your tacacs server group?

Thanks

Tarik Admani
*Please rate helpful posts*
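
Added example, not part of the thread and not Cisco tooling: a Python check for the condition the use-vrf suggestion addresses, run against the kind of config and debug output posted above. The function names are hypothetical and the sample inputs are constructed in the format of the posted text.

```python
import re

# Constructed samples, in the format of the switch config and debug output posted in the thread.
SAMPLE_CONFIG = """\
aaa group server tacacs+ AAA_TACACS_SERVER
    server xx.xx.xx.xx
    source-interface mgmt0
aaa authentication login default group AAA_TACACS_SERVER
"""
SAMPLE_DEBUG = """\
2012 Sep 12 16:57:43.407104 tacacs: process_aaa_tplus_request: Group AAA_TACACS_SERVER found. corresponding vrf is default
2012 Sep 12 16:57:43.407413 tacacs: process_aaa_tplus_request: checking for mgmt0 vrf:management against vrf:default of requested group
"""

GROUP_HDR = re.compile(r"^aaa group server tacacs\+ (\S+)")
VRF_CHECK = re.compile(r"checking for (\S+) vrf:(\S+) against vrf:(\S+) of requested group")


def groups_without_use_vrf(config_text):
    """Names of TACACS+ server groups that set source-interface mgmt0 but no use-vrf."""
    groups, current = {}, None
    for line in config_text.splitlines():
        header = GROUP_HDR.match(line)
        if header:
            current = header.group(1)
            groups[current] = []
        elif current and line[:1].isspace():
            groups[current].append(line.strip())   # indented line belongs to the group
        else:
            current = None                          # back at top level
    return [name for name, body in groups.items()
            if "source-interface mgmt0" in body
            and not any(entry.startswith("use-vrf") for entry in body)]


def vrf_mismatches(debug_text):
    """(interface, interface_vrf, group_vrf) for each debug comparison where the VRFs differ."""
    hits = []
    for line in debug_text.splitlines():
        check = VRF_CHECK.search(line)
        if check and check.group(2) != check.group(3):
            hits.append(check.groups())
    return hits


if __name__ == "__main__":
    print("groups missing use-vrf:", groups_without_use_vrf(SAMPLE_CONFIG))
    print("VRF mismatches in debug:", vrf_mismatches(SAMPLE_DEBUG))
```
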