Nexus Allows TACACS and Local Authentication Concurrently

efairbanks
Level 1

Community,

I am experiencing an issue where NX-OS on our 5010s is allowing both Local AND TACACS authentication concurrently. If I don't configure any aaa authorization commands, the locally logged in user has unmitigated access to the device. Once I enable aaa authorization, all commands issued by the locally logged in user are denied by ACS, but they can still log in to the device. When I comb through the logs on the ACS server, I see successful logins when TACACS credentials are used, and also the failed attempts when the locally configured credentials are used. On the switch, however, I receive "%TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond" when using locally configured credentials on the switch itself. We are running ACS v4.2.

See attachment for configuration information from the switch.

Thanks in advance for any assistance.

-Erik

6 Replies

Tarik Admani
VIP Alumni

I wanted to know what the reason for the failed attempts is in the ACS logs. If you can, set the logging to full, reproduce the issue, search for the username in the TCS.logs, and then download the support bundle. This will show you whether ACS is failing the user or whether ACS is returning error messages to the Nexus, thus failing over to local authentication.

Keep in mind that setting the logging to full and downloading the package.cab file will restart the services on the box.

Thanks,

Tarik

Tarik,

The folks in the lab were able to duplicate the problem.  Since we would rather provide Cisco logging info from the lab and not the production environment, they are going to open a TAC case on my behalf.

Once a solution is provided, I will update this forum post for the benefit of the community.

Thanks again for your help.

-Erik

Erik,

I am experiencing the same problem on my Nexus 5548 and 7010 switches.  Have you made any progress on your case with TAC?  I would be most interested to find out more.

Thanks,

John

Erik-

I encountered the same issue.  Any update from TAC on what the issue was?

-Nathan

Hello Erik.

I encountered the same issue. Any update from TAC?

Regards.

Andrea

Yes...sorry...I did get this working. If you configure the AAA authentication line with the tacacs option, but omit the "local" parameter, you will achieve your desired results: local authentication will work only if TACACS fails. Not sure if this is a bug or a code deficiency...
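The method-list change described in the reply above, written out as an added NX-OS configuration example. This is not the original poster's attached configuration (which is not reproduced on the page); the server group name ACS, the server addresses, the key and the management VRF are placeholders, and the authorization lines reflect the thread's statement that command authorization was enabled, not a specific configuration the thread shows.

```text
! Added example, not the poster's configuration. Group name, addresses, key and VRF are placeholders.
feature tacacs+
tacacs-server key 7 "<placeholder-key>"
tacacs-server host 192.0.2.10
tacacs-server host 192.0.2.11
aaa group server tacacs+ ACS
  server 192.0.2.10
  server 192.0.2.11
  use-vrf management
  source-interface mgmt0

! Method list in the situation the thread describes as the problem:
! TACACS+ with "local" listed as an additional method.
aaa authentication login default group ACS local

! Method list as in the reply that resolved it: TACACS+ only.
! Locally configured credentials are then accepted only when no TACACS+ server responds.
aaa authentication login default group ACS

! Command authorization against the same group (assumed form; the thread only says
! that aaa authorization was enabled).
aaa authorization commands default group ACS local
aaa authorization config-commands default group ACS local

! Checks: confirm the active method list and exercise the servers before relying on it.
show aaa authentication
show tacacs-server groups
test aaa group ACS <tacacs-user> <tacacs-password>
```

Before removing "local" from the method list on a production switch, verify from a console session with the TACACS+ servers unreachable that the locally configured credentials still work, since that fallback is what stands between you and a locked-out device.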
