11-17-2013 10:57 PM - edited 03-10-2019 09:06 PM
Hello all, I have been looking for the proper configuration to access the MDS 9124 Fibre Channel switches from the CSACS 1121 using 5.4.
I find bits and pieces but I'm probably configuring the groups incorrectly.
On the switch side I have this:
FiberA(config)# sho run | include aaa
aaa group server tacacs+ sasTac+
aaa group server tacacs+ yokTac+
aaa group server radius radius
aaa authentication login default group sasTac+
aaa accounting default group sasTac+
tacacs-server key 7 "09754F021046461S020731"
tacacs-server host 10.7.4.22 key 7 "fewhg"
tacacs-server host 10.207.5.21 key 7 "fewhg"
tacacs-server host 10.207.5.22 key 7 "fewhg"
tacacs-server host 10.7.4.23 key 7 "09754F021046461C020731"
tacacs-server host 10.7.4.24 key 7 "09754F021046461C020731"
aaa group server tacacs+ sasTac+
    server 10.207.5.21
    server 10.207.5.22
aaa group server tacacs+ yokTac+
    server 10.7.4.22
aaa group server radius radius
On the ACS side I have cisco-av-pair=shell:roles="network admin" for the command set.
The groups in the switch are leftovers from the previous configuration; however, I can't find the setting anywhere in the old ACS version 3.3.
On Jatin Katyal's post I found the links to explain setting up the devices but the links are dead.
11-19-2013 06:50 PM
ej
I am glad that you got it running. Thank you for posting back to the forum and letting us know that you fixed it and what you did to fix it. This information could be helpful to some other reader in the forum who will be working with these switches at some time. It is this kind of information sharing that makes the forum so helpful and valuable.
HTH
Rick
11-18-2013 05:48 AM
I am not familiar with the MDS 9124 and assume that they implement AAA in ways that are similar to other Cisco devices and offer these comments based on that assumption.
You define 2 TACACS server groups but make use of only 1 in what is posted. Perhaps you could post the output of
show run | include yokTac
This would help us see whether it is used in some way.
Also your configuration has 5 servers configured but only 2 of them are in the group that is being used. Perhaps you could post the output of
show run | include tacacs
This would help us see whether other servers are used in some way.
Can you tell us whether the ACS servers at 10.207.5.21 and .22 have been configured to recognize the 9124 as a client?
Is there IP connectivity between the 9124 and the ACS servers? (Can the switch ping both servers, and can each server ping the switch? That is a good place to start.)
HTH
Rick
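The check Rick is doing by eye above (which groups the AAA method lists actually reference, and which configured servers are therefore never reached) can be automated against `show running-config` text. This is an added example, not code from the thread or from Cisco; the sample config is constructed from the switch output quoted in the thread with placeholder key strings, and the regexes assume the NX-OS `aaa group server` / `tacacs-server host` syntax shown there.

```python
import re

# Constructed sample modelled on the switch config quoted in the thread
# (the thread's IPs and group names; the key strings are placeholders).
SAMPLE_RUN = """\
feature tacacs+
tacacs-server host 10.7.4.22 key 7 "KEY-PLACEHOLDER"
tacacs-server host 10.207.5.21 key 7 "KEY-PLACEHOLDER"
tacacs-server host 10.207.5.22 key 7 "KEY-PLACEHOLDER"
tacacs-server host 10.7.4.23 key 7 "KEY-PLACEHOLDER"
tacacs-server host 10.7.4.24 key 7 "KEY-PLACEHOLDER"
aaa group server tacacs+ sasTac+
    server 10.207.5.21
    server 10.207.5.22
aaa group server tacacs+ yokTac+
    server 10.7.4.22
aaa group server radius radius
aaa authentication login default group sasTac+
aaa accounting default group sasTac+
"""

HOST_RE = re.compile(r"^tacacs-server host (\S+)")
GROUP_RE = re.compile(r"^aaa group server (?:tacacs\+|radius) (\S+)")
MEMBER_RE = re.compile(r"^\s*server (\S+)")   # tolerates a paste that lost indentation
USE_RE = re.compile(r"^aaa (?:authentication login|accounting|authorization \S+) "
                    r"(?:default|console) group (\S+)")

def audit_aaa(running_config):
    """Report referenced vs. stale groups, hosts no used group reaches, and members with no host entry."""
    hosts, groups, used, current = [], {}, set(), None
    for line in running_config.splitlines():
        if m := HOST_RE.match(line):
            hosts.append(m.group(1))
            current = None
        elif m := GROUP_RE.match(line):
            current = m.group(1)
            groups.setdefault(current, [])
        elif current and (m := MEMBER_RE.match(line)):
            groups[current].append(m.group(1))
        elif m := USE_RE.match(line):
            used.add(m.group(1))
            current = None
        else:
            current = None
    in_used = {s for g in used for s in groups.get(g, [])}
    return {
        "groups": groups,
        "used_groups": sorted(used),
        "unused_groups": sorted(set(groups) - used),
        "stale_hosts": [h for h in hosts if h not in in_used],   # defined, never reached
        "missing_hosts": sorted(in_used - set(hosts)),           # referenced, never defined
    }
```

Feed `audit_aaa` the saved output of `show running-config`; a non-empty `missing_hosts` is the case that silently breaks logins, while `stale_hosts` are the leftover entries Rick suggests removing.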
11-18-2013 03:00 PM
Here is the output
FiberA# sho run | include aaa
aaa group server tacacs+ sasTac+
aaa group server tacacs+ yokTac+
aaa group server radius radius
aaa authentication login default group sasTac+
aaa accounting default group sasTac+
FiberA# sho run | include tacacs
feature tacacs+
tacacs-server key 7 "key"
tacacs-server host "IP address server new 5.4" key 7 "key"
tacacs-server host "IP address server old 3.3" key 7 "key"
tacacs-server host "IP address server old 3.3" key 7 "key"
tacacs-server host "IP address server new 5.4" key 7 "key"
tacacs-server host "IP address server new 5.4" key 7 "key"
aaa group server tacacs+ sasTac+
aaa group server tacacs+ yokTac+
FiberA# sho run | include yokTac
aaa group server tacacs+ yokTac+
Pinging between the switches and the ACS devices is good in both directions.
There are 2 old 3.3V models and 2 new 5.4V models.
Neither the yokTac+ nor the sasTac+ group configuration is anywhere to be found in the older ACS 3.3V server.
I see the settings for the cisco-av-pair command set but nothing with either of those group names.
When I began the process of modifying these switches to work with the new ACS I was given the impression they were Nexus 7000 units. Working on that, I found AAA settings different from what I put in my 3750's and 6509's.
After clearing up that issue and finding out these are MDS 9124s, I found these switches still have settings dissimilar to the Nexus 7000, which is on a newer IOS.
ej
11-18-2013 04:31 PM
ej
Thanks for the additional information. The output does confirm that there are entries in the configuration that are not being used. My suggestion is to remove the server entries that are not being used (all of the tacacs server entries other than server 10.207.5.21 and server 10.207.5.22 and aaa group server tacacs+ sasTac+).
Also the answer about whether the servers at 10.207.5.21 and .22 have configuration that recognizes the switch as a valid client would be quite helpful.
HTH
Rick
11-19-2013 02:42 PM
Well I'm much closer now.
I whittled the AAA config in the switch down to the bare settings and changed what I had in the ACS.
Instead of a new separate configuration I lumped it in with an existing one for 3750 devices.
So now the ACS sees it when I attempt to log in using my AD username/password; however, the error thrown up is "Possibly a mismatched secret key".
I have checked the keys in my other devices and have used the same.
When I check the keys in the MDS the configuration line is different.
It reads tacacs-server host "IPADDRESS" key 7 "keyname", rather than keyname without the double quotes.
I tried setting the secret key in non encrypted format but that doesn't change anything.
I'll have to see how secret keys are done on this switch.
ej
11-19-2013 05:17 PM
Well, I got it running.
I found that the secret keys on the MDS don't like special characters except for the $ and one other key.
I modified our key to be in line with this requirement.
On the ACS I made a duplicate of a device group and put that key in for the TACACS.
On the FC switch I used the global tacacs-server key 7 keyname to set the global key.
I removed the keys associated to the servers and it now allows access using the AD information.
I noticed that if you attempt to use the secret key in line with the server, so each server has its own key associated, the system doesn't encrypt it but just puts double quotes around it.
aaa group server tacacs+
aaa group server tacacs+
aaa group server radius radius
aaa authentication login default group
feature tacacs+
tacacs-server key 7
tacacs-server host 10.7.4.22 key 7
tacacs-server host 10.207.5.21 key 7
tacacs-server host 10.207.5.22 key 7
tacacs-server host 10.7.4.23
tacacs-server host 10.7.4.24
aaa group server tacacs+
aaa group server tacacs+
copy running-config startup-config
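To see why a key disagreement surfaces on the ACS as "Possibly a mismatched secret key", here is an added example (not from the thread or from Cisco) of the TACACS+ body obfuscation defined in RFC 8907: the packet body is XORed with an MD5-derived pad keyed by the shared secret, so a server holding a different secret recovers bytes that fail basic consistency checks. The session id and the two keys are constructed; the second key carries literal double quotes, echoing the quoted per-server keys in the MDS output above.

```python
import hashlib
import struct

# Constructed values for the demonstration (not from the thread): a fixed
# session id and two candidate shared secrets, the second carrying literal
# quotes the way the MDS displays per-server keys.
SESSION_ID = 0x1234ABCD
GOOD_KEY = b"switch-secret"
QUOTED_KEY = b'"switch-secret"'

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: chained MD5 over session_id|key|version|seq_no,
    each block also fed the previous digest, truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(prefix + block).digest()
        pad += block
    return pad[:length]

def obfuscate(body, session_id, key, version=0xC0, seq_no=1):
    """XOR the body with the pad; the same call reverses it. The 12-byte
    header travels in the clear and is not covered."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_start_body(user, port=b"tty0", rem_addr=b"", data=b""):
    """Authentication START: action=LOGIN(1), priv_lvl=1, authen_type=ASCII(1),
    authen_service=LOGIN(1), then four length octets and the variable fields."""
    hdr = struct.pack("!8B", 1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data))
    return hdr + user + port + rem_addr + data

def parse_start_body(body):
    """Return the user field if the fixed fields and lengths are self-consistent,
    else None: the kind of check that makes a server suspect a mismatched key."""
    if len(body) < 8:
        return None
    action, priv, atype, _svc, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    if action not in (1, 2, 4) or priv > 15 or atype not in range(1, 7):
        return None
    if 8 + ulen + plen + rlen + dlen != len(body):
        return None
    return body[8:8 + ulen]

def demo():
    """Client obfuscates with GOOD_KEY; the server side decodes with each key."""
    wire = obfuscate(build_start_body(b"ej"), SESSION_ID, GOOD_KEY)
    return {
        "same_key": parse_start_body(obfuscate(wire, SESSION_ID, GOOD_KEY)),
        "quoted_key": parse_start_body(obfuscate(wire, SESSION_ID, QUOTED_KEY)),
    }
```

Because the pad is a pure function of the secret, even a one-character difference (here, the quotes) yields an unrelated pad, which is why fixing the key on one side only, or changing its encoding format, cannot help until both sides hold byte-identical secrets.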