cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

460
Views
0
Helpful
6
Replies
Highlighted
Participant

Proper configuration for Fiber Channel AAA access

Hello all, I have been looking for the proper configuration to access the MDS 9124 fiber channel switches from the CSACS 1121 using 5.4.

I find bits and pieces but I'm probably configuring the groups incorrectly.

On the switch side I have this:

FiberA(config)# sho run | include aaa

aaa group server tacacs+ sasTac+

aaa group server tacacs+ yokTac+

aaa group server radius radius

aaa authentication login default group sasTac+

aaa accounting default group sasTac+

tacacs-server key 7 "09754F021046461S020731"

tacacs-server host 10.7.4.22 key 7 "fewhg"

tacacs-server host 10.207.5.21 key 7 "fewhg"

tacacs-server host 10.207.5.22 key 7 "fewhg"

tacacs-server host 10.7.4.23 key 7 "09754F021046461C020731"

tacacs-server host 10.7.4.24 key 7 "09754F021046461C020731"

aaa group server tacacs+ sasTac+

    server 10.207.5.21

    server 10.207.5.22

aaa group server tacacs+ yokTac+

    server 10.7.4.22

aaa group server radius radius

On the ACS side I have cisco-av-pair=shell:roles="network admin" for the command set.

The groups in the switch are leftovers from the previous configuration; however, I can't find the setting anywhere in the old ACS version 3.3.

On Jatin Katyal's post I found the links to explain setting up the devices but the links are dead.

1 ACCEPTED SOLUTION

Accepted Solutions
Highlighted

ej

I am glad that you got it running. Thank you for posting back to the forum and letting us know that you fixed it and what you did to fix it. This information could be helpful to some other reader in the forum who will be working with these switches at some time. It is this kind of information sharing that makes the forum so helpful and valuable.

HTH

Rick

HTH

Rick

View solution in original post

6 REPLIES 6
Highlighted
Hall of Fame Guru

I am not familiar with the MDS 9124 and assume that they implement AAA in ways that are similar to other Cisco devices and offer these comments based on that assumption.

You define 2 TACACS server groups but make use of only 1 in what is posted. Perhaps you could post the output of

show run | include yokTac

this would help us see if it is used in some way.

Also your configuration has 5 servers configured but only 2 of them are in the group that is being used. Perhaps you could post the output of

show run | include tacacs

this would help us see if other servers are used in some way.

Can you tell us whether the ACS servers at 10.207.5.21 and .22 have configured to recognize the 9124 as a client?

Is there IP connectivity between the 9124 and the ACS servers? (can the switch ping both servers and can each server ping the switch is a good place to start)

HTH

Rick

HTH

Rick
Highlighted

Here is the output

FiberA# sho run | include aaa

aaa group server tacacs+ sasTac+

aaa group server tacacs+ yokTac+

aaa group server radius radius

aaa authentication login default group sasTac+

aaa accounting default group sasTac+

FiberA# sho run | include tacacs

feature tacacs+

tacacs-server key 7 "key"

tacacs-server host "IP address server new 5.4" key 7 "key"

tacacs-server host "IP address server old 3.3" key 7 "key"

tacacs-server host "IP address server old 3.3" key 7 "key"

tacacs-server host "IP address server new 5.4" key 7 "key"

tacacs-server host "IP address server new 5.4"key 7 "key"

aaa group server tacacs+ sasTac+

aaa group server tacacs+ yokTac+

FiberA# sho run | include aaa
aaa group server tacacs+ sasTac+
aaa group server tacacs+ yokTac+
aaa group server radius radius
aaa authentication login default group sasTac+
aaa accounting default group sasTac+

FiberA# sho run | include yokTac

aaa group server tacacs+ yokTac+ FiberA# sho run | include yokTac
aaa group server tacacs+ yokTac+

Pinging between the switches and the ACS devices is good in both directions.

There are 2 old 3.3V models and 2 new 5.4 V models.

The yokTac+ nor the sasTac+ group configuration is no where to be found in the older ACS 3.3V server.

I see the settings for the cisco-av-pair command set but nothing with either of those group names.

When I began the process of modifying these switches to work with the new ACS I was given the impression they were Nexus 7000 units. Working on that I found settings AAA settings different from what I put in my 3750's and 6509's.

After clearing up that issue and finding out these are MDS 9124s I found these switches have still disimlar settings to the Nexus 7000 which is on a newer IOS.

ej

Highlighted

ej

Thanks for the additional information. The output does confirm that there are entries in the configuration that are not being used. My suggestion is to remove the server entries that are not being used (all of the tacacs server entries other than  server 10.207.5.21 and  server 10.207.5.22  and aaa group server tacacs+ sasTac+).

Also the answer about whether the servers at 10.207.5.21 and .22 have configuration that recognizes the switch as a valid client would be quite helpful.

HTH

Rick

HTH

Rick
Highlighted

Well I'm much closer now.

I whittled the AAA config in the switch down to the bare settings and changed what I had in the ACS.

Instead of a new seperate configuration I lumped it in with an existing one for 3750 devices.

So now the ACS is seeing when I attempt to login using my AD username/password; however, the error thrown up is "Possibly a missmatched secret key"

I have checked the keys in my other devices and have used the same.

When I check the keys in the MDS the configuration line is different.

It reads tacacs-server host "IPADDRESS" key 7 "keyname", rather than keyname without the double quotes.

I tried setting the secret key in non encrypted format but that doesn't change anything.

I'll have to see how secret keys are done on this switch.

ej

Highlighted

Well I got running.

I found that the secret keys on the MDS don't like special characters except for the $ and one other key.

I modified our key to be in line with this requirement.

On the ACS I made duplicate of a device group and put that key in for the TACACS.

On the FC switch I used the global tacacs-server key 7 keyname to set the global key.

I removed the key's associated to the servers and it now allows access using the AD information.

I noticed that if you attempt to use the secret key in line with the server, so each server has its own key associated, the system doesn't encrypt it but just puts double quotes around it.

aaa group server tacacs+

aaa group server tacacs+

aaa group server radius radius

aaa authentication login default group

feature tacacs+

tacacs-server key 7

tacacs-server host 10.7.4.22 key 7

tacacs-server host 10.207.5.21 key 7

tacacs-server host 10.207.5.22 key 7

tacacs-server host 10.7.4.23

tacacs-server host 10.7.4.24

aaa group server tacacs+

aaa group server tacacs+

copy running-config startup-config

Highlighted

ej

I am glad that you got it running. Thank you for posting back to the forum and letting us know that you fixed it and what you did to fix it. This information could be helpful to some other reader in the forum who will be working with these switches at some time. It is this kind of information sharing that makes the forum so helpful and valuable.

HTH

Rick

HTH

Rick

View solution in original post