
Tacacs+ authentication and authorization fail with NXOS

2004anand
Level 1

I am trying to configure TACACS+ authentication and authorization for NX-OS (Nexus 7706) 7.3(0)DX(1).

The configuration on the Nexus is the following:

aaa group server tacacs+ tac
aaa authentication login default group tac none
aaa authorization config-commands default group tac

feature tacacs+
tacacs-server key 7 "UE9Pp40o"
tacacs-server host 172.19.X.X key 7 "UE9Pp40o"
aaa group server tacacs+ tac

Error: AAA authorization failed for command:aaa group server tacacs+ tac, AAA_AUTHOR_STATUS_METHOD=17(0x11)

%TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond

8 Replies

mpellegrino12
Level 1

Under "aaa group server tacacs+ tac" you need "server 172.19.X.X", so it should be:

(config)# aaa group server tacacs+ tac
(config-tacacs+)# server 172.19.X.X

Thanks for the reply, mpellegrino.

I have made the changes below, but the problem still persists.

aaa group server tacacs+ tac
server 172.19.X.X, 

Please let me know if any additional information is required.

What are you using for authentication, ACS? If so, did you add the IP of the N7K?

This should be all you need for the config. If it doesn't work, that leads me to believe it's something outside the Nexus. You shouldn't need the "tacacs-server key 7 "UE9Pp40o"" command.

aaa group server tacacs+ tac
aaa authentication login default group tac none
aaa authorization config-commands default group tac

feature tacacs+
tacacs-server host 172.19.X.X key 7 "UE9Pp40o"
aaa group server tacacs+ tac
   server 172.19.X.X

** Also use the "debug tacacs+ all" command and check the logs.

One more thing: I had a customer that had latency issues across the WAN between his N7K and AAA server. I had to use the following command to get it working:

tacacs-server directed-request

I am getting the error below when applying the command "tacacs-server directed-request":

Error: AAA authorization failed for command:tacacs-server directed-request, AAA_AUTHOR_STATUS_METHOD=17(0x11)

This is a permissions issue. What are you using for authorization?

I am trying with vdc-admin

I have attached the debug log. Kindly let me know if any more information is required.
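An offline check for the point raised in the first reply, added here as an example and not posted by anyone in the thread: it reads a pasted NX-OS-style configuration and reports server groups with no "server" member, members with no "tacacs-server host" entry, method lists that name an undefined group, and a "none" fallback in an authentication method list. The finding codes and the function name are made up for this example, and the sample is the configuration from the original post with the key replaced by a placeholder.

```python
import re

# Constructed sample: the original post's configuration, key replaced by a placeholder.
SAMPLE_CONFIG = """\
aaa group server tacacs+ tac
aaa authentication login default group tac none
aaa authorization config-commands default group tac
feature tacacs+
tacacs-server key 7 "<redacted>"
tacacs-server host 172.19.X.X key 7 "<redacted>"
aaa group server tacacs+ tac
"""

def lint_tacacs(config):
    """Return (code, detail) findings for an NX-OS-style TACACS+ config."""
    hosts, groups, methods = set(), {}, []
    current = None  # name of the server group whose sub-mode we are in
    for line in filter(None, map(str.strip, config.splitlines())):
        m = re.match(r"aaa group server tacacs\+ (\S+)$", line)
        if m:
            current = m.group(1)
            groups.setdefault(current, set())
            continue
        m = re.match(r"server (\S+)$", line)
        if m and current is not None:
            groups[current].add(m.group(1))
            continue
        current = None  # any other command leaves the group sub-mode
        m = re.match(r"tacacs-server host (\S+)", line)
        if m:
            hosts.add(m.group(1))
        m = re.match(r"aaa (authentication|authorization) .*? group (.+)$", line)
        if m:
            methods.append((m.group(1), line, m.group(2).split()))
    findings = []
    for name, members in sorted(groups.items()):
        if not members:
            findings.append(("EMPTY_GROUP", name))
        for srv in sorted(members - hosts):
            findings.append(("UNDEFINED_HOST", f"{name}:{srv}"))
    for kind, line, tokens in methods:
        for tok in tokens:
            if tok not in ("none", "local") and tok not in groups:
                findings.append(("UNKNOWN_GROUP", tok))
        if kind == "authentication" and "none" in tokens:
            findings.append(("NONE_FALLBACK", line))
    return findings

if __name__ == "__main__":
    print(lint_tacacs(SAMPLE_CONFIG))
```

On the sample it reports the empty group "tac" and the "none" fallback; once "server 172.19.X.X" is placed under the group, only the "none" fallback remains.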
