cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

1074
Views
5
Helpful
1
Replies
Sergio Arroyo
Beginner

Tacacs do not function in Nexus 5000

Dear

For some reason, the tacacs not work on my nexus 5000.

This is the settings:


feature tacacs+

logging level tacacs 5

tacacs-server key 7 "clave"

ip tacacs source-interface Vlanx

tacacs-server host x.x.x.x                          >>> with this host works tacacs+

tacacs-server host x.x.x.x key 7 "clave"  >>> with this host does not work the tacacs+

aaa group server tacacs+ TACSERVER

    server x.x.x.x

    server x.x.x.x

    source-interface Vlanx

!

aaa authentication login default group TACSERVER

aaa authentication login error-enable

tacacs-server directed-request

These are the tests I've done to validate the configuration without success:

Nexus# test aaa server tacacs+ x.x.x.x user pass

error authenticating to server

7

Nexus# 2013 Aug  6 12:45:38 NITE4 %TACACS-3-TACACS_ERROR_MESSAGE: received bad authentication packet from x.x.x.x

NITE4# test aaa group TACSERVER user pass

user has failed authentication

The strange thing is that the other host is configured runs smoothly.

tacacs + the application is on a linux server has the following version:

tac_plus  version F5.0.0a1

The problem is very strange.

I need help.

Best regards

1 REPLY 1
Sam Hertica
Cisco Employee

Hi Sergio,

It sounds like a shared secret mismatch between your server and the device. Since TACACS+ encrypts the entire packet, if the shared secret is off then each device recieves garble for their "communication"

I would check to make sure the shared secrets match. What could be the issue is the command

tacacs-server host x.x.x.x key 7 "clave" 

the 'key 7' bit indicates that a previously hashed password will be put here. I would use the

tacacs-server host x.x.x.x key 0 clave

If clave is your shared secret.

Content for Community-Ad