09-05-2016 02:55 PM
Good Day All,
I have configured tacacs+ & aaa on my Nexus but it is not working. Can anyone advise with an expert opinion? Below are the configs done:
AAA Configurations
===============
HQ-N7K-2# sh running-config aaa
aaa authentication login default group PACI-TACACS
aaa authentication login console local
aaa authorization config-commands default group PACI-TACACS local
aaa authorization commands default group PACI-TACACS local
aaa accounting default group PACI-TACACS
no aaa user default-role
tacacs-server directed-request
TACACS+ Configurations
====================
HQ-N7K-2# sh running-config tacacs+
feature tacacs+
tacacs+ distribute
ip tacacs source-interface mgmt0
tacacs-server host 172.10.1.100 key 7 "paci@XXX"
tacacs+ commit
aaa group server tacacs+ PACI-TACACS
server 172.10.1.100
use-vrf management
source-interface mgmt0
Connectivity towards ACS Server
=========================
HQ-N7K-2# ping 172.10.1.100 source 172.17.1.114 vrf management
PING 172.17.1.100 (172.17.1.100) from 172.17.1.114: 56 data bytes
64 bytes from 172.10.1.100: icmp_seq=0 ttl=63 time=1.258 ms
64 bytes from 172.10.1.100: icmp_seq=1 ttl=63 time=1.154 ms
64 bytes from 172.10.1.100: icmp_seq=2 ttl=63 time=1.186 ms
64 bytes from 172.10.1.100: icmp_seq=3 ttl=63 time=1.349 ms
64 bytes from 172.10.1.100: icmp_seq=4 ttl=63 time=1.226 ms
Port (49) testing towards ACS
=======================
HQ-N7K-2# telnet 172.10.1.100 49 source 172.17.1.114 vrf management
Trying 172.10.1.100...
Connected to 172.10.1.100.
Escape character is '^]'.
Connection closed by foreign host.
But on testing I am getting this:
HQ-N7K-2# test aaa group PACI-TACACS aashfaque 12345698
error authenticating to server, status=7
Please advise if you see any issue in the configs.
Regards,
09-12-2016 03:39 PM
Step 1 was already there, in Step 2 I added the IP of the Nexus with the tacacs key, and for Step 3 please see attached.
Many thanks for support.
Regards,
09-12-2016 04:09 AM
Hi,
As you have used command authorization on the Nexus, are you pushing privilege 15 from the Nexus with a full-access command set?
Could you please confirm.
Regards
Gagan
09-12-2016 07:21 AM
Thanks Bro,
I have configured the command below:
username admin password 5 $1$O8eLTVET$QbHdUsawG6Lv7hIdIT29m1 role network-admin
Otherwise, tell me which output you are primarily looking for.
Regards,
09-12-2016 09:00 AM
Hi Ahmed,
I am looking for shell profile and command set configured on tacacs server for Nexus.
Please get both screenshots:
Cisco Secure ACS
Policy Elements > | ... > | Authorization and Permissions > | Device Administration > | Shell Profiles |
Cisco Secure ACS
Policy Elements > | ... > | Authorization and Permissions > | Device Administration > | Command Sets |
Regards
Gagan
09-12-2016 12:29 PM
09-12-2016 12:55 PM
Hi Ahmed,
First, try resetting the shared secret configured on both the Nexus and ACS. Remove tacacs commit and distribute for testing.
On Nexus
tacacs-server host 172.10.1.100 key 7 "paci@XXX"
On ACS
Network resources > Network devices > look for the Nexus IP.
Then click on tacacs and change the key.
Secondly, please share a screenshot of the rule created under Authorization.
Under Access policy > Default device administration
Let me know identity group and authorization rule in use.
Regards
Gagan
09-13-2016 03:15 AM
Hi Ahmed,
I would suggest in this case removing the aaa commands and the tacacs group from the Nexus and doing it from scratch.
!--- Enable TACACS+ on the device.
feature tacacs+
tacacs-server host 10.0.0.1 key 7 Cisco
tacacs-server host 10.0.0.2 key 7 Cisco
tacacs-server directed-request
!--- Provide the name of your ACS server.
aaa group server tacacs+ ACS
!--- Mention the IP address of the tacacs-servers
server 10.0.0.1
server 10.0.0.2
use-vrf management
source-interface mgmt0
Commands to check the TACACS or RADIUS configuration, and the command to test the aaa server group:
> Command: show running-config tacacs+ all
> Test the TACACS server availability:
test aaa group group-name username password
Create a user and define the AAA client as the Nexus in ACS,
then test it again. Only once the user is authenticating, put the aaa commands in.
If the request is not reaching the server, then do: # ping 10.25.32.80 vrf management
You can enable the following debugs to check the rest of the issues:
Debug aaa all
Debug tacacs+ all
Debug radius all
Regards
Gagan
PS: rate if it helps!!!!
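As an added example (not code from this thread, from Cisco, or from the ACS product), the following Python script performs the consistency checks that the original question's AAA/TACACS+ configuration and Gagan's rebuild-from-scratch procedure both rely on: every server in the TACACS+ group must have a matching tacacs-server host entry with a key, the group must pin its VRF, the login default method must reference a defined group, and a local console fallback plus local fallbacks on the authorization lines must exist so that a TACACS+ outage cannot lock out the box. The sample configuration is constructed from the lines posted in the thread with a placeholder key; the function and class names are the script's own.

```python
import re
from dataclasses import dataclass, field

# Constructed sample: the NX-OS config lines posted in the question, key replaced by a placeholder.
THREAD_CONFIG = """
feature tacacs+
tacacs-server host 172.10.1.100 key 7 "PLACEHOLDER_KEY"
aaa group server tacacs+ PACI-TACACS
server 172.10.1.100
use-vrf management
source-interface mgmt0
aaa authentication login default group PACI-TACACS
aaa authentication login console local
aaa authorization config-commands default group PACI-TACACS local
aaa authorization commands default group PACI-TACACS local
aaa accounting default group PACI-TACACS
"""

# Constructed sample with two common mistakes: group server IP does not match the host
# entry, and command authorization has no local fallback.
BROKEN_CONFIG = """
feature tacacs+
tacacs-server host 172.10.1.100 key 7 "PLACEHOLDER_KEY"
aaa group server tacacs+ PACI-TACACS
server 172.10.1.101
use-vrf management
aaa authentication login default group PACI-TACACS
aaa authentication login console local
aaa authorization commands default group PACI-TACACS
"""


@dataclass
class NxosAaaConfig:
    feature_tacacs: bool = False
    hosts: dict = field(default_factory=dict)     # server ip -> key configured?
    groups: dict = field(default_factory=dict)    # group name -> servers / vrf / source
    login_default: list = field(default_factory=list)
    console_local: bool = False
    authz_lines: list = field(default_factory=list)


def parse_nxos_aaa(text):
    """Line-oriented parser for the aaa/tacacs+ sections of a running-config."""
    cfg = NxosAaaConfig()
    group = None  # name of the 'aaa group server' block currently open, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if line == "feature tacacs+":
            cfg.feature_tacacs, group = True, None
        elif (m := re.match(r"tacacs-server host (\S+)(?: key \d+ (\S+))?", line)):
            cfg.hosts[m.group(1)] = m.group(2) is not None
            group = None
        elif (m := re.match(r"aaa group server tacacs\+ (\S+)", line)):
            group = m.group(1)
            cfg.groups[group] = {"servers": [], "vrf": None, "source": None}
        elif group and (m := re.match(r"server (\S+)", line)):
            cfg.groups[group]["servers"].append(m.group(1))
        elif group and (m := re.match(r"use-vrf (\S+)", line)):
            cfg.groups[group]["vrf"] = m.group(1)
        elif group and (m := re.match(r"source-interface (\S+)", line)):
            cfg.groups[group]["source"] = m.group(1)
        elif (m := re.match(r"aaa authentication login default group (.+)", line)):
            cfg.login_default, group = m.group(1).split(), None
        elif line == "aaa authentication login console local":
            cfg.console_local, group = True, None
        elif line.startswith("aaa authorization"):
            cfg.authz_lines.append(line)
            group = None
        else:
            group = None  # any other top-level line closes the group block
    return cfg


def lint_nxos_aaa(cfg):
    """Return a list of human-readable findings; an empty list means consistent."""
    findings = []
    if not cfg.feature_tacacs:
        findings.append("feature tacacs+ is not enabled")
    for ip, has_key in cfg.hosts.items():
        if not has_key:
            findings.append(f"tacacs-server host {ip} has no key configured")
    for name, g in cfg.groups.items():
        if not g["servers"]:
            findings.append(f"group {name} lists no servers")
        for ip in g["servers"]:
            if ip not in cfg.hosts:
                findings.append(f"group {name} server {ip} has no tacacs-server host entry")
        if g["vrf"] is None:
            findings.append(f"group {name} has no use-vrf; requests would use the default VRF")
    for name in cfg.login_default:
        if name not in ("local", "none") and name not in cfg.groups:
            findings.append(f"login default references undefined group {name}")
    if cfg.login_default and not cfg.console_local:
        findings.append("no local console fallback; a TACACS+ outage would lock out the console")
    for line in cfg.authz_lines:
        if not line.endswith(" local"):
            findings.append(f"no local fallback on: {line}")
    return findings


if __name__ == "__main__":
    for label, text in (("thread", THREAD_CONFIG), ("broken", BROKEN_CONFIG)):
        print(label, lint_nxos_aaa(parse_nxos_aaa(text)) or "OK")
```

Run against the thread's own lines the linter reports nothing, which matches the thread's conclusion that the device side was consistent and the problem was on the ACS side (device entry and key). The script does not interpret the "status=7" result; it only confirms that the device configuration is internally consistent before the ACS device entry, shared secret, shell profile and command set are checked.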
09-14-2016 02:10 PM
Hey Ahmed,
Did you try the action plan provided?
Regards
Gagan
PS: rate if it helps!!!!
09-14-2016 04:08 PM
Hello Boss,
All the listed commands are there... it does ping the ACS (from the Nexus) and does telnet on port 49 too, but it does not authenticate the user.
Regards,