Nexus N7K AAA 7 TACACS+ Configurations are not working

Ahmed Ashfaque
Level 1

Good Day All,

I have configured TACACS+ & AAA configuration on my Nexus but it is not working. Can anyone advise with an expert opinion? Below are the configs done:

AAA Configurations

===============

HQ-N7K-2# sh running-config aaa

aaa authentication login default group PACI-TACACS
aaa authentication login console local
aaa authorization config-commands default group PACI-TACACS local
aaa authorization commands default group PACI-TACACS local
aaa accounting default group PACI-TACACS
no aaa user default-role
tacacs-server directed-request

TACACS+ Configurations

====================

HQ-N7K-2# sh running-config tacacs+

feature tacacs+

tacacs+ distribute
ip tacacs source-interface mgmt0
tacacs-server host 172.10.1.100 key 7 "paci@XXX"
tacacs+ commit
aaa group server tacacs+ PACI-TACACS
server 172.10.1.100
use-vrf management
source-interface mgmt0

Connectivity towards ACS Server

=========================

HQ-N7K-2# ping 172.10.1.100 source 172.17.1.114 vrf management
PING 172.17.1.100 (172.17.1.100) from 172.17.1.114: 56 data bytes
64 bytes from 172.10.1.100: icmp_seq=0 ttl=63 time=1.258 ms
64 bytes from 172.10.1.100: icmp_seq=1 ttl=63 time=1.154 ms
64 bytes from 172.10.1.100: icmp_seq=2 ttl=63 time=1.186 ms
64 bytes from 172.10.1.100: icmp_seq=3 ttl=63 time=1.349 ms
64 bytes from 172.10.1.100: icmp_seq=4 ttl=63 time=1.226 ms

Port (49) testing towards ACS

=======================

HQ-N7K-2# telnet 172.10.1.100 49 source 172.17.1.114 vrf management
Trying 172.10.1.100...
Connected to 172.10.1.100.
Escape character is '^]'.
Connection closed by foreign host.

But on testing I am getting this.

HQ-N7K-2# test aaa group PACI-TACACS aashfaque 12345698
error authenticating to server, status=7

Please advise if you see any issue in the configs.

Regards,


15 Replies

Gagandeep Singh
Cisco Employee

Hi,

As you have used command authorization on Nexus, are you pushing privilege 15 from Nexus with command set full access?

Could you please confirm.

Regards

Gagan

Thanks Bro,

I have configured the below command:

username admin password 5 $1$O8eLTVET$QbHdUsawG6Lv7hIdIT29m1  role network-admin

Else tell me which output you are primarily looking for?

Regards, 

Hi Ahmed,

I am looking for shell profile and command set configured on tacacs server for Nexus.

Please get both screenshots:

Cisco Secure ACS

Policy Elements ... >  Authorization and Permissions  >  Device Administration >  Shell Profiles

Cisco Secure ACS

Policy Elements ... >  Authorization and Permissions  >  Device Administration >  Command Sets

Regards

Gagan

Good Day,

Gagan, please see attached and advise if you need anything else to cross-verify.

Thanks. 

Hi Ahmed,

Firstly, try to reset the shared secret configured on both Nexus and ACS. Remove tacacs commit and distribute for testing.

On Nexus

tacacs-server host 172.10.1.100 key 7 "paci@XXX"

On ACS

Network resources > Network devices > look for nexus IP.

Then click on tacacs and change the key.

Secondly, please share a screenshot of the rule created on Authorization.

Under Access policy > Default device administration 

Let me know identity group and authorization rule in use.

Regards

Gagan

Step 1 was already there, for Step 2 I added the IP of Nexus with the TACACS key, & for Step 3 please see attached.

Many thanks for support.

Regards, 

Hi Ahmed,

I would suggest in this case to remove the AAA commands and TACACS group from Nexus and do it from scratch.

!--- Enable TACACS+ on the device.
feature tacacs+
tacacs-server host 10.0.0.1 key 7 Cisco
tacacs-server host 10.0.0.2 key 7 Cisco
tacacs-server directed-request

!--- Provide the name of your ACS server.
aaa group server tacacs+ ACS

!--- Mention the IP address of the tacacs-servers
 server 10.0.0.1
 server 10.0.0.2
 use-vrf management
 source-interface mgmt0

Commands to check the TACACS or RADIUS configuration & a command to test the AAA server group:

> Command: show running-config tacacs+ all

> Test the TACACS server availability:

    test aaa group group-name username password

Create the user and define the AAA client as Nexus in ACS, then test it again. If the user is authenticating, only then put the AAA commands.

If the request is not reaching, then do # ping 10.25.32.80 vrf management

You can enable the following debugs to check the rest of the issues:

debug aaa all
debug tacacs+ all
debug radius all

Regards

Gagan

PS: rate if it helps!!!!

Hey Ahmed,

Did you try the action plan provided?

Regards

Gagan

PS: rate if it helps!!!!

Hello Boss, 

All the listed commands are there... it does ping to ACS (from Nexus) and does telnet on port 49 too, but it does not authenticate the user.

Regards, 

Could you share the configuration made on ACS for Nexus?

Did you see any error in ACS reporting?

Good Day, 

Please see below; I have done the following configs:

aaa authentication login default group PACI-TACACS
aaa authentication login console local
aaa authorization config-commands default group PACI-TACACS local
aaa authorization commands default group PACI-TACACS local
aaa accounting default group PACI-TACACS
no aaa user default-role
tacacs-server directed-request

tacacs+ distribute
ip tacacs source-interface mgmt0
tacacs-server host 172.17.1.100 key 7 "paci@XXXX"
tacacs+ commit
aaa group server tacacs+ PACI-TACACS
server 172.17.1.100
use-vrf management
source-interface mgmt0

HQ-N7K-2# ping 172.17.1.100 vrf management source 172.17.1.114
PING 172.17.1.100 (172.17.1.100) from 172.17.1.114: 56 data bytes
64 bytes from 172.17.1.100: icmp_seq=0 ttl=63 time=1.09 ms
64 bytes from 172.17.1.100: icmp_seq=1 ttl=63 time=0.982 ms
64 bytes from 172.17.1.100: icmp_seq=2 ttl=63 time=0.849 ms
64 bytes from 172.17.1.100: icmp_seq=3 ttl=63 time=0.972 ms
64 bytes from 172.17.1.100: icmp_seq=4 ttl=63 time=0.854 ms

--- 172.17.1.100 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 0.849/0.949/1.09 m

HQ-N7K-2# telnet 172.17.1.100 49 vrf management
Trying 172.17.1.100...
Connected to 172.17.1.100.
Escape character is '^]'

Thanks for support... Regards,

Hi Ahmed,

I would suggest to remove all AAA commands from Nexus.

Then just configure the TACACS server group. Test the user with the test command. If the error still occurs, then open up a TAC case for further troubleshooting. Probably someone has to look into the Nexus and ACS through a remote session.

Rate it if it helps!!!!!

Regards

Gagan

Hello Gagan,

Thanks for the help and support, it was really nice to have you on board. The problem has been solved; we opened a case with Cisco TAC and we found that the command

tacacs-server host 172.10.1.100 key 7 "paci@XXX"

should be 

tacacs-server host 172.10.1.100 key 0 "paci@XXX"

Because of this, ACS was getting a bad packet format and was not replying... the rest were all the same.

Thanks again. 

Regards,
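Added example, not from the thread and not Cisco code: a small Python lint that reads NX-OS `tacacs-server host ... key <type> <secret>` lines and flags the mismatch TAC found above, a plaintext secret declared with `key 7` (which tells NX-OS the value is already type-7 encoded, so a plaintext string produces a wrong shared secret on the wire). The type-7 shape check (hex digits, even length, two-digit salt offset 00-15) is a heuristic assumed here, and the sample config is constructed for the example.

```python
import re
from typing import List, Optional

# Matches "tacacs-server host <ip> key <0|7> <secret>" as shown in NX-OS running-config.
TACACS_HOST_RE = re.compile(
    r'^\s*tacacs-server\s+host\s+(?P<host>\S+)\s+key\s+(?P<ktype>[07])\s+(?P<secret>.+?)\s*$'
)

def is_type7_encoded(value: str) -> bool:
    """Heuristic shape check for a Cisco type-7 string: hex digits only,
    even length of at least 4, and the first two digits a decimal salt offset 0-15."""
    if len(value) < 4 or len(value) % 2:
        return False
    if not re.fullmatch(r'[0-9A-Fa-f]+', value):
        return False
    salt = value[:2]
    return salt.isdigit() and 0 <= int(salt) <= 15

def lint_tacacs_line(line: str) -> Optional[dict]:
    """Return a finding for a tacacs-server host line, or None for other lines."""
    m = TACACS_HOST_RE.match(line)
    if not m:
        return None
    host, ktype = m.group('host'), m.group('ktype')
    secret = m.group('secret').strip('"')  # NX-OS shows the secret in double quotes
    finding = {'host': host, 'key_type': ktype, 'ok': True,
               'message': 'key type is consistent with the value'}
    if ktype == '7' and not is_type7_encoded(secret):
        finding.update(ok=False, message='key 7 declared but the value is not a type-7 '
                       'string; a plaintext secret must be entered with "key 0"')
    elif ktype == '0' and is_type7_encoded(secret):
        # Heuristic: an encoded string pasted back from running-config with the wrong type.
        finding.update(ok=False, message='key 0 declared but the value looks like a '
                       'type-7 string; check that the plaintext secret was entered')
    return finding

def lint_config(config: str) -> List[dict]:
    """Lint every line of a config and return the findings in order."""
    return [f for f in (lint_tacacs_line(l) for l in config.splitlines()) if f]

# Constructed sample: the thread's failing line, its corrected form, and an encoded one.
SAMPLE_CONFIG = """\
feature tacacs+
tacacs-server host 172.10.1.100 key 7 "paci@XXX"
tacacs-server host 172.10.1.100 key 0 "paci@XXX"
tacacs-server host 10.0.0.2 key 7 0822455D0A16
"""

if __name__ == '__main__':
    for f in lint_config(SAMPLE_CONFIG):
        print(('OK  ' if f['ok'] else 'WARN'), f['host'], 'key', f['key_type'], '-', f['message'])
```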

It was nice working with you Ahmed...

Regards

Gagan
