Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1656
Views
0
Helpful
5
Replies

Cisco Nexus 1000v + aaa

Petr Nagernyuk
Level 1
Level 1

‎06-30-2011 03:26 AM - edited ‎03-01-2019 06:58 AM

Hello!

Could you please help with the my problem....

I have the Nexus 1000v configured for tacacs authentication:

nexus(config)# tacacs-server host A.B.C.D key *****

nexus(config)# aaa group server tacacs+ TacServer

nexus(config-tacacs+)# server A.B.C.D

Testing of the tacacs+ authentication succeeded only whith the following:

nexus(config)# test aaa server tacacs+ A.B.C.D login password

.......user has been authenticated........

But when when I try to issue that command there is the problem:

nexus(config)# test aaa group TacServer login password

.......error authenticating to server........

And debug said:

nexus(config)# aaa: sg_protocol is incorrect. Retrieving it by checking group list

That is why I can not use console authentication with my tacacs (aaa authentication login console group TacServer). Seems like my nexus can not identify tacacs-server inside server group.

Labels:
0 Helpful
5 Replies 5

Ruhann Du Plessis
Level 1
Level 1

‎06-30-2011 03:45 AM

How do you reach the tacacs server? via the Mg0 or inline interfaces?

Did you specify the VRF and source interface in the tacacs group:

aaa group server tacacs+ TacServer
    use-vrf management
    source-interface mgmt0

hth

0 Helpful

Petr Nagernyuk
Level 1
Level 1
In response to Ruhann Du Plessis

‎06-30-2011 04:46 AM

Thanks! Now it works!

But why does this configuration begin working only after "user-vrf management" command?

0 Helpful

Ruhann Du Plessis
Level 1
Level 1
In response to Petr Nagernyuk

‎06-30-2011 05:01 AM

All ethernet interface on the Nexus belong to the Default VRF, and the Mgmt0 belongs to the Management VRF.

For this reason any control traffic must be specified to use the Mgmt0 interface and the Management VRF as a source, unless you want to use the inline ethernet interfaces for your control traffic.

hth

0 Helpful

Petr Nagernyuk
Level 1
Level 1
In response to Ruhann Du Plessis

‎06-30-2011 05:54 AM

In the Nexus 1000v config guide "user-vrf" command is named as "optional". Also given tacacs configuration example have no this command.

And that fact confused me...

Thank you once again!

0 Helpful

Ruhann Du Plessis
Level 1
Level 1
In response to Petr Nagernyuk

‎06-30-2011 06:13 AM

Its not required, but that depends how your network is setup.

Most people will use the out-of-band for management traffic, so the defaults here IMO is swapped around.

Glad to have helped

0 Helpful
Customers Also Viewed These Support Documents