Nexus 1KV TACACS+ Not Working

1gtopf
Level 1

I have been trying to get my Nexus 1KV working with AAA/TACACS+ and I'm stumped.

The short version is that I see where the issue is, but can't seem to resolve it.

When I try to log in using TACACS, it fails. The ACS server reports InvalidPassword.

The CLI on the Nexus shows:

2011 Sep  9 16:37:13 NY_nexus1000v %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond

2011 Sep  9 16:37:14 NY_nexus1000v %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user gtopf from 192.168.20.151 - sshd[15675]
2011 Sep  9 16:37:23 NY_nexus1000v %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user gtopf from 192.168.20.151 - sshd[15672]

And an AAA test from the nexus fails.

I have good connectivity between the two boxes, I can ping, and obviously the failed login showing on ACS shows that it's talking, but it's just not working.

My config is below (Ethernet port configs omitted).

!Command: show running-config
!Time: Fri Sep  9 16:45:49 2011

version 4.2(1)SV1(4a)
no feature telnet
feature tacacs+
feature lacp

username admin password 5 $1$Q50UpgN/$4eu39QmZHLTf3FAkwwdOF1  role network-admin

banner motd #Nexus 1000v Switch#

ssh key rsa 2048
ip domain-lookup
ip domain-lookup
ip name-server 192.168.20.10
tacacs-server timeout 30
tacacs-server host 192.168.20.30 key 7 "j3gp0"
aaa group server tacacs+ TacServer
    server 192.168.20.30
    deadtime 15
    use-vrf management
    source-interface mgmt0
hostname NY_nexus1000v
ntp server 192.168.20.10
aaa authentication login default group TacServer
aaa authentication login console group TacServer
aaa authentication login error-enable
tacacs-server directed-request

vrf context management
  ip route 0.0.0.0/0 192.168.240.1
vlan 1,20,40,240
lacp offload
port-channel load-balance ethernet source-mac
port-profile default max-ports 32
port-profile type ethernet Unused_Or_Quarantine_Uplink
  vmware port-group
  shutdown
  description Port-group created for Nexus1000V internal usage. Do not use.
  state enabled
port-profile type vethernet Unused_Or_Quarantine_Veth
  vmware port-group
  shutdown
  description Port-group created for Nexus1000V internal usage. Do not use.
  state enabled
port-profile type ethernet system-uplink
  vmware port-group
  switchport mode trunk
  switchport trunk allowed vlan 20,40,240
  channel-group auto mode active
  no shutdown
  system vlan 240
  description "System profile for critical ports"
  state enabled
port-profile type vethernet data20
  vmware port-group
  switchport mode access
  switchport access vlan 20
  no shutdown
  description "Data profile for VM traffic 20 VLAN"
  state enabled
port-profile type vethernet data40
  vmware port-group
  switchport mode access
  switchport access vlan 40
  no shutdown
  description "Data profile for VM traffic 40 VLAN"
  state enabled
port-profile type vethernet data240
  vmware port-group
  switchport mode access
  switchport access vlan 240
  no shutdown
  description "Data profile for VM traffic 240 VLAN"
  state enabled
port-profile type vethernet system-upilnk
  description "Uplink profile for VM traffic"

vdc NY_nexus1000v id 1
  limit-resource vlan minimum 16 maximum 2049
  limit-resource monitor-session minimum 0 maximum 2
  limit-resource vrf minimum 16 maximum 8192
  limit-resource port-channel minimum 0 maximum 768
  limit-resource u4route-mem minimum 32 maximum 32
  limit-resource u6route-mem minimum 16 maximum 16
  limit-resource m4route-mem minimum 58 maximum 58
  limit-resource m6route-mem minimum 8 maximum 8

interface port-channel1
  inherit port-profile system-uplink
  vem 3

interface port-channel2
  inherit port-profile system-uplink
  vem 4

interface port-channel3
  inherit port-profile system-uplink
  vem 5

interface port-channel4
  inherit port-profile system-uplink
  vem 6

interface mgmt0
  ip address 192.168.240.10/24

interface control0
line console
boot kickstart bootflash:/nexus-1000v-kickstart-mz.4.2.1.SV1.4a.bin sup-1
boot system bootflash:/nexus-1000v-mz.4.2.1.SV1.4a.bin sup-1
boot kickstart bootflash:/nexus-1000v-kickstart-mz.4.2.1.SV1.4a.bin sup-2
boot system bootflash:/nexus-1000v-mz.4.2.1.SV1.4a.bin sup-2
svs-domain
  domain id 500
  control vlan 240
  packet vlan 240
  svs mode L2 
svs connection vcenter
  protocol vmware-vim
  remote ip address 192.168.20.127 port 80
  vmware dvs uuid "52 8b 1d 50 44 9d d7 1f-b6 25 76 f1 f7 97 d8 5e" datacenter-name 28th St Datacenter
  max-ports 8192
  connect
vsn type vsg global
  tcp state-checks
vnm-policy-agent
  registration-ip 0.0.0.0
  shared-secret **********
  log-level

4 Replies

CARL LINDAHL
Level 1

Curious. Under

interface mgmt0

  ip address 192.168.240.10/24

Can you add "vrf member management" to the interface mgmt0?

Add the following to your config:

aaa authentication login ascii-authentication

hth

FYI...

I was able to get TACACS+ auth working using the commands in the Original Post (without the two additional suggestions) as follows...

1000v# conf t
1000v(config)# feature tacacs+
1000v(config)# tacacs-server host 192.168.1.1 key 0
1000v(config)# aaa group server tacacs+ TacServer
1000v(config-tacacs+)# server 192.168.1.1
1000v(config-tacacs+)# use-vrf management
1000v(config-tacacs+)# source-interface mgmt 0
1000v(config-tacacs+)# aaa authentication login default group TacServer local
1000v(config)# aaa authentication login error-enable
1000v(config)# tacacs-server directed-request

I guess the OP had some other problem (perhaps incorrect shared secret??)
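The two replies above suggest different pieces (explicit management VRF membership on mgmt0, ASCII authentication, and a `local` fallback on the login methods). The block below is an added example written for this thread, not config from either poster or from Cisco; it puts those pieces together beside the original post's login lines and adds the checks that separate a shared-secret or reachability problem from a genuinely wrong password. The server address and hostname are taken from the thread; the secret and the test password are placeholders. The pairing the OP saw (the switch logs "All servers failed to respond" while ACS logs InvalidPassword for the same attempt) is the usual signature of a shared-secret mismatch: the server cannot decrypt the request body, records it as a bad password, and the switch never receives a reply it can validate.

```text
! --- As posted: TACACS+ only, no fallback. If the server is unreachable or
! --- the key is wrong, nobody (including the console) can log in.
aaa authentication login default group TacServer
aaa authentication login console group TacServer

! --- Combined suggestions from the replies (assumed placeholder secret):
tacacs-server host 192.168.20.30 key 0 REPLACE_WITH_SHARED_SECRET
aaa group server tacacs+ TacServer
  server 192.168.20.30
  deadtime 15
  use-vrf management
  source-interface mgmt0
interface mgmt0
  vrf member management
  ip address 192.168.240.10/24
! "local" is consulted only when every server in the group fails to respond,
! not when a server actively rejects the credentials, so it does not weaken
! a deny from ACS; it only prevents lockout during an outage or key mismatch.
aaa authentication login default group TacServer local
aaa authentication login console group TacServer local
aaa authentication login ascii-authentication
aaa authentication login error-enable

! --- Checks, run from exec mode after the change:
! show tacacs-server
!   confirms the host, key presence, timeout, and the VRF/source-interface in use
! test aaa group TacServer gtopf REPLACE_WITH_PASSWORD
!   a reachability/secret failure reports an error talking to the server;
!   a wrong password reports that the user was rejected, which points at ACS
```

Typing the key with `key 0` stores it as a type 7 string in the running config, as in the original post; re-enter it on both the switch and ACS rather than copying the obfuscated form between devices, since a mismatch there reproduces exactly the symptom this thread describes.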

Michael Holder
Level 1

I had a similar issue with a Nexus 5020 authenticating our Ciscoworks account and giving the illegal user log message. Other users were connecting fine.

Debugs showed TACACS failing to resolve the Ciscoworks server's hostname in a reverse lookup.

I removed the ip domain lookup and name-server from the config, and was able to connect.