02-15-2010 08:44 AM - edited 03-10-2019 04:57 PM
I have a very strange problem. I set up tacacs on two Nexus 5000 switches with exactly the same tacacs, aaa config (see below). N01 is working fine but N02 has problems in Authorization. I am able to authenticate into N02 but can use only a few commands, whereas N01 has the full set of commands available.
I see error messages in the log (see bottom).
ked1.dcacc.n02(config)# ?
end Go to exec mode
exit Exit from command interpreter
no Negate a command or set its defaults
username Configure user information.
ked1.dcacc.n02# sho run aaa
version 4.1(3)N2(1)
aaa authentication login default group tacacs local
aaa authorization config-commands default group tacacs local
aaa authorization commands default group tacacs local
aaa accounting default group tacacs local
aaa authentication login error-enable
ked1.dcacc.n02# sho run tacacs
version 4.1(3)N2(1)
feature tacacs+
tacacs-server host 167.54.254.113 key 7 .....
ip tacacs source-interface Vlan2
aaa group server tacacs+ tacacs
server 167.54.254.113
source-interface Vlan2
- Comparing CONFIG with ked1.dcacc.n01:
ked1.dcacc.n01# sho run tacacs
version 4.1(3)N2(1)
feature tacacs+
tacacs-server host 167.54.254.113 key 7 .....
ip tacacs source-interface Vlan2
aaa group server tacacs+ tacacs
server 167.54.254.113
source-interface Vlan2
ked1.dcacc.n01# sho run aaa
version 4.1(3)N2(1)
aaa authentication login default group tacacs local
aaa authorization config-commands default group tacacs local
aaa authorization commands default group tacacs local
aaa accounting default group tacacs local
aaa authentication login error-enable
ked1.dcacc.n02# sho log last 10
2010 Feb 12 13:55:13.697 ked1.dcacc.n02 %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond
2010 Feb 12 13:56:14.975 ked1.dcacc.n02 %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond
2010 Feb 12 13:56:14.975 ked1.dcacc.n02 %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by khwajan on 167.54.254.2@pts/0
2010 Feb 12 13:56:14.987 ked1.dcacc.n02 9836]: CLIC-6-EXIT_CONFIG: Configured from 0 by systest
2010 Feb 12 13:56:15.087 ked1.dcacc.n02 snmpd: snmpd: send_trap: Failure in sendto (No route to host)
2010 Feb 12 13:56:15.088 ked1.dcacc.n02 snmpd: snmpd: send_trap: Failure in sendto (No route to host)
2010 Feb 12 13:56:15.088 ked1.dcacc.n02 snmpd: NETWORK- UNREACHABLE
2010 Feb 12 14:01:22.771 ked1.dcacc.n02 %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond
2010 Feb 12 14:01:34 ked1.dcacc.n02 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from 172.19.1.3 - login[9969]
2010 Feb 12 14:01:50.349 ked1.dcacc.n02 %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond
2. Both N01 and N02 have the following message logged frequently,
%TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond
3. Our tacacs server is V3.0
02-16-2010 12:20 AM
Hi,
As per the logs, if the request is going to the TACACS server and the TACACS server fails to respond, that means you should check whether the TACACS services on the TACACS server are flapping, or check connectivity to the TACACS server from the switches, whether it is reachable or not.
Hope this helps.
Ganesh.H
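A way to triage a log excerpt like the one in the original post, as an added example that is not part of the thread: the Python below counts `All servers failed to respond` events per switch and lists login failures logged within a chosen window of one. The function names and the 60-second default window are assumptions; the sample lines are taken from the post's excerpt with wrapped lines joined.

```python
import re
from datetime import datetime, timedelta

# Sample lines from the log excerpt in the original post (wrapped lines joined).
SAMPLE_LOG = """\
2010 Feb 12 13:55:13.697 ked1.dcacc.n02 %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond
2010 Feb 12 13:56:14.975 ked1.dcacc.n02 %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond
2010 Feb 12 13:56:15.087 ked1.dcacc.n02 snmpd: snmpd: send_trap: Failure in sendto (No route to host)
2010 Feb 12 14:01:22.771 ked1.dcacc.n02 %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond
2010 Feb 12 14:01:34 ked1.dcacc.n02 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from 172.19.1.3 - login[9969]
2010 Feb 12 14:01:50.349 ked1.dcacc.n02 %TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond
"""

LINE_RE = re.compile(r"^(\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2})(?:\.\d+)? (\S+) (.*)$")
AUTH_FAIL_RE = re.compile(r"pam_aaa:Authentication failed for user (\S+) from (\S+)")
TIMEOUT_MARK = "%TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond"

def parse(log_text):
    """Yield (timestamp, host, message) for each line in the expected format."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m.group(1), "%Y %b %d %H:%M:%S")
            yield ts, m.group(2), m.group(3)

def triage(log_text, window_s=60):
    """Count TACACS+ timeouts per host and list login failures near a timeout."""
    events = list(parse(log_text))
    timeouts = {}
    for ts, host, msg in events:
        if msg.startswith(TIMEOUT_MARK):
            timeouts.setdefault(host, []).append(ts)
    window = timedelta(seconds=window_s)
    near = []
    for ts, host, msg in events:
        m = AUTH_FAIL_RE.search(msg)
        if m and any(abs(ts - t) <= window for t in timeouts.get(host, [])):
            near.append((host, m.group(1), m.group(2), ts.isoformat()))
    counts = {h: len(v) for h, v in timeouts.items()}
    return counts, near

if __name__ == "__main__":
    counts, near = triage(SAMPLE_LOG)
    print("TACACS+ timeouts per host:", counts)
    for item in near:
        print("login failure near a timeout:", item)
```

Running the same function over the logs of both switches gives a per-host timeout count that can be compared directly.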
06-25-2010 03:05 AM
Hi Nusrat,
Did you find a solution for this problem?
We are having the same issue with the Nexus 5000 concerning Authorization.
Regards,
Jasper
06-25-2010 06:29 AM
No response so far.