I am facing issues with Tacacs authentication on Nexus4001L switch. I have configured AAA and tacacs server details on Nexus4001l switch side but tacacs authentication is not working. AAA server is configured with correct details but due to some reasons we are not able to authenticate.
Below is the configuration done on the Nexus4001L switch side:
aaa authentication login default group ACS
aaa accounting default group ACS
aaa group server tacacs+ ACS
tacacs-server key 7 "BBBB"
tacacs-server host x.x.x.x key 7 "BBBB"
tacacs-server host y.y.y.y key 7 "BBBB"
Error logs from the 4001L switch:
2011 Feb 4 03:24:10 XXXXXXXXsw05 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from x.x.x.x - login
2011 Feb 4 03:24:25 XXXXXXXXsw05 %AUTHPRIV-3-SYSTEM_MSG: Unable to create temporary user mahi. Error 0x404a0041 - login
2011 Feb 4 03:24:25 XXXXXXXXsw05 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user mahi from x.x.x.x - login[1417
2011 Feb 4 03:24:35 XXXXXXXXsw05 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from x.x.x.x - login
2011 Feb 4 03:25:15 XXXXXXXXsw05 %DAEMON-3-SYSTEM_MSG: Unable to create temporary user mahi. Error 0x404a0041 - sshd
2011 Feb 4 03:25:15 XXXXXXXXsw05 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user mahi from z.z.z.z - sshd
2011 Feb 4 03:25:16 XXXXXXXXsw05 %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user mahi from z.z.z.z -
Error logs from the AAA server:
2/22/2011 22:11:25 Authen failed Mahi -Priv15-ReadNAR X>X>X>X> (Default) CS password invalid 0 ABC
2/22/2011 22:11:28 Authen failed Mahi -Priv15-ReadNAR X>X>X>X> (Default) CS password invalid 0 ABC
2/22/2011 22:11:44 Authen failed Mahi -Priv15-ReadNAR X>X>X>X> (Default) CS password invalid 0 ABC
Please let me know if you find any clue for this issue.
Are you able to log in to other Cisco devices with your credentials? Your switch configuration looks OK to me. I have the following configuration (I use mgmt0 to access the switch and hence specify the vrf) and I can authenticate fine.
N4k-Top# sh run aaa
logging level aaa 5
aaa authentication login default group rtp-dc-sw
aaa authentication login console local
aaa accounting default group rtp-dc-sw
N4k-Top# sh run tacacs+
tacacs-server host x.x.x.x key 7 "xxxxxx"
aaa group server tacacs+ rtp-dc-sw
aaa group server tacacs+ tacacs
Thanks for the reply.
I am using the same configuration which you are using, but TACACS authentication is not working for these Nexus4001L switches. I also have other Nexus switches (Nexus7010, Nexus5020); all other Nexus switches are working fine with TACACS access, the only issue is with the Nexus4001L switch.
I verified that the Nexus4001L does not support the command mentioned below.
ip tacacs source-interface vlanX
So I think it can support only the management port or an Ethernet port with an IP for TACACS authentication and cannot use a layer 3 VLAN for TACACS authentication. Please correct me if I am wrong.
Can you also tell me the version of the AAA server you are using? That could also be an issue, I think.
Thanks in advance for replying.
Just a quick question: are you using TACACS+ Cisco ACS for authentication? If so, have you enabled the advanced features and also cisco-avpair?
Thanks for the reply. Can you specify in detail which advanced feature needs to be enabled in Cisco ACS for 4001L authentication to work?
I also want to mention that we also have Nexus5020 TACACS authentication working fine with the same ACS server. Does TACACS work differently on the Nexus5020 and the Nexus4001L?
Thanks in advance
Can you also confirm the code you are running in the Nexus4001L switches, as well as whether your TACACS ID starts with a number? It seems there is also a bug: if the TACACS ID starts with a number, TACACS authentication will not work in these switches.
Thanks in advance
We have encountered similar problem at Nexus 4005 with 4.1(2)E1(1f).
In our case users are authenticated by a TACACS server which uses AD domain credentials to authenticate a user (domain users). For some users authentication works well, for the others not; authentication works only if the user uses capital letters instead of normal letters. With normal letters we get the message:
%DAEMON-3-SYSTEM_MSG: Unable to create temporary user domain\user.A Error 0x404a000a usermod: user domain\user.A does not exist - sshd
On a switch we also receive syslog messages:
%USER-3-SYSTEM_MSG: user delete failed for domain\user.A:userdel: user domain\user.A does not exist - securityd
It is even more strange because at the beginning authentication using TACACS worked well (all users were able to authenticate), and after some time this strange behavior appeared. There wasn't any reconfiguration of the Nexus 4k or TACACS, any NX-OS upgrades, etc. A reboot of the switch did not help.
On other platforms (Nexus 5500, IOS routers/switches) it works well without any tricks with capital letters.
Have you already solved this problem?
Yes the issue was solved.
There are some restrictions on usernames for logging in to the N4k switch. I have pasted the restriction below; it is from the Cisco Nexus4001L configuration guide.
I hope it helps.
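A small triage script, added here and not from any poster or from Cisco, that parses the NX-OS syslog lines quoted in this thread and flags the username patterns the replies report as problematic (names starting with a digit, lower-case letters, domain\ prefixes); it also spots names that differ only by case between the ACS log and the switch log. The sample lines are constructed in the thread's format, and the flags are thread observations, not the configuration guide's official restriction list.

```python
import re

# Constructed sample in the format of the NX-OS syslog lines quoted in this thread.
SAMPLE_SYSLOG = """\
2011 Feb 4 03:24:10 XXXXXXXXsw05 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from x.x.x.x - login
2011 Feb 4 03:24:25 XXXXXXXXsw05 %AUTHPRIV-3-SYSTEM_MSG: Unable to create temporary user mahi. Error 0x404a0041 - login
2011 Feb 4 03:24:25 XXXXXXXXsw05 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user mahi from x.x.x.x - login
2011 Feb 4 03:25:15 XXXXXXXXsw05 %DAEMON-3-SYSTEM_MSG: Unable to create temporary user domain\\user.A Error 0x404a000a usermod: user domain\\user.A does not exist - sshd
2011 Feb 4 03:25:16 XXXXXXXXsw05 %DAEMON-3-SYSTEM_MSG: Unable to create temporary user 1stadmin. Error 0x404a0041 - sshd
"""
# Constructed ACS-side line in the format quoted in the original post.
SAMPLE_ACS = "2/22/2011 22:11:25 Authen failed Mahi -Priv15-ReadNAR X>X>X>X> (Default) CS password invalid 0 ABC"

TEMP_USER_RE = re.compile(r"Unable to create temporary user (\S+?)\.?\s+Error (0x[0-9a-fA-F]+)")
AUTH_FAIL_RE = re.compile(r"Authentication failed for user (\S+) from (\S+) - (\w+)")
ACS_FAIL_RE = re.compile(r"Authen failed (\S+) ")

def username_flags(user):
    # Heuristics taken from this thread's reports (not the guide's official list): names
    # starting with a digit, AD-style domain\ prefixes, dots, and lower-case letters.
    checks = {"starts_with_digit": user[:1].isdigit(), "domain_prefix": "\\" in user,
              "contains_dot": "." in user, "has_lowercase": any(c.islower() for c in user)}
    return [name for name, hit in checks.items() if hit]

def _entry(summary, user):
    return summary.setdefault(user, {"errors": [], "flags": username_flags(user), "auth_failures": 0})

def triage(syslog_text):
    """Per-user view of the switch log: local-account error codes, failure count, name flags."""
    summary = {}
    for line in syslog_text.splitlines():
        m = TEMP_USER_RE.search(line)
        if m:  # the local "temporary user" step failed before the password was even checked
            _entry(summary, m.group(1))["errors"].append(m.group(2).lower())
        m = AUTH_FAIL_RE.search(line)
        if m:
            _entry(summary, m.group(1))["auth_failures"] += 1
    return summary

def acs_case_mismatches(summary, acs_text):
    """ACS 'Authen failed' names that differ from a switch-side name only by letter case."""
    switch_names = {u.lower(): u for u in summary}
    found = []
    for line in acs_text.splitlines():
        m = ACS_FAIL_RE.search(line)
        if m and switch_names.get(m.group(1).lower(), m.group(1)) != m.group(1):
            found.append((m.group(1), switch_names[m.group(1).lower()]))
    return found
```

Run `triage` over `show logging` output from the switch and `acs_case_mismatches` over the ACS failed-attempts export; a user with an error code but zero password failures never reached the password check, which points at the local-account step rather than the TACACS key.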
From the configuration pasted:
aaa authentication login default group ACS local
aaa authorization console
aaa authentication login NO_AUTHEN none
This means that the default authentication login uses the ACS group, so there is no need to use "login auth" on the line.
But if he used "login auth NO_AUTHEN" on line con 0, then he can get in via the console line without any authentication.
Another issue via the console with this will be authorization, which by default is via ACS, so there will be the need of:
authorization exec NO_AUTHOR
Could you check the logs from the ACS, even though the 1841's logs are straightforward:
"10.60.12.88/49 failed -- Connection timed out; remote host not responding"