Tacacs authentication not working on Nexus4001L switch

Mohinderrawat
Level 1

Hi All,

I am facing issues with TACACS authentication on a Nexus4001L switch. I have configured AAA and the TACACS server details on the Nexus4001L switch side, but TACACS authentication is not working. The AAA server is configured with the correct details, but for some reason we are not able to authenticate.

Below is the configuration done on the Nexus4001L switch side.


aaa authentication login default group ACS
aaa accounting default group ACS

aaa group server tacacs+ ACS
    server x.x.x.x
    server y.y.y.y
!
tacacs-server key 7 "BBBB"
tacacs-server host x.x.x.x key 7 "BBBB"
tacacs-server host y.y.y.y key 7 "BBBB"

Error logs from 4001l switch
-----------------------------

2011 Feb  4 03:24:10 XXXXXXXXsw05 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from x.x.x.x - login[1417]
2011 Feb  4 03:24:25 XXXXXXXXsw05 %AUTHPRIV-3-SYSTEM_MSG: Unable to create temporary user mahi. Error 0x404a0041  - login[1417]
2011 Feb  4 03:24:25 XXXXXXXXsw05 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user mahi from x.x.x.x - login[1417]
2011 Feb  4 03:24:35 XXXXXXXXsw05 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from x.x.x.x - login[1417]
2011 Feb  4 03:25:15 XXXXXXXXsw05 %DAEMON-3-SYSTEM_MSG: Unable to create temporary user mahi. Error 0x404a0041  - sshd[1463]
2011 Feb  4 03:25:15 XXXXXXXXsw05 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user mahi from z.z.z.z - sshd[1463]
2011 Feb  4 03:25:16 XXXXXXXXsw05 %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user mahi from z.z.z.z -

Error logs from AAA server
---------------------------
2/22/2011 22:11:25 Authen failed Mahi -Priv15-ReadNAR X>X>X>X> (Default) CS password invalid  0      ABC
2/22/2011 22:11:28 Authen failed Mahi -Priv15-ReadNAR X>X>X>X> (Default) CS password invalid  0       ABC
2/22/2011 22:11:44 Authen failed Mahi -Priv15-ReadNAR X>X>X>X> (Default) CS password invalid  0      ABC

Please let me know if you find any clue to this issue.

Regards

Mahi

9 Replies

Prashanth Krishnappa
Cisco Employee

Are you able to log in to other Cisco devices with your credentials? Your switch configuration looks OK to me. I have the following configuration (I use mgmt0 to access the switch and hence specify the VRF) and I can authenticate fine.

N4k-Top# sh run aaa
version 4.1(2)E1(1f)
logging level aaa 5
aaa authentication login default group rtp-dc-sw
aaa authentication login console local
aaa accounting default group rtp-dc-sw


N4k-Top# sh run tacacs+
version 4.1(2)E1(1f)
feature tacacs+

tacacs-server host x.x.x.x key 7 "xxxxxx"
aaa group server tacacs+ rtp-dc-sw
    server x.x.x.x
    use-vrf management
aaa group server tacacs+ tacacs

N4k-Top#

Hi Prkrishnan,

Thanks for the reply.

I am using the same configuration that you are using, but TACACS authentication is not working for these Nexus4001L switches. I also have other Nexus switches, Nexus7010 and Nexus5020; all the other Nexus switches are working fine with TACACS access, and the only issue is with the Nexus4001L switch.

I verified that the Nexus4001L does not support the command mentioned below.

ip tacacs source-interface vlanX

so I think it can support only the management port or an Ethernet port with an IP for TACACS authentication and cannot use a Layer 3 VLAN for TACACS authentication. Please correct me if I am wrong.

Can you also tell me the version of the AAA server you are using? I think that could also be an issue.

Thanks in advance for replying.

Regards

Mahi

Just a quick question: are you using TACACS+ on Cisco ACS for authentication? If so, have you enabled the advanced features and also cisco-avpair?

Hi Mikram,

Thanks for the reply. Can you specify in detail which advanced feature needs to be enabled in Cisco ACS for 4001L authentication to work?

I also want to mention that we have Nexus5020 TACACS authentication working fine with the same ACS server. Does TACACS work differently on the Nexus5020 and the Nexus4001L?

Thanks in advance

Mahi

Hi Mikram,

Can you also confirm the code you are running on the Nexus4001L switches, as well as whether your TACACS ID starts with a number? It seems there is also a bug: if the TACACS ID starts with a number, TACACS authentication will not work on these switches.

Thanks in advance

Mahi

Hi Mahi,

We have encountered a similar problem on a Nexus 4005 with 4.1(2)E1(1f).

In our case users are authenticated by a TACACS server which uses AD domain credentials to authenticate a user (domain users). For some users authentication works well, for the others not; authentication works only if the user types capital letters instead of lowercase letters. With lowercase letters we get the message:

%DAEMON-3-SYSTEM_MSG: Unable to create temporary user domain\user.A Error 0x404a000a usermod: user domain\user.A does not exist  - sshd[23947]

On a switch we also receive syslog messages:

%USER-3-SYSTEM_MSG: user delete failed for domain\user.A:userdel: user domain\user.A does not exist  - securityd

It is even stranger because at the beginning authentication using TACACS worked well (all users were able to authenticate), and after some time this strange behavior appeared. There was no reconfiguration of the Nexus 4k or TACACS, no NX-OS upgrade, etc. Rebooting the switch did not help.

On other platforms (Nexus 5500, IOS routers/switches) it works well without any tricks with capital letters.

Have you already solved this problem?

WK

Hi Wk,

Yes the issue was solved.

There are some restrictions on usernames for logging in to the N4k switch. The restrictions are pasted below; they are from the Cisco Nexus4001L configuration guide.

I hope it helps.

Thanks

Mahi
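
The thread's symptoms split into two kinds of syslog line: pam_aaa reporting that the login was rejected, and the switch reporting that it could not create (or later delete) the temporary local account for a name it received from TACACS+. The following script is an added example, not Cisco code and not from any of the posts: it parses the lines quoted above, groups the events per username, and checks each name against a small policy. The policy constants (leading digit, backslash, allowed character set, 28-character limit) are assumptions drawn from the symptoms reported in the thread, not a transcription of the Nexus4001L configuration guide; the last sample line (user `1mahi`) is constructed to exercise the leading-digit case, and the hint strings are this example's own suggestions.

```python
"""Triage NX-OS TACACS+ login failures from syslog lines (added example, not Cisco code)."""
import re
from collections import Counter, defaultdict

# "%AUTHPRIV-3-SYSTEM_MSG: <text>"; the timestamp/host prefix is optional because
# some posters pasted lines without it.
HEADER_RE = re.compile(
    r"%(?P<facility>[A-Z]+)-(?P<severity>\d)-(?P<mnemonic>[A-Z_]+):\s*(?P<text>.*)$")
# Trailing " - login[1417]" or " - securityd" process tag.
PROC_RE = re.compile(r"\s*-\s*(?P<proc>\w+)(?:\[(?P<pid>\d+)\])?\s*$")

# Event classifiers; group 'user' is the account name as the switch saw it.
EVENT_PATTERNS = [
    ("AUTH_REJECTED",            # pam_aaa reported the login as failed
     re.compile(r"pam_aaa:Authentication failed for user (?P<user>\S+) from (?P<src>\S+)")),
    ("TEMP_USER_CREATE_FAILED",  # switch could not create the temporary local user
     re.compile(r"Unable to create temporary user (?P<user>\S+?)\.? Error (?P<code>0x[0-9a-fA-F]+)")),
    ("ILLEGAL_USER",             # sshd/PAM found no usable local account
     re.compile(r"Authentication failure for illegal user (?P<user>\S+) from (?P<src>\S+)")),
    ("USER_DELETE_FAILED",       # securityd cleanup of a temp user failed
     re.compile(r"user delete failed for (?P<user>\S+):userdel")),
]

# ASSUMED username policy; tune to your platform's documented rules.
USERNAME_MAX_LEN = 28
USERNAME_EXTRA_OK = "._-"   # allowed besides letters and digits


def parse_line(line):
    """Parse one NX-OS syslog line; return a dict, or None if it is not a SYSTEM_MSG line."""
    m = HEADER_RE.search(line)
    if not m:
        return None
    rec = {"facility": m["facility"], "severity": int(m["severity"]),
           "mnemonic": m["mnemonic"], "proc": None, "pid": None, "event": "OTHER", "user": None}
    text = m["text"]
    pm = PROC_RE.search(text)
    if pm:                                   # split off the " - proc[pid]" tag
        rec["proc"], rec["pid"] = pm["proc"], pm["pid"]
        text = text[:pm.start()]
    rec["text"] = text.strip()
    for event, pat in EVENT_PATTERNS:        # first matching classifier wins
        em = pat.search(text)
        if em:
            rec["event"] = event
            rec.update(em.groupdict())       # adds user and src/code
            break
    return rec


def username_issues(name):
    """Return the assumed-policy violations for a username; [] if it looks fine."""
    issues = []
    if name[:1].isdigit():
        issues.append("starts with a digit (reported in this thread to break N4k TACACS+ login)")
    bad = sorted({c for c in name if not (c.isalnum() or c in USERNAME_EXTRA_OK)})
    if "\\" in bad:
        issues.append("contains a backslash (DOMAIN\\user form; temp-user creation failed for it in the thread)")
        bad.remove("\\")
    if bad:
        issues.append("contains characters outside the assumed allowed set: " + "".join(bad))
    if len(name) > USERNAME_MAX_LEN:
        issues.append("longer than %d characters (assumed limit)" % USERNAME_MAX_LEN)
    return issues


def triage(lines):
    """Group events per username and attach policy findings."""
    per_user = defaultdict(lambda: {"events": Counter(), "codes": set()})
    for line in lines:
        rec = parse_line(line.rstrip("\n"))
        if not rec or not rec.get("user"):
            continue
        entry = per_user[rec["user"]]
        entry["events"][rec["event"]] += 1
        if rec.get("code"):
            entry["codes"].add(rec["code"])
    return {u: {"events": dict(e["events"]), "codes": sorted(e["codes"]),
                "issues": username_issues(u)} for u, e in per_user.items()}


def hint(entry):
    """One-line next step for a user (this example's own suggestions)."""
    if entry["issues"]:
        return "fix the account name on the AAA server: " + "; ".join(entry["issues"])
    if "TEMP_USER_CREATE_FAILED" in entry["events"]:
        return "temporary local account could not be created; check the name against the platform's username restrictions"
    return "rejected during authentication; compare with the AAA server's own log (password, shared key, reachability)"


# Constructed sample: the lines quoted in the thread plus one made-up line (1mahi).
SAMPLE_LINES = [
    "2011 Feb  4 03:24:10 XXXXXXXXsw05 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from x.x.x.x - login[1417]",
    "2011 Feb  4 03:24:25 XXXXXXXXsw05 %AUTHPRIV-3-SYSTEM_MSG: Unable to create temporary user mahi. Error 0x404a0041  - login[1417]",
    "2011 Feb  4 03:24:25 XXXXXXXXsw05 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user mahi from x.x.x.x - login[1417]",
    "2011 Feb  4 03:24:35 XXXXXXXXsw05 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user admin from x.x.x.x - login[1417]",
    "2011 Feb  4 03:25:15 XXXXXXXXsw05 %DAEMON-3-SYSTEM_MSG: Unable to create temporary user mahi. Error 0x404a0041  - sshd[1463]",
    "2011 Feb  4 03:25:15 XXXXXXXXsw05 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user mahi from z.z.z.z - sshd[1463]",
    "2011 Feb  4 03:25:16 XXXXXXXXsw05 %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user mahi from z.z.z.z -",
    r"%DAEMON-3-SYSTEM_MSG: Unable to create temporary user domain\user.A Error 0x404a000a usermod: user domain\user.A does not exist  - sshd[23947]",
    r"%USER-3-SYSTEM_MSG: user delete failed for domain\user.A:userdel: user domain\user.A does not exist  - securityd",
    "2011 Feb  4 03:31:02 XXXXXXXXsw05 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user 1mahi from x.x.x.x - login[1521]",  # constructed
]

if __name__ == "__main__":
    for user, entry in triage(SAMPLE_LINES).items():
        print(user, entry["events"], entry["codes"])
        print("   ->", hint(entry))
```

Run it against `show logging` output piped into `triage()` and the per-user view makes the thread's two cases visible at once: `mahi` shows both the temp-account failure and the pam_aaa reject, while `domain\user.A` shows only the create/delete failures, which is what points at the username rather than at the credentials.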

From the configuration pasted :

aaa authentication login default group ACS local

aaa authorization console

aaa authentication login NO_AUTHEN none

This means that the default authentication login uses the ACS group, so there is no need to use "login auth" on the line.

But if he used "login auth NO_AUTHEN" on line con 0, then he can get in via the console line without any authentication.

Another issue via the console with this will be authorization, which by default is via ACS, so there will be the need for:

authorization exec  NO_AUTHOR

Could you check the logs from the ACS, even though the 1841's logs are straightforward:

"10.60.12.88/49 failed -- Connection timed out; remote host not responding"

shakilkhan9389
Level 1
Hi,
I got the same problem. Did you manage to resolve it or clear the error messages?

thanks