Nexus 5010 unable to authenticate using tacacs+

tf2-conky
Level 1

I'm having some problems trying to get TACACS+ authentication/authorization working with my Nexus 5010, version 4.1(3)N2(1).

Would someone mind sanity-checking my config? I've included the logs from the Nexus and the logs from the TACACS+ server. The TACACS+ server is working fine and authenticates other Cisco IOS-based devices.

## sw02-5k

aaa authentication login default group test-tac
aaa authorization config-commands default group test-tac local
aaa authorization commands default group test-tac local
aaa accounting default group test-tac
aaa authentication login error-enable


aaa group server tacacs+ test-tac
    server 192.168.20.2
    use-vrf management

tacacs-server host 192.168.20.2 key 7 "***********"

interface mgmt0
  vrf member management
  ip address 192.168.20.201/24

vrf context management
  ip route 0.0.0.0/0 192.168.20.254

sw02-5k#sh log

2010 Jul 15 05:44:00 sw02-5k %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user test01 from 192.168.20.1 - login[18226]


sw02-5k# ping 192.168.20.2 vrf management
PING 192.168.20.2 (192.168.20.2): 56 data bytes
64 bytes from 192.168.20.2: icmp_seq=0 ttl=63 time=21.983 ms
64 bytes from 192.168.20.2: icmp_seq=1 ttl=63 time=2.926 ms
64 bytes from 192.168.20.2: icmp_seq=2 ttl=63 time=2.793 ms
64 bytes from 192.168.20.2: icmp_seq=3 ttl=63 time=3.109 ms
64 bytes from 192.168.20.2: icmp_seq=4 ttl=63 time=3.127 ms

--- 192.168.20.2 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 2.793/6.787/21.983 ms

anon@blah:~#tail -f /var/log/tac-plus.log

Thu Jul 15 17:42:28 2010 [19797]: cfg_get_phvalue: returns NULL
Thu Jul 15 17:42:28 2010 [19797]: cfg_get_value: name=test01 isuser=1 attr=pap rec=1
Thu Jul 15 17:42:28 2010 [19797]: cfg_get_pvalue: returns NULL
Thu Jul 15 17:42:28 2010 [19797]: cfg_get_value: name=test01 isuser=1 attr=global rec=1
Thu Jul 15 17:42:28 2010 [19797]: cfg_get_pvalue: returns NULL
Thu Jul 15 17:42:28 2010 [19797]: pap-login query for 'test01' 3015 from 192.168.20.201 rejected
Thu Jul 15 17:42:28 2010 [19797]: login failure: test01 192.168.20.201 (192.168.20.201) 3015
Thu Jul 15 17:42:28 2010 [19797]: cfg_get_hvalue: name=192.168.20.201 attr=key
Thu Jul 15 17:42:28 2010 [19797]: cfg_get_hvalue: no host named 192.168.20.201
Thu Jul 15 17:42:28 2010 [19797]: cfg_get_phvalue: returns NULL
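The tac_plus debug log above is terse, but it records three things per daemon process: which user attributes it looked up and whether they came back NULL, the verdict of the authentication query (and the method, here `pap-login`), and whether it found a host entry for the NAS when it went looking for a per-host key. The following parser is an added example, not code from the post or from the tac_plus project; it correlates those lines by PID and turns them into a one-line summary a defender can eyeball or alert on. The sample input is constructed: it reuses the log lines quoted in the question and adds one invented accepted attempt from a second NAS so the grouping is visible.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the lines from the post above, plus one invented
# accepted pap-login (PID 19810, NAS 192.168.20.10) to show separation by PID.
SAMPLE_LOG = """\
Thu Jul 15 17:42:28 2010 [19797]: cfg_get_phvalue: returns NULL
Thu Jul 15 17:42:28 2010 [19797]: cfg_get_value: name=test01 isuser=1 attr=pap rec=1
Thu Jul 15 17:42:28 2010 [19797]: cfg_get_pvalue: returns NULL
Thu Jul 15 17:42:28 2010 [19797]: cfg_get_value: name=test01 isuser=1 attr=global rec=1
Thu Jul 15 17:42:28 2010 [19797]: cfg_get_pvalue: returns NULL
Thu Jul 15 17:42:28 2010 [19797]: pap-login query for 'test01' 3015 from 192.168.20.201 rejected
Thu Jul 15 17:42:28 2010 [19797]: login failure: test01 192.168.20.201 (192.168.20.201) 3015
Thu Jul 15 17:42:28 2010 [19797]: cfg_get_hvalue: name=192.168.20.201 attr=key
Thu Jul 15 17:42:28 2010 [19797]: cfg_get_hvalue: no host named 192.168.20.201
Thu Jul 15 17:42:28 2010 [19797]: cfg_get_phvalue: returns NULL
Thu Jul 15 17:50:01 2010 [19810]: pap-login query for 'test01' 3016 from 192.168.20.10 accepted
"""

# Every tac_plus log line carries a timestamp and the handling process's PID.
LINE_RE = re.compile(r"^(?P<ts>\w{3} \w{3} +\d+ [\d:]+ \d{4}) \[(?P<pid>\d+)\]: (?P<msg>.*)$")
# Attribute lookup against a user (isuser=1) or group (isuser=0) record.
LOOKUP_RE = re.compile(r"^cfg_get_value: name=(?P<name>\S+) isuser=(?P<isuser>[01]) attr=(?P<attr>\w+)")
# Verdict line: "<method> query for '<user>' <port> from <nas> accepted|rejected".
QUERY_RE = re.compile(r"^(?P<method>\S+) query for '(?P<user>[^']+)' (?P<port>\S+) from (?P<nas>\S+) (?P<verdict>accepted|rejected)")
# Emitted when the daemon has no "host = <nas> { ... }" stanza for the client.
NOHOST_RE = re.compile(r"^cfg_get_hvalue: no host named (?P<nas>\S+)")


@dataclass
class AuthAttempt:
    pid: str
    user: Optional[str] = None
    method: Optional[str] = None
    nas: Optional[str] = None
    verdict: Optional[str] = None
    missing_user_attrs: List[str] = field(default_factory=list)  # e.g. ["pap", "global"]
    host_entry_missing: bool = False


def analyze(log_text: str) -> List[AuthAttempt]:
    """Group tac_plus debug lines by PID and extract one AuthAttempt per process."""
    attempts: Dict[str, AuthAttempt] = {}
    pending: Dict[str, str] = {}  # pid -> user attribute whose cfg_get_pvalue result is next
    for raw in log_text.splitlines():
        m = LINE_RE.match(raw.strip())
        if not m:
            continue  # not a tac_plus log line; ignore
        pid, msg = m.group("pid"), m.group("msg")
        att = attempts.setdefault(pid, AuthAttempt(pid=pid))

        lk = LOOKUP_RE.match(msg)
        if lk:
            if lk.group("isuser") == "1":
                pending[pid] = lk.group("attr")
                att.user = att.user or lk.group("name")
            continue
        if msg.startswith("cfg_get_pvalue:"):
            # The result line for the most recent user-attribute lookup.
            attr = pending.pop(pid, None)
            if attr and msg.endswith("returns NULL"):
                att.missing_user_attrs.append(attr)
            continue
        q = QUERY_RE.match(msg)
        if q:
            att.method, att.user = q.group("method"), q.group("user")
            att.nas, att.verdict = q.group("nas"), q.group("verdict")
            continue
        nh = NOHOST_RE.match(msg)
        if nh:
            att.host_entry_missing = True
            att.nas = att.nas or nh.group("nas")
    # Keep only PIDs that actually produced an authentication-relevant line.
    return [a for a in attempts.values() if a.verdict or a.missing_user_attrs or a.host_entry_missing]


def explain(a: AuthAttempt) -> str:
    """Render one attempt as a single diagnostic line."""
    parts = [f"[{a.pid}] {a.method or 'login'} for user {a.user!r} from NAS {a.nas} was {a.verdict or 'not concluded'}"]
    if a.missing_user_attrs:
        parts.append("user record has no " + "/".join(a.missing_user_attrs) + " password attribute")
    if a.host_entry_missing:
        parts.append(f"daemon has no host entry for {a.nas} (per-host key lookup failed)")
    return "; ".join(parts)


if __name__ == "__main__":
    for attempt in analyze(SAMPLE_LOG):
        print(explain(attempt))
```

Run against the quoted lines, the rejected attempt summarises as a PAP login for `test01` with no `pap` or `global` password attribute on the user record and no host entry for 192.168.20.201, which is exactly the pair of facts worth checking in tac_plus.conf before touching the switch side; the reachability test in the post already rules out the management VRF route.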

1 Reply

Richard Burts
Hall of Fame

I do not have much experience with Nexus, but assuming that it is similar to other IOS I will give it a shot.

Your config looks ok to me.

I do notice that your config says that the authentication server is at 192.168.20.2 but that is not the address mentioned in the log error message - Authentication failed for user test01 from 192.168.20.1

Is there a debug for aaa authentication in Nexus similar to what is available in IOS? If so it might be worth running the debug and trying again to login.

HTH

Rick