I cannot get the AAA tacacs+ authentication to work on my Nexus 7000. The following is the logging error I get:
2011 Dec 7 01:17:05 MCN-CORE-D-7020 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user ctcrgrf from 172.26.32.200 - sshd[16930]
2011 Dec 7 01:17:05 MCN-CORE-D-7020 %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user ctcrgrf from 172.26.32.200 - sshd[16922]
2011 Dec 7 01:17:08 MCN-CORE-D-7020 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user ctcrgrf from 172.26.32.200 - sshd[16935]
2011 Dec 7 01:17:08 MCN-CORE-D-7020 %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user ctcrgrf from 172.26.32.200 - sshd[16922]
2011 Dec 7 01:17:08 MCN-CORE-D-7020 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user ctcrgrf from 172.26.32.200 - sshd[16936]
2011 Dec 7 01:17:08 MCN-CORE-D-7020 %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user ctcrgrf from 172.26.32.200 - sshd[16922]
2011 Dec 7 01:17:42 MCN-CORE-D-7020 %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by ncbranch on 172.26.22.20@pts/0
2011 Dec 7 01:19:46 MCN-CORE-D-7020 %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by ncbranch on 172.26.22.20@pts/0
2011 Dec 7 01:29:34 MCN-CORE-D-7020 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user ctcrsrackj from 172.26.22.20 - sshd[17316]
2011 Dec 7 01:29:34 MCN-CORE-D-7020 %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user ctcrsrackj from 172.26.22.20 - sshd[17315]
Relevant config:
MCN-CORE-D-7020# show run tacacs+
!Command: show running-config tacacs+
!Time: Wed Dec 7 01:33:42 2011
version 5.1(3)
feature tacacs+
tacacs-server key 7 "XXXXXXX"
ip tacacs source-interface mgmt0
tacacs-server timeout 60
tacacs-server host 172.26.32.200
tacacs-server host 172.25.35.9
aaa group server tacacs+ tacacs+
server 172.26.32.200
server 172.25.35.9
use-vrf management
source-interface mgmt0
All users get this same error when trying to log in. Any other switch works with that username.
Can you add this command to your tacacs config and test again?
aaa authentication login default group tacacs+ tacacs+
HTH
I forgot to mention that I originally had that in there. I put it back, but I get the same response.
MCN-CORE-D-7020# sh run tacacs+ all
!Command: show running-config tacacs+ all
!Time: Wed Dec 7 13:21:47 2011
version 5.1(3)
feature tacacs+
tacacs-server key 7 "XXXXXXXXX"
ip tacacs source-interface mgmt0
tacacs-server test username test password test idle-time 0
tacacs-server timeout 60
tacacs-server deadtime 0
tacacs-server host 172.26.32.200 port 49
tacacs-server host 172.25.35.9 port 49
tacacs-server host 172.26.32.200 test username test password test idle-time 0
tacacs-server host 172.25.35.9 test username test password test idle-time 0
aaa group server tacacs+ tacacs+
server 172.26.32.200
server 172.25.35.9
use-vrf management
source-interface mgmt0
MCN-CORE-D-7020# sh run aaa
!Command: show running-config aaa
!Time: Wed Dec 7 13:21:54 2011
version 5.1(3)
aaa authentication login default group tacacs+ tacacs+
tacacs-server directed-request
Keith
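Independently of the switch, the quickest way to see whether the failure is on the server side is to send the same PAP login the Nexus would send and look at the status byte in the reply. The script below is an added example written for this thread, not code from the original posts, from Cisco or from the TacPlus project: it builds an RFC 8907 authentication START packet, applies the MD5 pseudo-pad obfuscation with the shared key, and decodes the REPLY. The server address is the first one from the config above; the key, username, password, port name and rem_addr are placeholders, and build_authen_reply exists only so the packet path can be exercised offline without a server.

```python
import hashlib
import os
import socket
import struct

# TACACS+ constants (RFC 8907). The key, user and password used further down
# are assumed placeholders, not values from the thread: replace them with your own.
TAC_PLUS_AUTHEN = 0x01            # header type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body is NOT obfuscated
TAC_PLUS_AUTHEN_LOGIN = 0x01      # START action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02   # START authen_type
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01  # START authen_service
VERSION_PAP = 0xC1                # major 0xC, minor 1 (PAP requires minor version 1)
REPLY_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                5: "GETPASS", 6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream of RFC 8907 s.4.5: MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; symmetric, so the same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_header(version, ptype, seq_no, session_id, body_len, flags=0):
    """12-byte TACACS+ header, all fields big-endian."""
    return struct.pack("!BBBBII", version, ptype, seq_no, flags, session_id, body_len)


def build_authen_start_pap(session_id, key, user, password, port="tty0", rem_addr="0.0.0.0"):
    """Authentication START (seq_no 1) carrying user and password as PAP."""
    fields = [s.encode() for s in (user, port, rem_addr, password)]
    body = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_PAP,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, *(len(f) for f in fields))
    body += b"".join(fields)
    return (build_header(VERSION_PAP, TAC_PLUS_AUTHEN, 1, session_id, len(body))
            + obfuscate(body, session_id, key, VERSION_PAP, 1))


def build_authen_reply(session_id, key, seq_no, status, server_msg="", data=b"", flags=0):
    """Authentication REPLY as a server would send it; used here to simulate a server offline."""
    msg = server_msg.encode()
    body = struct.pack("!BBHH", status, 0, len(msg), len(data)) + msg + data
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, VERSION_PAP, seq_no)
    return build_header(VERSION_PAP, TAC_PLUS_AUTHEN, seq_no, session_id, len(body), flags) + body


def parse_authen_reply(packet, key):
    """Return (status_name, server_msg). A wrong key yields garbage, i.e. an UNKNOWN status."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if ptype != TAC_PLUS_AUTHEN or len(body) != length:
        raise ValueError("not a complete TACACS+ authentication packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    status, _rflags, msg_len, _data_len = struct.unpack("!BBHH", body[:6])
    server_msg = body[6:6 + msg_len].decode("utf-8", errors="replace")
    return REPLY_STATUS.get(status, "UNKNOWN(0x%02x)" % status), server_msg


def recv_exact(sock, n):
    """Read exactly n bytes; a premature close is how many servers react to a key mismatch."""
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection (often a key mismatch)")
        buf += chunk
    return buf


def authenticate_pap(server, key, user, password, port=49, timeout=5.0):
    """One PAP login round trip against a live server on TCP/49 (needs network access)."""
    session_id = int.from_bytes(os.urandom(4), "big")
    with socket.create_connection((server, port), timeout=timeout) as sock:
        sock.sendall(build_authen_start_pap(session_id, key, user, password))
        header = recv_exact(sock, 12)
        body_len = struct.unpack("!I", header[8:12])[0]
        return parse_authen_reply(header + recv_exact(sock, body_len), key)


if __name__ == "__main__":
    # Assumed placeholders: the server is the first host from the config above,
    # the key and credentials must be replaced before running.
    print(authenticate_pap("172.26.32.200", b"CHANGE-ME", "ctcrgrf", "CHANGE-ME"))
```

Run it from a host that can reach the server on TCP/49 over the management network. Three outcomes are worth distinguishing: a FAIL with a server message means the server reached its user database and rejected the credentials; an UNKNOWN status or a connection closed right after the START points at a shared-key mismatch, because the reply body cannot be de-obfuscated; a timeout means the server never answered at all. Two caveats: PAP carries the password protected only by the MD5 keystream, so keep this on the management network, and because this test does not come from the switch's mgmt0 address it cannot tell you whether the server has the Nexus registered as a client under that address.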
Hi All,
I've the same logging errors on my N7K. Have you found the problem, and can you tell me a solution?
Many thanks!!!!
br
Jens
No, I have a TAC case open on it. So far it seems it's a problem with the freeware (TacPlus) software my company is using to do AAA.
Keith