cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
21127
Views
30
Helpful
8
Replies

Nexus 7010 & Tacacs+ (can not do any commands after configured)

AubreyBurt
Level 1
Level 1

I currently use local accounts with this format:

username test password testpwd role network-admin

and this puts you straight into 'enable' mode

I am trying to get this to work with tacacs and having a few problems. I am able to get the authentication to work like a champ, but onece logged in I cannot do any commands. In my other equipment I do not use command autorization so I did not on this at tfirst, it did not work so I tries using it and still didnt work, just got a different error. Here is what I put in:

tacacs-server key XXXXX

tacacs-server host 1.1.1.1

tacacs-server host 2.2.2.2

aaa group server tacacs+ acsgroup

server 1.1.1.1

server 2.2.2.2

source-interface vlan2

!

aaa authentication login default group acsgroup

aaa authentication login console group acsgroup

aaa authorization commands default group acsgroup

aaa accounting default group acsgroup

aaa authentication login error-enable

With this config I get the following error.

HOU-14MDF-NEXUS-CORE02# sh run

Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=16(0x10)

When I remove the "aaa authorization command......." I get this:

HOU-14MDF-NEXUS-CORE02# sh run

% Permission denied

Any help will be greatly appreciated.

Thanks,

Aubrey Burt

8 Replies 8

andrew.prince
Level 10
Level 10

have you read the below urls

http://www.cisco.com/en/US/docs/switches/datacenter/sw/5_x/nx-os/security/configuration/guide/Cisco_Nexus_7000_NX-OS_Security_Configuration_Guide__Release_5.x_chapter6.html#con_1473592

http://docwiki.cisco.com/wiki/Cisco_NX-OS/IOS_TACACS+,_RADIUS,_and_AAA_Comparison

Sent from Cisco Technical Support iPad App

yeah I later found the command:

aaa authorization config-commands default group AAA-Servers

but was unsure if it would make the difference I was needing and I did not find it untill after I had already removed the config.

can you connect to console and then  remove this command?

Hi Andrew,

would you be able tell me what's the

AAA_AUTHOR_STATUS_METHOD=17(0x11) means below is the correct error log

Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=17(0x11)

I am after the meaning of the =17(0x11)

if you could shed some light on this that will be great, unfortunately I was not able to find anything on the Internet nor on the Cisco web

thanks a lot

Lancellot

would you be able tell me what's the

AAA_AUTHOR_STATUS_METHOD=17(0x11) means below is the correct error log

 

Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=17(0x11)

 

I am after the meaning of the =17(0x11)

do you have some mehtod to slove this problem

Michael Zink
Level 1
Level 1

We have the same problem, but we use RSA Radius.

RSA had us create a profile and then associate a user account to that profile.  In that profile there is a Attribute drop-down menu, and we were told to use Class [M].  The trouble is RSA could not tell us what the Value should be.  We have been trying variations on shell:roles="\"network-admin vdc-admin\"", all to no avail.

We can get logged in against the account we have created in RSA, but we lack privileges to do things like save changes to memory.

When we do a sh user-account we never get more than network-operator.

We finally found what we were looking for:

The following works as attributes to be sent from  RSA:

Under the profile, in the drop down list, select Cisco-AVPair and use the following  string

shell:roles=”network-admin vdc-admin”

I seem to be having the same issue. I don't see Cisco-AVPair in the drop down list. Is this something that RSA has to configure for me, or can I create that attribute myself?

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: