01-09-2012 08:04 AM - edited 03-07-2019 04:14 AM
Hello,
I am trying to configure TACACS+ authentication and authorization for NX-OS (Nexus 7010) with Cisco ACS 5.3.
The configuration on the Nexus is the following:
feature tacacs+
!
tacacs-server host 10.16.6.3 key 0 UE9Pp40o
tacacs-server host 10.16.6.4 key 0 UE9Pp40o
!
ip tacacs source-interface vlan 99
!
aaa group server tacacs+ TACACS_SERVER
  server 10.16.6.3
  server 10.16.6.4
!
aaa authentication login default group TACACS_SERVER
aaa authorization commands default group TACACS_SERVER
aaa authorization config-commands default group TACACS_SERVER
aaa authentication login console group TACACS_SERVER
aaa accounting default group TACACS_SERVER
aaa authentication login error-enable
I configured ACS for authorization in this way:
This configuration doesn't work; I get the following message:
Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=17(0x11)
Do you have any idea?
Thank you in advance,
Thibault
01-09-2012 09:32 AM
Hi Thibault,
Use the following attribute for Nexus
Tim
01-10-2012 12:15 AM
Hi Zartar,
With your configuration I have exactly the same error output:
Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=17(0x11)
Thank you in advance,
Thibault
01-15-2012 12:25 AM
Hi everybody,
I created an SR; Cisco opened a Webex session, and at the moment they have not succeeded in getting NX-OS roles to operate with ACS.
However, they added a "command set" with permit all shell commands, and now authorization works.
I will keep you informed.
Thank you,
Thibault
05-07-2012 07:39 AM
Any luck with the command set that Cisco gave you? I am having the same problem you are with my Nexus 7010, and it is driving me nuts what needs to be set on the ACS for this to work.
06-29-2012 02:06 PM
It worked for me. I am using ACS v5.3 and a Nexus running code v5.1.3.