Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1259
Views
0
Helpful
5
Replies

TACACS+ Not Working on cisco Nexus9000

Abdul Farooq
Level 1
Level 1

‎05-29-2018 02:26 AM - edited ‎03-08-2019 03:09 PM

Hi all,

 

TACACS+ Not Working on Cisco Nexus9000

 

 have added a Nexus9000 switch to my network and configured with tacacs. It does not seems to talk to the tacacs ACS server. but this switch only lets me login with local credentials.
No authoritative response from any server."

 

My config on the Nexus9000 switch is:

 

feature tacacs+

tacacs-server key 7 "!j73jri97"
ip tacacs source-interface Vlan239
tacacs-server host 172.16.107.2
tacacs-server host 172.28.107.2
aaa group server tacacs+ tacacs+

aaa authentication login default group tacacs+ local
aaa authorization config-commands default group tacacs+ local
aaa authorization commands default group tacacs+ local
aaa accounting default group tacacs+
tacacs-server directed-request

 

 

 

 

Labels:
0 Helpful
5 Replies 5

GRANT3779
Spotlight
Spotlight

‎05-29-2018 02:53 AM

Are you running VRFs? Have you declared this under the following section -

 

 

aaa group server tacacs+ tacacs+

 

e.g

 

aaa group server tacacs+ tacacs+
server x.x.x.x
use-vrf VRF_NAME
source-interface vlan239

 

Can you ping the TACACs server sourcing from the interface vlan239?

0 Helpful

Richard Burts
Hall of Fame
Hall of Fame

‎05-29-2018 10:41 AM

What is the output of show tacacs on the 9000? Do you have IP connectivity to the two IP addresses for the servers from packets sourced from vlan 239? Is there anything in the logs of the server that show that it is receiving tacacs requests from the 9000?

 

HTH

 

Rick

HTH

Rick
0 Helpful

Abdul Farooq
Level 1
Level 1
In response to Richard Burts

‎05-31-2018 12:19 AM

Hi Rick,

 

Here below the 9000 switch logs

 

CHN-VSNLDC-NEXSW01# 2018 May 29 10:53:52.228345 aaa: mts_aaa_req_process

2018 May 29 10:53:52.228372 aaa: aaa_req_process for authorization. session no 0

2018 May 29 10:53:52.228400 aaa: aaa_req_process: General AAA request from appln: all_cmds appln_subtype: default

2018 May 29 10:53:52.228417 aaa: try_next_aaa_method

2018 May 29 10:53:52.228442 aaa: total methods configured is 2, current index to be tried is 0

2018 May 29 10:53:52.228458 aaa: handle_req_using_method

2018 May 29 10:53:52.228472 aaa: AAA_METHOD_SERVER_GROUP

2018 May 29 10:53:52.228483 aaa: aaa_sg_method_handler group = tacacs+

2018 May 29 10:53:52.228497 aaa: Using sg_protocol which is passed to this function

2018 May 29 10:53:52.228514 aaa: Sending request to TACACS service

2018 May 29 10:53:52.228567 aaa: Configured method group Succeeded

2018 May 29 10:53:52 CHN-VSNLDC-NEXSW01 last message repeated 4 times

 

2018 May 29 10:53:52.302713 aaa: prot_daemon_reponse_handler

2018 May 29 10:53:52.302732 aaa: is_aaa_resp_status_success status = 17

2018 May 29 10:53:52.302741 aaa: is_aaa_resp_status_success is FALSE

2018 May 29 10:53:52.302754 aaa: try_next_aaa_method

2018 May 29 10:53:52.302776 aaa: total methods configured is 2, current index to be tried is 1

2018 May 29 10:53:52.302787 aaa: handle_req_using_method

2018 May 29 10:53:52.302794 aaa: local_method_handler

2018 May 29 10:53:52.302807 aaa: try_next_aaa_method

2018 May 29 10:53:52.302821 aaa: total methods configured is 2, current index to be tried is 2

2018 May 29 10:53:52.302834 aaa: try_fallback_method

2018 May 29 10:53:52.302840 aaa: handle_req_using_method

2018 May 29 10:53:52.302864 aaa: aaa_send_client_response for authorization. session->flags=431. aaa_resp->flags=0.

2018 May 29 10:53:52.302874 aaa: AAA_REQ_FLAG_NORMAL 

2018 May 29 10:53:52.302901 aaa: mts_send_response Successful

2018 May 29 10:53:52.302918 aaa: AAA_REQ_FLAG_LOCAL_RESP 

2018 May 29 10:53:52.302926 aaa: aaa_cleanup_session

2018 May 29 10:53:52.302932 aaa: mts_drop of request msg

2018 May 29 10:53:52.302941 aaa: aaa_req should be freed. 

2018 May 29 10:53:52.302949 aaa: Fall back method none succeeded

Preview file
18 KB
Preview file
24 KB
0 Helpful

Richard Burts
Hall of Fame
Hall of Fame
In response to Abdul Farooq

‎05-31-2018 06:53 AM

Thanks for the outputs. The output from Nexus does confirm that it sent a request to the server and received a response. The log from the server shows that it received a request and considered it invalid. I do not have insight into what causes the request to be invalid and am not sure what is indicated about possible mismatched share. I am not sure whether the issue is in the setup of Nexus or in setup of server. But clearly something in the setup is not right.

 

HTH

 

Rick

HTH

Rick
0 Helpful

Tubster123
Level 1
Level 1
In response to Richard Burts

‎05-31-2018 11:19 AM

Hello,

 

I've had a similar issue when i've used a ! in a radius password.  Might be as simple as that....else like you say, changing the passwords out might also help.

 

Thanks

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card