Beginner

TACACS+ Not Working on cisco Nexus9000

Hi all,

I have added a Nexus9000 switch to my network and configured it with TACACS+. It does not seem to talk to the TACACS+ ACS server, but this switch only lets me log in with local credentials.

"No authoritative response from any server."

My config on the Nexus9000 switch is:

feature tacacs+
tacacs-server key 7 "!j73jri97"
ip tacacs source-interface Vlan239
tacacs-server host 172.16.107.2
tacacs-server host 172.28.107.2
aaa group server tacacs+ tacacs+
aaa authentication login default group tacacs+ local
aaa authorization config-commands default group tacacs+ local
aaa authorization commands default group tacacs+ local
aaa accounting default group tacacs+
tacacs-server directed-request

5 Replies
Frequent Contributor

Re: TACACS+ Not Working on cisco Nexus9000

Are you running VRFs? Have you declared this under the following section:

aaa group server tacacs+ tacacs+

e.g.

aaa group server tacacs+ tacacs+
  server x.x.x.x
  use-vrf VRF_NAME
  source-interface vlan239

Can you ping the TACACS+ server sourcing from the interface vlan239?

Hall of Fame Master

Re: TACACS+ Not Working on cisco Nexus9000

What is the output of show tacacs on the 9000? Do you have IP connectivity to the two IP addresses for the servers from packets sourced from vlan 239? Is there anything in the logs of the server that shows that it is receiving tacacs requests from the 9000?

HTH

Rick

Beginner

Re: TACACS+ Not Working on cisco Nexus9000

Hi Rick,

Here below the 9000 switch logs:

CHN-VSNLDC-NEXSW01# 2018 May 29 10:53:52.228345 aaa: mts_aaa_req_process
2018 May 29 10:53:52.228372 aaa: aaa_req_process for authorization. session no 0
2018 May 29 10:53:52.228400 aaa: aaa_req_process: General AAA request from appln: all_cmds appln_subtype: default
2018 May 29 10:53:52.228417 aaa: try_next_aaa_method
2018 May 29 10:53:52.228442 aaa: total methods configured is 2, current index to be tried is 0
2018 May 29 10:53:52.228458 aaa: handle_req_using_method
2018 May 29 10:53:52.228472 aaa: AAA_METHOD_SERVER_GROUP
2018 May 29 10:53:52.228483 aaa: aaa_sg_method_handler group = tacacs+
2018 May 29 10:53:52.228497 aaa: Using sg_protocol which is passed to this function
2018 May 29 10:53:52.228514 aaa: Sending request to TACACS service
2018 May 29 10:53:52.228567 aaa: Configured method group Succeeded
2018 May 29 10:53:52 CHN-VSNLDC-NEXSW01 last message repeated 4 times

2018 May 29 10:53:52.302713 aaa: prot_daemon_reponse_handler
2018 May 29 10:53:52.302732 aaa: is_aaa_resp_status_success status = 17
2018 May 29 10:53:52.302741 aaa: is_aaa_resp_status_success is FALSE
2018 May 29 10:53:52.302754 aaa: try_next_aaa_method
2018 May 29 10:53:52.302776 aaa: total methods configured is 2, current index to be tried is 1
2018 May 29 10:53:52.302787 aaa: handle_req_using_method
2018 May 29 10:53:52.302794 aaa: local_method_handler
2018 May 29 10:53:52.302807 aaa: try_next_aaa_method
2018 May 29 10:53:52.302821 aaa: total methods configured is 2, current index to be tried is 2
2018 May 29 10:53:52.302834 aaa: try_fallback_method
2018 May 29 10:53:52.302840 aaa: handle_req_using_method
2018 May 29 10:53:52.302864 aaa: aaa_send_client_response for authorization. session->flags=431. aaa_resp->flags=0.
2018 May 29 10:53:52.302874 aaa: AAA_REQ_FLAG_NORMAL
2018 May 29 10:53:52.302901 aaa: mts_send_response Successful
2018 May 29 10:53:52.302918 aaa: AAA_REQ_FLAG_LOCAL_RESP
2018 May 29 10:53:52.302926 aaa: aaa_cleanup_session
2018 May 29 10:53:52.302932 aaa: mts_drop of request msg
2018 May 29 10:53:52.302941 aaa: aaa_req should be freed.
2018 May 29 10:53:52.302949 aaa: Fall back method none succeeded
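The debug output above is easier to reason about when it is reduced to "which method was tried, what did the server answer, and who finally resolved the request". The following Python script is an added example (not posted in this thread and not a Cisco tool): it parses NX-OS aaa debug lines in the format shown above, groups them into requests, records the methods tried in order, captures the raw status from the server-group response, and flags any request where the configured server group did not succeed and the request was then resolved by the local or fallback method. The sample input is a trimmed copy of the lines from this post; the meaning of status code 17 is not interpreted, only reported, and the line patterns matched are assumed from this post alone.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Sample input: NX-OS aaa debug lines copied from the post above, trimmed to the
# ones the parser uses. The prompt prefix on the first line and the
# "last message repeated" line are kept to show they are tolerated.
SAMPLE_LOG = """\
CHN-VSNLDC-NEXSW01# 2018 May 29 10:53:52.228345 aaa: mts_aaa_req_process
2018 May 29 10:53:52.228372 aaa: aaa_req_process for authorization. session no 0
2018 May 29 10:53:52.228442 aaa: total methods configured is 2, current index to be tried is 0
2018 May 29 10:53:52.228472 aaa: AAA_METHOD_SERVER_GROUP
2018 May 29 10:53:52.228483 aaa: aaa_sg_method_handler group = tacacs+
2018 May 29 10:53:52.228514 aaa: Sending request to TACACS service
2018 May 29 10:53:52 CHN-VSNLDC-NEXSW01 last message repeated 4 times
2018 May 29 10:53:52.302713 aaa: prot_daemon_reponse_handler
2018 May 29 10:53:52.302732 aaa: is_aaa_resp_status_success status = 17
2018 May 29 10:53:52.302741 aaa: is_aaa_resp_status_success is FALSE
2018 May 29 10:53:52.302776 aaa: total methods configured is 2, current index to be tried is 1
2018 May 29 10:53:52.302794 aaa: local_method_handler
2018 May 29 10:53:52.302821 aaa: total methods configured is 2, current index to be tried is 2
2018 May 29 10:53:52.302834 aaa: try_fallback_method
2018 May 29 10:53:52.302918 aaa: AAA_REQ_FLAG_LOCAL_RESP
2018 May 29 10:53:52.302949 aaa: Fall back method none succeeded
"""

# Timestamp with microseconds, then "aaa:", then the message. Searched (not
# anchored) so a leading CLI prompt on the line does not break the match.
LINE_RE = re.compile(
    r"(?P<ts>\d{4} \w{3} \d{1,2} \d\d:\d\d:\d\d\.\d+) aaa: (?P<msg>.*)$"
)


@dataclass
class AaaRequest:
    kind: str                          # authentication / authorization / accounting
    session: str
    first_ts: str
    methods: List[str] = field(default_factory=list)  # handlers in the order tried
    server_status: Optional[int] = None   # raw status from the server-group response
    server_success: Optional[bool] = None  # result of is_aaa_resp_status_success
    answered_locally: bool = False        # AAA_REQ_FLAG_LOCAL_RESP was seen
    last_msg: str = ""


def parse_aaa_debug(text: str) -> List[AaaRequest]:
    """Group 'aaa:' debug lines into requests and record how each was resolved."""
    requests: List[AaaRequest] = []
    cur: Optional[AaaRequest] = None
    for raw in text.splitlines():
        m = LINE_RE.search(raw)
        if not m:
            continue  # prompt-only lines, "last message repeated", blanks
        ts, msg = m.group("ts"), m.group("msg").strip()
        start = re.match(r"aaa_req_process for (\w+)\. session no (\d+)", msg)
        if start:
            cur = AaaRequest(kind=start.group(1), session=start.group(2), first_ts=ts)
            requests.append(cur)
            continue
        if cur is None:
            continue  # lines before the first request header
        cur.last_msg = msg
        group = re.match(r"aaa_sg_method_handler group = (\S+)", msg)
        status = re.match(r"is_aaa_resp_status_success status = (\d+)", msg)
        if group:
            cur.methods.append("group " + group.group(1))
        elif msg == "local_method_handler":
            cur.methods.append("local")
        elif msg == "try_fallback_method":
            cur.methods.append("fallback")
        elif status:
            cur.server_status = int(status.group(1))
        elif msg.startswith("is_aaa_resp_status_success is "):
            cur.server_success = msg.endswith("TRUE")
        elif msg == "AAA_REQ_FLAG_LOCAL_RESP":
            cur.answered_locally = True
    return requests


def findings(requests: List[AaaRequest]) -> List[str]:
    """One line per request where the server group did not succeed and the
    request fell through to a later method (local or fallback)."""
    out = []
    for r in requests:
        tried_group = any(m.startswith("group ") for m in r.methods)
        fell_through = any(m in ("local", "fallback") for m in r.methods)
        if tried_group and r.server_success is False and fell_through:
            out.append(
                f"session {r.session}: {r.kind} request to {r.methods[0]} returned "
                f"status {r.server_status} (not success); resolved by "
                f"{' -> '.join(r.methods[1:])}, local response={r.answered_locally}"
            )
    return out


if __name__ == "__main__":
    for line in findings(parse_aaa_debug(SAMPLE_LOG)):
        print(line)
```

Run against the sample it reports one finding for session 0: the authorization request went to group tacacs+, came back with status 17 (not success), and was resolved by local and then the fallback method. That is the same conclusion Rick draws below from reading the raw lines, and it is the condition worth alerting on from a syslog collector, since a device quietly resolving requests locally means either the AAA servers are unreachable or the shared secret or server configuration is wrong.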

Hall of Fame Master

Re: TACACS+ Not Working on cisco Nexus9000

Thanks for the outputs. The output from Nexus does confirm that it sent a request to the server and received a response. The log from the server shows that it received a request and considered it invalid. I do not have insight into what causes the request to be invalid and am not sure what is indicated about possible mismatched share. I am not sure whether the issue is in the setup of Nexus or in setup of server. But clearly something in the setup is not right.

HTH

Rick

Beginner

Re: TACACS+ Not Working on cisco Nexus9000

Hello,

I've had a similar issue when I've used a ! in a RADIUS password. Might be as simple as that... else, like you say, changing the passwords out might also help.

Thanks