05-29-2018 02:26 AM - edited 03-08-2019 03:09 PM
Hi all,
TACACS+ Not Working on Cisco Nexus9000
I have added a Nexus9000 switch to my network and configured it with TACACS. It does not seem to talk to the TACACS ACS server, but this switch only lets me log in with local credentials.
"No authoritative response from any server."
My config on the Nexus9000 switch is:
feature tacacs+
tacacs-server key 7 "!j73jri97"
ip tacacs source-interface Vlan239
tacacs-server host 172.16.107.2
tacacs-server host 172.28.107.2
aaa group server tacacs+ tacacs+
aaa authentication login default group tacacs+ local
aaa authorization config-commands default group tacacs+ local
aaa authorization commands default group tacacs+ local
aaa accounting default group tacacs+
tacacs-server directed-request
05-29-2018 02:53 AM
Are you running VRFs? Have you declared this under the following section -
aaa group server tacacs+ tacacs+
e.g.
aaa group server tacacs+ tacacs+
server x.x.x.x
use-vrf VRF_NAME
source-interface vlan239
Can you ping the TACACS server sourcing from the interface vlan239?
05-29-2018 10:41 AM
What is the output of show tacacs on the 9000? Do you have IP connectivity to the two IP addresses for the servers from packets sourced from vlan 239? Is there anything in the logs of the server that show that it is receiving tacacs requests from the 9000?
HTH
Rick
05-31-2018 12:19 AM
Hi Rick,
Here below are the 9000 switch logs:
CHN-VSNLDC-NEXSW01# 2018 May 29 10:53:52.228345 aaa: mts_aaa_req_process
2018 May 29 10:53:52.228372 aaa: aaa_req_process for authorization. session no 0
2018 May 29 10:53:52.228400 aaa: aaa_req_process: General AAA request from appln: all_cmds appln_subtype: default
2018 May 29 10:53:52.228417 aaa: try_next_aaa_method
2018 May 29 10:53:52.228442 aaa: total methods configured is 2, current index to be tried is 0
2018 May 29 10:53:52.228458 aaa: handle_req_using_method
2018 May 29 10:53:52.228472 aaa: AAA_METHOD_SERVER_GROUP
2018 May 29 10:53:52.228483 aaa: aaa_sg_method_handler group = tacacs+
2018 May 29 10:53:52.228497 aaa: Using sg_protocol which is passed to this function
2018 May 29 10:53:52.228514 aaa: Sending request to TACACS service
2018 May 29 10:53:52.228567 aaa: Configured method group Succeeded
2018 May 29 10:53:52 CHN-VSNLDC-NEXSW01 last message repeated 4 times
2018 May 29 10:53:52.302713 aaa: prot_daemon_reponse_handler
2018 May 29 10:53:52.302732 aaa: is_aaa_resp_status_success status = 17
2018 May 29 10:53:52.302741 aaa: is_aaa_resp_status_success is FALSE
2018 May 29 10:53:52.302754 aaa: try_next_aaa_method
2018 May 29 10:53:52.302776 aaa: total methods configured is 2, current index to be tried is 1
2018 May 29 10:53:52.302787 aaa: handle_req_using_method
2018 May 29 10:53:52.302794 aaa: local_method_handler
2018 May 29 10:53:52.302807 aaa: try_next_aaa_method
2018 May 29 10:53:52.302821 aaa: total methods configured is 2, current index to be tried is 2
2018 May 29 10:53:52.302834 aaa: try_fallback_method
2018 May 29 10:53:52.302840 aaa: handle_req_using_method
2018 May 29 10:53:52.302864 aaa: aaa_send_client_response for authorization. session->flags=431. aaa_resp->flags=0.
2018 May 29 10:53:52.302874 aaa: AAA_REQ_FLAG_NORMAL
2018 May 29 10:53:52.302901 aaa: mts_send_response Successful
2018 May 29 10:53:52.302918 aaa: AAA_REQ_FLAG_LOCAL_RESP
2018 May 29 10:53:52.302926 aaa: aaa_cleanup_session
2018 May 29 10:53:52.302932 aaa: mts_drop of request msg
2018 May 29 10:53:52.302941 aaa: aaa_req should be freed.
2018 May 29 10:53:52.302949 aaa: Fall back method none succeeded
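The debug output above is easier to reason about once the method sequence is pulled out of it: which method was tried first, whether a request actually left the switch, whether the server's reply was accepted, and whether the request ended up being satisfied by the local method. The following parser is an added example and is not code from the thread or from Cisco; it keys on the message strings exactly as they appear in the NX-OS debug lines above, the sample traces are constructed to mirror them, and the numeric status value is reported as-is rather than interpreted, since its meaning is internal to NX-OS.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed sample, modelled on the "debug aaa" output in the thread:
# the server group is tried first, the reply is not accepted, and the
# request falls through to the local method.
SAMPLE_FALLBACK = """\
2018 May 29 10:53:52.228345 aaa: mts_aaa_req_process
2018 May 29 10:53:52.228372 aaa: aaa_req_process for authorization. session no 0
2018 May 29 10:53:52.228442 aaa: total methods configured is 2, current index to be tried is 0
2018 May 29 10:53:52.228472 aaa: AAA_METHOD_SERVER_GROUP
2018 May 29 10:53:52.228483 aaa: aaa_sg_method_handler group = tacacs+
2018 May 29 10:53:52.228514 aaa: Sending request to TACACS service
2018 May 29 10:53:52.302713 aaa: prot_daemon_reponse_handler
2018 May 29 10:53:52.302732 aaa: is_aaa_resp_status_success status = 17
2018 May 29 10:53:52.302741 aaa: is_aaa_resp_status_success is FALSE
2018 May 29 10:53:52.302776 aaa: total methods configured is 2, current index to be tried is 1
2018 May 29 10:53:52.302794 aaa: local_method_handler
2018 May 29 10:53:52.302949 aaa: Fall back method none succeeded
"""

# Constructed healthy trace (assumed shape): the server accepts the request,
# so no further method is tried.
SAMPLE_OK = """\
2018 May 29 11:00:00.000100 aaa: total methods configured is 2, current index to be tried is 0
2018 May 29 11:00:00.000200 aaa: aaa_sg_method_handler group = tacacs+
2018 May 29 11:00:00.000300 aaa: Sending request to TACACS service
2018 May 29 11:00:00.050000 aaa: is_aaa_resp_status_success status = 1
2018 May 29 11:00:00.050100 aaa: is_aaa_resp_status_success is TRUE
"""


@dataclass
class AaaTrace:
    methods_configured: Optional[int] = None
    server_group: Optional[str] = None
    request_sent: bool = False
    response_status: Optional[int] = None   # raw NX-OS value, not interpreted
    server_accepted: Optional[bool] = None
    methods_tried: List[str] = field(default_factory=list)
    fallback_line: Optional[str] = None

    def fell_through_to_local(self) -> bool:
        """True when a server request went out, was not accepted, and the
        local method was then consulted for the same session."""
        return (self.request_sent
                and self.server_accepted is False
                and "local" in self.methods_tried)


_RE_GROUP = re.compile(r"aaa_sg_method_handler group = (\S+)")
_RE_METHODS = re.compile(r"total methods configured is (\d+)")
_RE_STATUS = re.compile(r"is_aaa_resp_status_success status = (\d+)")
_RE_STATUS_RESULT = re.compile(r"is_aaa_resp_status_success is (TRUE|FALSE)")


def parse_aaa_debug(text: str) -> AaaTrace:
    """Walk the debug lines in order and record the method sequence."""
    trace = AaaTrace()
    for raw in text.splitlines():
        # Drop the timestamp and the "aaa:" facility tag; keep the message.
        msg = raw.split("aaa:", 1)[1].strip() if "aaa:" in raw else raw.strip()
        if m := _RE_METHODS.search(msg):
            trace.methods_configured = int(m.group(1))
        elif m := _RE_GROUP.search(msg):
            trace.server_group = m.group(1)
            trace.methods_tried.append("group:" + m.group(1))
        elif msg.startswith("Sending request to TACACS service"):
            trace.request_sent = True
        elif m := _RE_STATUS.search(msg):
            trace.response_status = int(m.group(1))
        elif m := _RE_STATUS_RESULT.search(msg):
            trace.server_accepted = m.group(1) == "TRUE"
        elif msg == "local_method_handler":
            trace.methods_tried.append("local")
        elif msg.startswith("Fall back method"):
            trace.fallback_line = msg
    return trace


def diagnose(trace: AaaTrace) -> List[str]:
    """Turn the parsed trace into short findings for the operator."""
    findings = []
    if not trace.request_sent:
        findings.append("no request was sent to a server group; check the "
                        "aaa group server definition and reachability")
    elif trace.server_accepted is False:
        findings.append(f"group {trace.server_group} replied but the reply was "
                        f"not accepted (status {trace.response_status}); check "
                        "the shared key and the device entry on the server")
    if trace.fell_through_to_local():
        findings.append("the request was satisfied by the local method, not by TACACS+")
    return findings


if __name__ == "__main__":
    for name, sample in (("fallback", SAMPLE_FALLBACK), ("ok", SAMPLE_OK)):
        print(name, diagnose(parse_aaa_debug(sample)) or ["no findings"])
```

The distinction the parser draws is the one that matters here: "Sending request to TACACS service" followed by "is FALSE" means the switch reached a server and got an answer it would not use, which points at the key or the server-side device entry rather than at routing or the VRF. A trace with no "Sending request" line at all would point the other way.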
05-31-2018 06:53 AM
Thanks for the outputs. The output from Nexus does confirm that it sent a request to the server and received a response. The log from the server shows that it received a request and considered it invalid. I do not have insight into what causes the request to be invalid and am not sure what is indicated about possible mismatched share. I am not sure whether the issue is in the setup of Nexus or in setup of server. But clearly something in the setup is not right.
HTH
Rick
05-31-2018 11:19 AM
Hello,
I've had a similar issue when I've used a ! in a radius password. Might be as simple as that... else like you say, changing the passwords out might also help.
Thanks