03-01-2012 08:43 AM - edited 03-07-2019 05:17 AM
Can you please help with the following?
I have the following config on a Nexus 5596:
ip tacacs source-interface mgmt0
tacacs-server host 10.21.1.180 key 7 "xxxxxxi"
aaa group server tacacs+ Harrods-Switches
server 10.21.1.180
tacacs-server directed-request
aaa group server tacacs+ Harrods-Switches
aaa authentication login default group Harrods-Switches
aaa authorization config-commands default group Harrods-Switches
After applying the config above, when I try adding or removing any command from the switch I get the following message.
I can only run show commands on my switch.
Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=17(0x11)
Is there any way I can revert the change made?
Any help is much appreciated.
03-01-2012 03:04 PM
You should still be able to login via console with the local username / password.... as long as you didn't remove the
aaa authentication login console local
The Nexi have some pretty handy aaa testing commands once you get consoled back in...
switch# test aaa server tacacs+ 10.10.1.1 user1 Ur2Gd2BH
switch# test aaa group TacGroup user2 As3He3CI
switch# test aaa auth command-type config-commands user XXXX command config
03-02-2012 01:57 AM
Hi Mark,
Many Thanks for your reply
I can log on using SSH and console but cannot run any command in global configuration mode.
I think the command below is causing this, and I cannot remove this command:
aaa authorization config-commands default group Harrods-Switches
When I look at the logs on ACS the authentication is failing
03-02-2012 02:54 AM
All,
Rebooted the ACS server which has fixed the problem I had.
Many Thanks for your help
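Added example, not part of the thread: a small Python check that flags command-authorization lists naming only a TACACS+ group, and groups with a single server, the two properties of the configuration in the first post that left configuration mode dependent on one ACS server. The function name, the two-server threshold and the expectation that `local` is accepted as a trailing method on the platform are assumptions of this example.

```python
import re

# Constructed sample: the configuration lines quoted in the first post.
SAMPLE = """\
ip tacacs source-interface mgmt0
tacacs-server host 10.21.1.180 key 7 "xxxxxxi"
aaa group server tacacs+ Harrods-Switches
server 10.21.1.180
tacacs-server directed-request
aaa group server tacacs+ Harrods-Switches
aaa authentication login default group Harrods-Switches
aaa authorization config-commands default group Harrods-Switches
"""

GROUP_RE = re.compile(r"^aaa group server tacacs\+ (\S+)$")
AUTHOR_RE = re.compile(r"^aaa authorization (commands|config-commands) (default|console) (.+)$")


def audit_aaa(config):
    """Return findings for authorization lists that depend on TACACS+ alone."""
    groups, current, lists = {}, None, []
    for raw in config.splitlines():
        line = raw.strip()
        if m := GROUP_RE.match(line):
            current = m.group(1)
            groups.setdefault(current, [])      # a repeated stanza is merged
        elif line.startswith("server ") and current:
            groups[current].append(line.split()[1])
        else:
            current = None                      # any other line ends the stanza
            if m := AUTHOR_RE.match(line):
                lists.append((m.group(1), m.group(2), m.group(3).split()))
    findings = []
    for kind, scope, methods in lists:
        names = [t for t in methods if t not in ("group", "local", "none")]
        if "local" not in methods:              # hypothetical policy: require a local method
            findings.append(f"{kind} {scope}: no local method after {names}")
        for g in names:
            servers = groups.get(g)
            if servers is None:
                findings.append(f"{kind} {scope}: group {g} is not defined")
            elif len(servers) < 2:              # assumed threshold: one server is a single point of failure
                findings.append(f"{kind} {scope}: group {g} has {len(servers)} server(s)")
    return findings


if __name__ == "__main__":
    for f in audit_aaa(SAMPLE):
        print(f)
```

Run against a saved copy of the running configuration before applying command authorization, so the dependency on a single server is visible while configuration mode is still reachable.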