12-13-2011 12:56 PM - edited 03-01-2019 10:11 AM
Well, I've been working on this off and on for a few months (yikes) now, and we are still using local authentication for UCS rather than tacacs. I am attaching a few screenshots of how things are set up that I believe encompasses everything, but am more than willing to provide more info if needed. The pics are - how the UCS looks, how AAA looks for the UCS, how the one user (me) I'm testing looks. I essentially did my best to follow the instructions in
but to no avail. Essentially, I believe that the UCS isn't even trying to contact the ACS server. I tested that by trying (unsuccessfully) to log in to UCS 10 times, and it not locking my tacacs account. Any help greatly appreciated, and more information requested will be provided.
Thanks
12-14-2011 07:44 AM
Russell -
Can you confirm that you can ping the ACS server from the UCS FI CLI? Does the admin aaa role exist on the UCS?
Jen
12-14-2011 10:04 PM
Russell,
Additionally, you can verify the user and tacacs from the NX-OS CLI with the following:
UCS-250-A(nxos)# test aaa server tacacs+ 10.10.10.10 myuser mypass
Thanks,
Michael
12-15-2011 01:26 PM
Jen,
I can ping from local-mgmt. There is an admin role and an aaa role on the UCS.
Michael,
That command, when substituted for my values, gives me an error authenticating to server.
12-15-2011 11:18 PM
Hi Russell,
If it returns an error authenticating, sounds like there is a problem with the user/pass combination. Can you verify that they are correct?
Additionally, looking at the screenshots, you should select the "Shell(exec)" for the aaa-user on your ACS.
Setup TACACS Authentication for Cisco UCS
Let me know how you go.
Thanks,
Michael