11-09-2007 06:56 AM
I've been accessing mds switches via FM with the locally defined admin user. Is there a config that will get FM to auth via tacacs? Is this discussed in a doc? Thanks.
11-09-2007 07:50 AM
In short, yes. The MDS is capable of authenticating users via TACACS+ through both the vty and Fabric Manager interfaces (in reality they are both a view into the same thing).
The documentation for accomplishing this task through fabric manager is available here -
http://www.cisco.com/univercd/cc/td/doc/product/sn5000/mds9000/3_0/fmcfg/part5/cradtac1.htm
The documentation for accomplishing this task through the CLI is available here -
http://www.cisco.com/univercd/cc/td/doc/product/sn5000/mds9000/3_0/clicnfg/part5/cradtac1.htm
If you found this helpful, please rate it.
--Colin McNamara
11-12-2007 07:52 AM
Not getting it. Perhaps if we get a little more specific. Today, I can ssh into my mds switch and auth via radius with my userid:
9216-2# sh run | incl radi
radius-server key 7 "radiuskeyhere"
radius-server host 10.10.10.67 authentication
radius-server host 10.10.10.99 authentication
aaa authentication login default group radius local
aaa authentication login console group radius local
but if I try to use that same userid at the FM, Discover New Fabric - Fabric Manager screen, I get a msg, SnmpReport: Unknown User Name. If I use the locally defined user, admin, on the switch I can log in:
snmp-server user admin network-admin auth md5 keyvaluehere localizedkey
I'm not finding a description of how to get the radius defined users to be able to connect at that Discover New Fabric screen.
11-12-2007 09:09 AM
The MDS 9000 Family doc section on Configuring RADIUS and TACACS+ says:
AAA configuration in Cisco MDS 9000 Family switches is service based. You can have separate AAA configurations for the following services:
• Telnet or SSH login (Fabric Manager and Device Manager login)
which makes me think that this should be working, as the ssh and FM auth seem to be one and the same. So, why do I get this Snmp user error? Missing something...
11-12-2007 01:26 PM
I think I see the problem now. When you said, "The MDS is capable of authenticating users via tacacas+ through both the vty and fabric manager interfaces. (in reality they are both a view into the same thing)," I believe you are talking about ssh/telnet login to the switch via FM.
I'm wanting to get the SNMPv3 login at "Discover New Fabric" screen to use radius to auth the users centrally. There is no mention of this in the chapter on snmpv3 configuration. Creating and Modifying Users only talks about locally defined users.
What can I say...rats.
11-14-2007 06:53 AM
chapter 4-2, pdf pg 126, of the fm config guide says:
"If this user name and password are not a recognized SNMP user name and password,
either Fabric Manager Client or Fabric Manager Server opens a CLI session to the switch (SSH or Telnet)
and retries the user name/password pair. If the user name and password are recognized by the switch in
either the local switch authentication database or through a remote AAA server, then the switch creates
a temporary SNMP user name that is used by Fabric Manager Client and server."
Sounds like this should be working. Mixed signals. Guess I'll head to debug to try to figure out why it is busted.
11-23-2007 07:31 AM
Still not working. EMC TAC opens a case with Cisco TAC. Weeks pass. While the sentence above might lead one to believe this is a feature, no other doc hints at use of it. I wonder, does anyone on the planet really auth with radius when at the "Discover New Fabric" screen, or is everyone using an snmp user defined on the seed switch?
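Added example, not from the thread and not Cisco code: a small Python audit of the `sh run` lines pasted earlier in the thread. It separates the two identity sources the thread keeps running into: the `aaa authentication login` method lists, which govern SSH/Telnet, and the local `snmp-server user` table, which is what the SNMPv3 step of Discover New Fabric checks. The model assumes, as the poster concluded, that SNMPv3 only consults that local table; the SSH-fallback behaviour quoted from the FM config guide is not modelled, since the thread reports it did not work in practice. The audit also flags two things a reviewer would raise from those exact lines: the RADIUS key is stored as type 7 (reversible obfuscation), and the SNMPv3 user has `auth md5` with no `priv`, so it is authNoPriv. The sample config is constructed from the posted lines; the function names are my own.

```python
"""Audit the AAA and SNMPv3 user lines of an MDS running-config excerpt.

Added example, not from the thread. Assumption: the SNMPv3 login used by
Fabric Manager's Discover New Fabric dialog only knows users created with
`snmp-server user`; the SSH fallback described in the FM guide is not modelled.
"""
import re

# Constructed sample: the `sh run` lines the poster pasted, gathered into one
# excerpt. Not a real switch configuration.
SAMPLE_CONFIG = """\
radius-server key 7 "radiuskeyhere"
radius-server host 10.10.10.67 authentication
radius-server host 10.10.10.99 authentication
aaa authentication login default group radius local
aaa authentication login console group radius local
snmp-server user admin network-admin auth md5 keyvaluehere localizedkey
"""

RADIUS_HOST = re.compile(r"^radius-server host (\S+)")
RADIUS_KEY = re.compile(r"^radius-server key (\d) ")
AAA_LOGIN = re.compile(r"^aaa authentication login (\S+) (.+)$")
SNMP_USER = re.compile(r"^snmp-server user (\S+) (\S+) auth (md5|sha) \S+(.*)$")


def parse_config(text):
    """Return the AAA-relevant pieces of a running-config excerpt."""
    cfg = {"radius_hosts": [], "radius_key_type": None,
           "login_methods": {}, "snmp_users": {}}
    for raw in text.splitlines():
        line = raw.strip()
        if m := RADIUS_HOST.match(line):
            cfg["radius_hosts"].append(m.group(1))
        elif m := RADIUS_KEY.match(line):
            cfg["radius_key_type"] = int(m.group(1))
        elif m := AAA_LOGIN.match(line):
            # "group radius local" -> ["group radius", "local"], tried in order
            cfg["login_methods"][m.group(1)] = re.findall(
                r"group \S+|local|none", m.group(2))
        elif m := SNMP_USER.match(line):
            cfg["snmp_users"][m.group(1)] = {
                "role": m.group(2),
                "auth": m.group(3),
                # a `priv` keyword after the auth password means authPriv
                "priv": re.search(r"\bpriv\b", m.group(4)) is not None,
            }
    return cfg


def auth_sources(cfg):
    """Identity sources per login path.

    SSH/Telnet follows the `default` method list. SNMPv3 has no method list
    and (by the assumption above) consults only the local snmp-server users.
    """
    return {
        "ssh_telnet": cfg["login_methods"].get("default", ["local"]),
        "snmpv3": ["local"],
    }


def snmpv3_login_ok(cfg, username):
    """True only if the name exists in the switch's local SNMPv3 user table."""
    return username in cfg["snmp_users"]


def audit(cfg):
    """Findings a reviewer would raise about this excerpt."""
    findings = []
    remote = sorted({m for ms in cfg["login_methods"].values()
                     for m in ms if m.startswith("group ")})
    for user, a in cfg["snmp_users"].items():
        findings.append(
            f"snmp user '{user}' ({a['role']}) is a local account outside "
            f"{', '.join(remote) or 'any remote AAA'}; rotate it separately")
        if not a["priv"]:
            findings.append(
                f"snmp user '{user}' has auth {a['auth']} but no priv: "
                "SNMPv3 traffic is authenticated, not encrypted (authNoPriv)")
    if cfg["radius_key_type"] == 7:
        findings.append("radius-server key is type 7: reversible obfuscation, "
                        "treat the running-config as containing the cleartext")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    print(auth_sources(cfg))
    for who in ("admin", "radius-only-user"):
        print(who, "at Discover New Fabric:",
              "ok" if snmpv3_login_ok(cfg, who) else "Unknown User Name")
    for finding in audit(cfg):
        print("-", finding)
```

Run against the sample, `admin` passes the SNMPv3 check and a RADIUS-only identity does not, which is the "Unknown User Name" the poster saw; the audit output is the list of caveats to carry into a change request rather than a fix for the discovery problem itself.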