FM auth via tacacs+

stellr, Level 1

I've been accessing mds switches via FM with the locally defined admin user. Is there a config that will get FM to auth via tacacs? Is this discussed in a doc? Thanks.

6 Replies

colin.mcnamara, Level 4

In short, yes. The MDS is capable of authenticating users via TACACS+ through both the vty and Fabric Manager interfaces (in reality they are both a view into the same thing).

The documentation for accomplishing this task through fabric manager is available here -

http://www.cisco.com/univercd/cc/td/doc/product/sn5000/mds9000/3_0/fmcfg/part5/cradtac1.htm

The documentation for accomplishing this task through the CLI is available here -

http://www.cisco.com/univercd/cc/td/doc/product/sn5000/mds9000/3_0/clicnfg/part5/cradtac1.htm

If you found this helpful, please rate it.

--Colin McNamara
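For reference, here is what the CLI side of the answer above looks like on a SAN-OS 3.x MDS: enable TACACS+, define the servers, put them in a server group, and point the login method lists at that group with local fallback. This is an added example written for this page, not configuration from the thread or from the linked Cisco guides. The addresses, key and group name are placeholders, and the `tacacs+ enable` form is the SAN-OS 3.x syntax as recalled here; check it against the linked CLI configuration guide for the release actually in use.

```text
! Added example, not from the thread. Placeholder addresses, key and group name.
! SAN-OS 3.x syntax as recalled; verify against the CLI configuration guide.
configure terminal
  tacacs+ enable
  tacacs-server key 7 "tacacskeyhere"
  tacacs-server host 10.10.10.67
  tacacs-server host 10.10.10.99
  aaa group server tacacs+ TacacsGroup
    server 10.10.10.67
    server 10.10.10.99
  ! Keep "local" at the end of each list so a TACACS+ outage does not lock
  ! out the console; the local admin user is then the break-glass account.
  aaa authentication login default group TacacsGroup local
  aaa authentication login console group TacacsGroup local
  ! The SNMPv3 user on the seed switch stays locally defined; this is the
  ! user that the Discover New Fabric screen accepts later in the thread.
  snmp-server user admin network-admin auth md5 keyvaluehere localizedkey
end
copy running-config startup-config
```

After applying it, `show tacacs-server` and `show aaa authentication` on the switch confirm the servers and the method lists that are in effect; an SSH login with a TACACS+-defined account is the first thing to test before touching Fabric Manager, since the thread below shows that the CLI login and the SNMPv3 login at the discovery screen do not behave the same way.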

Not getting it. Perhaps if we get a little more specific. Today, I can ssh into my mds switch and auth via radius with my userid:

```
9216-2# sh run | incl radi
radius-server key 7 "radiuskeyhere"
radius-server host 10.10.10.67 authentication
radius-server host 10.10.10.99 authentication
aaa authentication login default group radius local
aaa authentication login console group radius local
```

but if I try to use that same userid at the FM, Discover New Fabric - Fabric Manager screen, I get a msg, SnmpReport: Unknown User Name. If I use the locally defined user, admin, on the switch I can log in:

```
snmp-server user admin network-admin auth md5 keyvaluehere localizedkey
```

I'm not finding a description of how to get the radius defined users to be able to connect at that Discover New Fabric screen.

The MDS 9000 Family doc section on Configuring RADIUS and TACACS+ says:

"AAA configuration in Cisco MDS 9000 Family switches is service based. You can have separate AAA configurations for the following services:

• Telnet or SSH login (Fabric Manager and Device Manager login)"

which makes me think that this should be working, as the ssh and FM auth seem to be one and the same. So, why do I get this Snmp user error? Missing something...

I think I see the problem now. When you said, "The MDS is capable of authenticating users via TACACS+ through both the vty and fabric manager interfaces. (in reality they are both a view into the same thing)," I believe you are talking about ssh/telnet login to the switch via FM.

I'm wanting to get the SNMPv3 login at "Discover New Fabric" screen to use radius to auth the users centrally. There is no mention of this in the chapter on snmpv3 configuration. Creating and Modifying Users only talks about locally defined users.

What can I say...rats.

Chapter 4-2, pdf pg 126, of the FM config guide says:

"If this user name and password are not a recognized SNMP user name and password, either Fabric Manager Client or Fabric Manager Server opens a CLI session to the switch (SSH or Telnet) and retries the user name/password pair. If the user name and password are recognized by the switch in either the local switch authentication database or through a remote AAA server, then the switch creates a temporary SNMP user name that is used by Fabric Manager Client and server."

Sounds like this should be working. Mixed signals. Guess I'll head to debug to try to figure out why it is busted.

Still not working. EMC TAC opens a case with Cisco TAC. Weeks pass. While the sentence above might lead one to believe this is a feature, no other doc hints at use of it. I wonder, does anyone on the planet really auth with radius when at the "Discover New Fabric" screen, or is everyone using an snmp user defined on the seed switch?
