Nexus 7000 and ACS AV-PAIRS

Unanswered Question
Dec 3rd, 2009

Dear all,

I'm having an issue with TACACS+ AAA setup with a Nexus 7000 running 4.2(2a) and ACS 4.2. I've added the av-pair string of

shell:roles="network-operator vdc-admin"

into the TACACS+ settings under the group custom attributes. When I log in, the login hangs waiting for the custom attribute pair to respond back to the switch, which it doesn't seem to do, and it then dumps me into the vdc-operator role and not the vdc-admin role.

Can anyone give me any additional pointers?

Thanks in advance,


cochambe Tue, 12/08/2009 - 02:31


Just for reference, we've fixed this. The base VDC always seemed to honour the PRIV 15 under the ACS group and gave you network-admin. The correct syntax for vdc-admin passthrough on the av-pair is:


That's all you need.



cratejockey Mon, 02/08/2010 - 11:52


I saw your post and figured I would give you a shout.  I have a client with a 7K installed.  We are running ACS 4.2 and all network equipment is functioning with the exception of the 7K.

We keep getting:

TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond

Do you have a sample of your config for your 7K? Did you have to do anything special in ACS for it to talk to the 7K? I've been beating my head on this for a few weeks and the Cisco config guides don't solve my issue. I follow them to a tee and it still does not work.



khwajanusrat Tue, 02/23/2010 - 09:18


I am also getting this message repeatedly on my NX5000, although the authentication and authorization are working fine. I will appreciate any clues. Thanks.

%TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond

khwajanusrat Tue, 02/23/2010 - 14:03

Hi Colin Chambers,

Can you please post the error and the current config for TACACS on the NX7000?

veer.pratap Mon, 07/22/2013 - 10:14

Hi Colin,

Can you help me resolve the issue of ACS 4.2 with Nexus 7k? What configuration did you do in ACS?


Veer Pratap Singh

brian.holmes Wed, 02/16/2011 - 07:09

My server was sending minor version 0 instead of 1 when I saw the same error message.
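
One way to check a capture for the minor-version mismatch described in the reply above, as an added example that is not part of the original thread: it decodes the 12-byte TACACS+ header (RFC 8907 layout) and reports packets whose minor version differs from the first packet of their session. The function names and the sample headers are constructed for illustration.

```python
import struct
from typing import NamedTuple

TAC_PLUS_MAJOR_VER = 0xC  # high nibble of the first header byte (RFC 8907, 4.1)
PACKET_TYPES = {1: "authentication", 2: "authorization", 3: "accounting"}

class TacacsHeader(NamedTuple):
    major: int
    minor: int
    ptype: str
    seq_no: int
    flags: int
    session_id: int
    length: int

def parse_header(packet: bytes) -> TacacsHeader:
    """Decode the fixed 12-byte TACACS+ header, which is never obfuscated."""
    if len(packet) < 12:
        raise ValueError("TACACS+ header is 12 bytes, got %d" % len(packet))
    version, ptype, seq_no, flags, session_id, length = struct.unpack(
        "!BBBBII", packet[:12])
    major, minor = version >> 4, version & 0x0F
    if major != TAC_PLUS_MAJOR_VER:
        raise ValueError("not a TACACS+ packet (major version 0x%x)" % major)
    name = PACKET_TYPES.get(ptype, "unknown(%d)" % ptype)
    return TacacsHeader(major, minor, name, seq_no, flags, session_id, length)

def version_mismatches(packets):
    """Return (session_id, seq_no, first_minor, this_minor) for every packet
    whose minor version differs from the first packet seen in its session."""
    first_minor = {}
    findings = []
    for raw in packets:
        h = parse_header(raw)
        expected = first_minor.setdefault(h.session_id, h.minor)
        if h.minor != expected:
            findings.append((h.session_id, h.seq_no, expected, h.minor))
    return findings

# Constructed sample headers (bodies omitted, length field set to 0).
SAMPLE = [
    bytes.fromhex("c1010100" "0000beef" "00000000"),  # authen, seq 1, minor 1
    bytes.fromhex("c0010200" "0000beef" "00000000"),  # authen, seq 2, minor 0
    bytes.fromhex("c0020100" "0000cafe" "00000000"),  # author, seq 1, minor 0
    bytes.fromhex("c0020200" "0000cafe" "00000000"),  # author, seq 2, minor 0
]

if __name__ == "__main__":
    for sid, seq, want, got in version_mismatches(SAMPLE):
        print("session 0x%08x seq %d: first packet minor %d, this packet minor %d"
              % (sid, seq, want, got))
```
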

brian.holmes Tue, 07/23/2013 - 10:27

One other thing I had to send was TACACSPLUS-Priv-Level = ROOT

which by the way was not in any manual.  

