TACACS and Device Manager

Unanswered Question
Apr 29th, 2010

I have got TACACS working via the CLI and the account has the correct permissions, but I can't log in via Device or Fabric Manager. It just says "Authentication Failed". I have changed it to MD5-AES and tried all the other "Auth-Privacy" options, no luck. Changed the "Console" login from Local to the new TACACS group, but still no luck? Spoke to somebody I know with TACACS, but they left the "Console" on local, and we can't be the only people doing this?


Cheers.

Ganesh Hariharan Sat, 05/01/2010 - 09:23

Hi,


Check the failed-attempt messages on the TACACS server; from those messages you can tell whether the requests are reaching the TACACS server, or find some other reason for the failed logins.


Hope to Help !!


Ganesh.H

bfeeny Sat, 05/01/2010 - 20:50

FM and DM don't use AAA by default; they use the SNMP credentials on the switch. What username are you using? Does that username exist on the switch as an SNMP user? If so, those are the credentials it is using.


When you add a username to an MDS switch it adds the user as an SNMP user as well. If you're trying to use username "administrator", for example, and that user exists in AAA as well as locally on the switch, DM/FM will authenticate using the SNMP settings on the switch, not AAA.


The only time it will try AAA is if the username does not exist on the switch at all; then DM/FM will telnet to the switch and try to authenticate.

User_4444_2 Tue, 05/04/2010 - 04:40

We have created an account on the TACACS+ server and are using that; this account doesn't exist on the switch as an SNMP user. When we switch on debug tacacs+ from the CLI, nothing happens when we try to log in via DM/FM. We can't see anything on the TACACS server either.


All the TACACS settings can be seen from within DM & FM.


I have enabled and disabled CFS for TACACS and that didn't make any difference.


Anything else I should be looking at?


Thanks

bfeeny Tue, 05/04/2010 - 06:49

Can you post your AAA/TACACS config?  You said you tried the "test aaa server tacacs+ 1.2.3.4 username password" command and that worked from the CLI?

User_4444_2 Tue, 05/04/2010 - 07:11

The 'test aaa server tacacs+ 10.88.2.186 "username" "password"' command works from the CLI no problem. Comes back with 'user has been authenticated'.


Config, where * are the IP Addresses of the servers.


Global TACACS+ shared secret:********
timeout value:10
deadtime value:0
total number of servers:2

following TACACS+ servers are configured:
        *.*.*.*:
                available on port:49
                TACACS+ shared secret:********
                timeout:20
        *.*.*.*:
                available on port:49
                TACACS+ shared secret:********
                timeout:20


Authentication Statistics
        failed transactions: 0
        sucessfull transactions: 35
        requests sent: 35
        requests timed out: 0
        responses with no matching requests: 0
        responses not processed: 0
        responses containing errors: 0

Authorization Statistics
        failed transactions: 0
        sucessfull transactions: 28
        requests sent: 28
        requests timed out: 0
        responses with no matching requests: 0
        responses not processed: 0
        responses containing errors: 0

Accounting Statistics
        failed transactions: 0
        sucessfull transactions: 187
        requests sent: 187
        requests timed out: 0
        responses with no matching requests: 0
        responses not processed: 0
        responses containing errors: 0


aaa group server tacacs+ TacacsGroup1
aaa authentication login default group TacacsGroup1
aaa authentication login console group TacacsGroup1
aaa accounting default group TacacsGroup1
snmp-server enable traps aaa server-state-change


tacacs+ enable
tacacs-server key 7 "*******************************"
tacacs-server timeout 10
tacacs-server host 10.88.2.186 key 7 "*******************************" timeout 20
tacacs-server host 10.88.2.178 key 7 "*******************************" timeout 20
aaa group server tacacs+ TacacsGroup1
tacacs-server directed-request



Let me know what else you need?

bfeeny Tue, 05/04/2010 - 10:48

You have "tacacs-server directed-request" enabled. Are you using this functionality? What this means is you do not enter "username" at the login prompt; instead you enter "username@servername", where servername is the TACACS server you wish to send the request to. If the server does not exist then the login is rejected. Only configured servers may be specified. If you just send "username" to an MDS configured for directed-request, I am not sure whether it will use the default group or reject.


Can you confirm what your intended need is, do you need directed-request?

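The two checks this thread turns on, whether a DM/FM login attempt ever produced a TACACS+ authentication request (the empty "debug tacacs all" output) and which credential path DM/FM takes for a given username, can be made mechanical. The following is an added example, not code from the original posts or from Cisco: it parses the text of "show tacacs-server statistics" captured before and after a login attempt (same layout as the output posted above), reports which request counters moved, models the SNMP-versus-AAA path exactly as bfeeny describes it (the thread's description, not verified DM/FM source), and flags the directed-request and console-login lines from the posted config. The counter values, the snapshot taken "after" the attempt and the snmp-server user line are constructed for the example.

```python
"""Diagnose a DM/FM login that never reaches TACACS+ on a Cisco MDS switch.

Added example, not code from the original thread or from Cisco.  It parses
'show tacacs-server statistics' text captured before and after a login
attempt, reports which request types actually left the switch, models the
credential path DM/FM takes as described in the thread, and scans the
running config for the settings the thread discusses.  All sample data
below is constructed (counter values, the 'after' snapshot, the SNMP user).
"""
import re

# Constructed: counters as posted in the thread, taken before the DM/FM attempt.
BEFORE = """\
Authentication Statistics
        failed transactions: 0
        sucessfull transactions: 35
        requests sent: 35
        requests timed out: 0
        responses containing errors: 0

Authorization Statistics
        failed transactions: 0
        sucessfull transactions: 28
        requests sent: 28
        requests timed out: 0

Accounting Statistics
        failed transactions: 0
        sucessfull transactions: 187
        requests sent: 187
        requests timed out: 0
"""

# Constructed: after the attempt only accounting moved (periodic records), so
# DM/FM never caused an authentication request, matching the empty debug.
AFTER = (BEFORE.replace("sucessfull transactions: 187", "sucessfull transactions: 189")
               .replace("requests sent: 187", "requests sent: 189"))

# Constructed running config: the posted AAA lines plus one local SNMP user
# (the 'snmp-server user admin ...' line is an assumption for the example).
CONFIG = """\
aaa group server tacacs+ TacacsGroup1
aaa authentication login default group TacacsGroup1
aaa authentication login console group TacacsGroup1
aaa accounting default group TacacsGroup1
tacacs+ enable
tacacs-server host 10.88.2.186 key 7 "****" timeout 20
tacacs-server host 10.88.2.178 key 7 "****" timeout 20
tacacs-server directed-request
snmp-server user admin network-admin auth md5 **** priv aes-128 **** localizedkey
"""

SECTION_RE = re.compile(r"^(\w+) Statistics\s*$")
COUNTER_RE = re.compile(r"^\s+([a-z ]+?):\s*(\d+)\s*$")


def parse_stats(text):
    """Map 'Authentication'/'Authorization'/'Accounting' to {counter: int}."""
    stats, section = {}, None
    for line in text.splitlines():
        m = SECTION_RE.match(line)
        if m:
            section = m.group(1)
            stats[section] = {}
            continue
        m = COUNTER_RE.match(line)
        if m and section is not None:
            stats[section][m.group(1)] = int(m.group(2))
    return stats


def delta(before, after):
    """Per-section counter increase between two snapshots."""
    b, a = parse_stats(before), parse_stats(after)
    return {sec: {k: v - b.get(sec, {}).get(k, 0) for k, v in counters.items()}
            for sec, counters in a.items()}


def auth_reached_tacacs(before, after):
    """True only if the switch sent at least one authentication request."""
    return delta(before, after)["Authentication"]["requests sent"] > 0


def dm_fm_auth_path(config, username):
    """Credential path DM/FM takes per bfeeny's description in this thread:
    a username that exists as an SNMP user on the switch is checked against
    the switch's SNMP credentials; otherwise DM/FM falls through to a telnet
    login that hits AAA.  Models the thread's description, not verified code."""
    pattern = re.compile(r"^snmp-server user " + re.escape(username) + r"\b", re.M)
    return "snmp" if pattern.search(config) else "aaa"


def config_findings(config):
    """Settings in the posted config that the thread calls out."""
    findings = []
    lines = [l.strip() for l in config.splitlines()]
    if "tacacs-server directed-request" in lines:
        findings.append("directed-request: login name is expected as user@server, "
                        "and only configured servers are accepted")
    for l in lines:
        if l.startswith("aaa authentication login console") and "local" not in l.split():
            findings.append("console login method is " + l.split("console ", 1)[1]
                            + " with no explicit local method on the line")
    return findings


if __name__ == "__main__":
    print("auth request left the switch:", auth_reached_tacacs(BEFORE, AFTER))
    for sec, d in delta(BEFORE, AFTER).items():
        print(sec, {k: v for k, v in d.items() if v})
    for user in ("admin", "tacacsuser"):
        print(user, "->", dm_fm_auth_path(CONFIG, user))
    for f in config_findings(CONFIG):
        print("finding:", f)
```

In practice you would paste the real "show tacacs-server statistics" output into BEFORE and AFTER around a single DM/FM login attempt: if the Authentication "requests sent" delta is zero while the CLI "test aaa server tacacs+" command succeeds, the problem is on the DM/FM credential path rather than in the switch-to-server exchange, which is the conclusion the thread is converging on.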
User_4444_2 Wed, 05/05/2010 - 00:47

It was just another thing I tried; it didn't work with or without it. I didn't know about this option until I read about it, so I tried it. The problem I have is that somebody else looks after the TACACS server, so we are trying from both ends to get this to work. As we can't see anything from "debug tacacs all" when we try to log in, something must be missing in DM/FM, but I don't know what.

I also tried "debug aaa auth all" but still nothing; both debugs start to do something when I go through the options for TACACS from within DM/FM using the local login.


Thanks

bfeeny Wed, 05/05/2010 - 07:24

According to the Fabric Manager config guide:


Note: Fabric Manager Server should always monitor fabrics using a local switch account; do not use a AAA (RADIUS or TACACS+) server. You can use a AAA user account to log into the clients to provision fabric services. For more information on Fabric Manager Server fabric monitoring, see the "Managing a Fabric Manager Server Fabric" section on page 3-3.


Make sure you read the FM Config Guide, especially the chapter on setting up "Authentication in Fabric Manager", to make sure you're entering the right values to access your fabric.

User_4444_2 Thu, 05/06/2010 - 04:23

We don't have a Fabric Manager server; we just use a server or workstation that has DM/FM installed. We don't have the Fabric Manager license, does that matter?
