1000v TACACS config

May 25th, 2010

So, I went through the configuration guide for AAA for the Nexus, but cannot get it working. It's a little different than the Catalyst, but some things are the same. So, my config went like this:

tacacs+ enable
tacacs-server key 7 <key> timeout 30
tacacs-server host 10.10.10.10 key 7 <key>
tacacs-server host 10.10.10.11 key 7 <key>
aaa group server tacacs+ DC1_TACACS
  server 10.10.10.10
  server 10.10.10.11
aaa authentication login default group DC1_TACACS

The switch is added in my TACACS server, but I'm seeing no hits to that server from the switch. On the Catalyst, you can specify the source IP that the switch will use to connect to TACACS (ip tacacs source, etc.). I have not found such a command (yet) on the Nexus, nor is there a "vty" to enable authentication on.

Anybody have a thought on it? Other than the obvious, I don't have it configured right... lol...

thanks in advance.


Bruce


Ganesh Hariharan Wed, 05/26/2010 - 00:34

Hi Bruce,


If you have configured the TACACS configuration, just configure the IP address of the 1000v that is nearest to the TACACS server, and check that the TACACS port is open between the switch and the server.


Hope this helps!!


Ganesh.H



Bruce Summers Wed, 05/26/2010 - 04:13

Ganesh,

Thanks for the reply. However, I'm not clear what you refer to with "configure the ip address of 1000v which is near to connect the TACAS server". The IP is already configured on the switch's mgmt 0 interface.

I am sure port 49 is open between the switch and the TACACS server; I tested it...
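
A TCP connect to port 49 shows only that the port is reachable. It does not show that the switch is sourcing the session from the interface the server expects, nor that the shared secret matches on both sides, and a secret mismatch produces no useful hit on the server either. The script below is an added example, not code from this thread or from Cisco: it builds the TACACS+ (RFC 8907) authentication START packet a client sends for a PAP login and the REPLY a server returns, applying the protocol's MD5 pseudo-pad obfuscation keyed by the shared secret, so both sides' messages can be inspected offline. The session ID, secret, user name and addresses in it are made-up values; `probe()` is an optional live check that opens a real connection and is not run here.

```python
# Added example: TACACS+ (RFC 8907) authentication START/REPLY packets.
import hashlib
import os
import socket
import struct

HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
VER_PAP = 0xC1                      # major 0xC, minor 1: RFC 8907 requires minor 1 for PAP
TYPE_AUTHEN = 0x01
FLAG_UNENCRYPTED = 0x01
ACTION_LOGIN, AUTHEN_TYPE_PAP, SVC_LOGIN = 0x01, 0x02, 0x01
STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER", 5: "GETPASS",
          6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}

def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream (RFC 8907 section 4.5): XOR with a hash chain, not a cipher."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def crypt(body, session_id, key, version, seq_no):
    """XOR body with the pad; the same call obfuscates and de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_packet(ptype, seq_no, session_id, key, body, version=VER_PAP):
    header = HEADER.pack(version, ptype, seq_no, 0, session_id, len(body))
    return header + crypt(body, session_id, key, version, seq_no)

def build_authen_start(session_id, key, user, password, port="console", rem_addr="10.0.0.1"):
    """Client -> server: authentication START for a PAP login, seq_no 1."""
    u, p, r, d = (s.encode() for s in (user, port, rem_addr, password))
    body = struct.pack("!8B", ACTION_LOGIN, 1, AUTHEN_TYPE_PAP, SVC_LOGIN,
                       len(u), len(p), len(r), len(d)) + u + p + r + d
    return build_packet(TYPE_AUTHEN, 1, session_id, key, body)

def build_authen_reply(session_id, key, status, server_msg=b"", data=b""):
    """Server -> client: authentication REPLY, seq_no 2."""
    body = struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data
    return build_packet(TYPE_AUTHEN, 2, session_id, key, body)

def parse_packet(raw, key):
    """Split header and body; de-obfuscate unless the unencrypted flag is set."""
    if len(raw) < HEADER.size:
        raise ValueError("short header")
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(raw[:HEADER.size])
    body = raw[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if not flags & FLAG_UNENCRYPTED:
        body = crypt(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id, "body": body}

def parse_authen_start(body):
    if len(body) < 8:
        raise ValueError("short START body")
    action, priv, atype, svc, *lens = struct.unpack("!8B", body[:8])
    fields, off = [], 8
    for n in lens:
        fields.append(body[off:off + n])
        off += n
    if off != len(body):   # garbage lengths are the usual symptom of a key mismatch
        raise ValueError("length fields do not match body (wrong shared key?)")
    user, port, rem_addr, data = fields
    return {"action": action, "priv_lvl": priv, "authen_type": atype, "service": svc,
            "user": user.decode(errors="replace"), "port": port.decode(errors="replace"),
            "rem_addr": rem_addr.decode(errors="replace"), "data": data}

def parse_authen_reply(body):
    if len(body) < 6:
        raise ValueError("short REPLY body")
    status, _flags, ml, dl = struct.unpack("!BBHH", body[:6])
    if 6 + ml + dl != len(body):
        raise ValueError("length fields do not match body (wrong shared key?)")
    return STATUS.get(status, f"UNKNOWN({status})"), body[6:6 + ml].decode(errors="replace")

def _recv_exact(sock, n):
    buf = b""
    while len(buf) < n:
        chunk = sock.recv(n - len(buf))
        if not chunk:
            raise ConnectionError("server closed the connection")
        buf += chunk
    return buf

def probe(host, key, user, password, port=49, timeout=5):
    """Live check against a real server (not run here): a TCP connect proves
    only that port 49 is open; a decodable REPLY proves the shared key."""
    sid = int.from_bytes(os.urandom(4), "big")
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_authen_start(sid, key, user, password))
        hdr = _recv_exact(s, HEADER.size)
        raw = hdr + _recv_exact(s, HEADER.unpack(hdr)[5])
    return parse_authen_reply(parse_packet(raw, key)["body"])
```

Because the body is only XORed with an MD5 hash chain derived from the secret, a wrong key does not produce a clean error: the length fields inside the decoded body simply stop adding up, which is what the two parsers check. Calling `probe("<server address>", b"<secret>", "user", "password")` against a live server therefore separates "port 49 is open" from "the key and the client entry on the server are right".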

Ganesh Hariharan Wed, 05/26/2010 - 04:21

How many interfaces are configured on the 1000v? I suppose you have configured the mgmt 0 interface IP in the TACACS server. If possible, can you provide a schematic view of the IPs configured on the 1000v and the TACACS server IP?


Is the TACACS server Cisco ACS?


Ganesh.H

nellson Thu, 07/29/2010 - 10:41

Did you ever get a response? I did JUST as you did, and NADA in my CSACS logs.


The TACACS servers appear up:


sho tacacs-server
timeout value:5
deadtime value:0
total number of servers:2

following TACACS+ servers are configured:
        172.21.1.221:
                available on port:49
                TACACS+ shared secret:********
        172.21.174.221:
                available on port:49
                TACACS+ shared secret:********


But with the same config you have, I get only local auth. And no options for authorization?? What's up with that?


Nick

constantin.blanariu Wed, 11/17/2010 - 06:48

Hey,


I'm having the same problem. Looking in the configuration guide I found this:


Prerequisites for AAA:


  • At least one TACACS+ server is IP reachable
  • The SVS is configured as an AAA server client
  • A shared secret key is configured on the SVS and the remote AAA server.


I have no idea what the second bullet means: configuring the SVS as an AAA server client.


Does anyone have any thoughts on this?


Thank you,


Constantin

constantin.blanariu Wed, 12/29/2010 - 05:10

Hi,


Here it is:


show run ip all

version 4.0(4) SV1 (3a)
vrf context management
  ip route 0.0.0.0/0 1.1.1.1
ip packet policy statistics enable
no ip source-route

interface mgmt0
  ip address 1.1.1.2/24
  ip redirects
  ip port-unreachable



Thank you,


Constantin

Dan-Ciprian Cicioiu Wed, 12/29/2010 - 05:15

Hi Constantin,



under the aaa group server , set "use-vrf management".



Dan

CARL LINDAHL Thu, 12/30/2010 - 13:30

If and when you set up the syslog export you will run into something similar: I had to configure a loopback address to get the syslog export to work correctly. I have been through your same experience with the TACACS setup on the 1000v.

Dan-Ciprian Cicioiu Fri, 12/31/2010 - 03:21

Carl,


The same as in the AAA setup: when you configure logging you should also set the VRF:


logging server $Logging-server $logging-level use-vrf management


Replace $logging-server and $logging-level with the IP/host of the logging server and the logging level wanted, respectively.



Dan
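
Both of Dan's fixes come down to one rule on NX-OS: mgmt0 sits in VRF management, so any AAA server group or logging server that must be reached through mgmt0 has to carry "use-vrf management"; otherwise the switch sources the traffic from the default VRF and the server never sees a packet, which matches the "no hits on the server" symptom in this thread. The script below is an added example, not code from this thread or from Cisco, that audits a saved running-config for exactly that: AAA server groups without use-vrf (or with a different VRF), group members with no matching tacacs-server host line, method lists that reference a group that is not defined, and logging server lines without use-vrf. The sample config is constructed from the configs posted in this thread, with a third server, the group name ACS_OLD and the logging lines invented so that each check fires; adjust mgmt_vrf if your servers are reached through a front-panel VRF instead.

```python
# Added example: audit an NX-OS running-config for the VRF mistakes in this thread.
import re

# Constructed sample, assembled from the configs posted in this thread; the
# third server in group "tacacs", the group name ACS_OLD and the logging
# lines are invented so that every check below fires at least once.
SAMPLE_CONFIG = """\
tacacs-server key 7 "vqtjjb"
tacacs-server timeout 10
tacacs-server host 10.60.90.100 key 7 "vqtjjb"
tacacs-server host 10.61.90.100 key 7 "vqtjjb"
aaa group server tacacs+ tacacs
    server 10.60.90.100
    server 10.61.90.100
    server 10.62.90.100
aaa group server tacacs+ DC1_TACACS
    server 10.60.90.100
    server 10.61.90.100
    use-vrf management
aaa authentication login default group tacacs
aaa authentication login console group ACS_OLD
aaa accounting default group DC1_TACACS
logging server 10.60.90.50 6
logging server 10.61.90.50 6 use-vrf management
"""


def parse_blocks(text):
    """Split NX-OS config into (top-level line, [indented child lines]) pairs."""
    blocks = []
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("!"):
            continue
        if raw[0] in " \t":          # indented: belongs to the previous top-level line
            if blocks:
                blocks[-1][1].append(raw.strip())
        else:
            blocks.append((raw.strip(), []))
    return blocks


def audit(text, mgmt_vrf="management"):
    """Return a list of (code, subject) findings; empty means nothing flagged.

    Assumes the AAA and syslog servers are reached through mgmt0, which on
    NX-OS sits in VRF `mgmt_vrf`, so every server group and logging server
    is expected to carry "use-vrf <mgmt_vrf>".
    """
    findings = []
    hosts, groups, referenced = set(), {}, set()
    for line, children in parse_blocks(text):
        if (m := re.match(r"tacacs-server host (\S+)", line)):
            hosts.add(m.group(1))
        elif (m := re.match(r"aaa group server tacacs\+ (\S+)", line)):
            servers = [c.split()[1] for c in children if c.startswith("server ")]
            vrf = next((c.split()[1] for c in children if c.startswith("use-vrf ")), None)
            groups[m.group(1)] = (servers, vrf)
        elif (m := re.match(r"aaa (?:authentication|authorization|accounting) .*\bgroup (\S+)", line)):
            referenced.add(m.group(1))
        elif (m := re.match(r"logging server (\S+)(.*)", line)):
            vm = re.search(r"use-vrf (\S+)", m.group(2))
            if vm is None:
                findings.append(("LOGGING_NO_VRF", m.group(1)))
            elif vm.group(1) != mgmt_vrf:
                findings.append(("LOGGING_VRF_MISMATCH", f"{m.group(1)}:{vm.group(1)}"))
    for name, (servers, vrf) in groups.items():
        if vrf is None:               # NX-OS then uses the default VRF, not mgmt0
            findings.append(("NO_USE_VRF", name))
        elif vrf != mgmt_vrf:
            findings.append(("VRF_MISMATCH", f"{name}:{vrf}"))
        for server in servers:        # a member with no host line has no key or port
            if server not in hosts:
                findings.append(("UNDEFINED_SERVER", f"{name}:{server}"))
    for name in referenced - set(groups):
        findings.append(("UNKNOWN_GROUP", name))
    return findings


if __name__ == "__main__":
    for code, subject in audit(SAMPLE_CONFIG):
        print(f"{code:22} {subject}")
```

Feed it the output of "show running-config" saved to a file; a clean result is an empty list. The check is deliberately syntactic, so it will not notice a group that is correct but whose servers simply are not reachable, and it does not try to decode the type 7 keys.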

CARL LINDAHL Fri, 12/31/2010 - 05:45

Dan,


I agree that is how we have configured it, but we were not receiving any syslog messages on our external boxes until we created a loopback interface. We are running "4.0(4)SV1(3a)" of the 1000v. Very interesting indeed.

scott.hammond Fri, 01/07/2011 - 07:58

I'm struggling with the same thing, but specifying the VRF did not fix it. I never see the 1000v even attempt to hit ACS, yet the debug on the 1000v shows a failure that I can't account for.


2011 Jan  7 10:50:38.599747 aaa: is_aaa_resp_status_success is FALSE
2011 Jan  7 10:50:38.599760 aaa: protocol TACACS failed with server group tacacs
2011 Jan  7 10:50:38.599771 aaa: try_next_aaa_method
2011 Jan  7 10:50:38.599784 aaa: aaa_method_config: GET request for authentication login default
2011 Jan  7 10:50:38.599796 aaa: aaa_method_config: GET methods group tacacs 
2011 Jan  7 10:50:38.599808 aaa: got back the return value of aaa method configuration operation:success
2011 Jan  7 10:50:38.599819 aaa: total methods configured is 1, current index to be tried is 1
2011 Jan  7 10:50:38.599831 aaa: All Configured methods failed for login:default
2011 Jan  7 10:50:38.599842 aaa: try_fallback_method
2011 Jan  7 10:50:38.599852 aaa: handle_req_using_method
2011 Jan  7 10:50:38.599863 aaa: local_method_handler
2011 Jan  7 10:50:38.599873 aaa: LOCAL Authentication req
2011 Jan  7 10:50:38.599883 aaa: AAA_AUTHEN_TYPE_PAP


My config:

tacacs-server key 7 "vqtjjb"
tacacs-server timeout 10
tacacs-server host 10.60.90.100 key 7 "vqtjjb"
tacacs-server host 10.61.90.100 key 7 "vqtjjb"
aaa group server tacacs+ tacacs
    server 10.60.90.100
    server 10.61.90.100
    use-vrf default (tried default and management with no luck)


aaa authentication login default group tacacs
aaa authentication login console group tacacs
aaa accounting default group tacacs
aaa authentication login error-enable
tacacs-server directed-request
