I'm having some problems trying to get TACACS+ authentication/authorization working with my Nexus 5010, version 4.1(3)N2(1).
Would someone mind sanity checking my config? I've included the logs from the Nexus and the logs from the TACACS+ server. The TACACS+ server is working fine and authenticates other Cisco IOS-based devices.
aaa authentication login default group test-tac
aaa authorization config-commands default group test-tac local
aaa authorization commands default group test-tac local
aaa accounting default group test-tac
aaa authentication login error-enable

aaa group server tacacs+ test-tac
  server 192.168.20.2
  use-vrf management

interface mgmt0
  vrf member management
  ip address 192.168.20.201/24

vrf context management
  ip route 0.0.0.0/0 192.168.20.254
2010 Jul 15 05:44:00 sw02-5k %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user test01 from 192.168.20.1 - login
sw02-5k# ping 192.168.20.2 vrf management
PING 192.168.20.2 (192.168.20.2): 56 data bytes
64 bytes from 192.168.20.2: icmp_seq=0 ttl=63 time=21.983 ms
64 bytes from 192.168.20.2: icmp_seq=1 ttl=63 time=2.926 ms
64 bytes from 192.168.20.2: icmp_seq=2 ttl=63 time=2.793 ms
64 bytes from 192.168.20.2: icmp_seq=3 ttl=63 time=3.109 ms
64 bytes from 192.168.20.2: icmp_seq=4 ttl=63 time=3.127 ms

--- 192.168.20.2 ping statistics ---
5 packets transmitted, 5 packets received, 0.00% packet loss
round-trip min/avg/max = 2.793/6.787/21.983 ms
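As an added example (editor's code, not the poster's), here is a small checker that does the "sanity check" mechanically: it parses an NX-OS AAA excerpt and verifies that every method list references a defined `aaa group server tacacs+` block, that the group has at least one `server`, that its `use-vrf` names a configured `vrf context`, and that each server IP also appears in a `tacacs-server host` line (the command where the shared key is configured). It also parses the `pam_aaa` failure line in the format shown above; note that the `from` address in that message is the address the login attempt came from, not the TACACS+ server. The config text is a constructed copy of the post's excerpt, the `tacacs-server host` key value in the usage is a placeholder, and the log regex is an assumption fitted to the single line shown.

```python
import re
from typing import Dict, List, Set

# Constructed sample: the NX-OS excerpt from the post, re-typed here.
SAMPLE_CONFIG = """\
aaa authentication login default group test-tac
aaa authorization config-commands default group test-tac local
aaa authorization commands default group test-tac local
aaa accounting default group test-tac
aaa authentication login error-enable
aaa group server tacacs+ test-tac
  server 192.168.20.2
  use-vrf management
interface mgmt0
  vrf member management
  ip address 192.168.20.201/24
vrf context management
  ip route 0.0.0.0/0 192.168.20.254
"""

# Constructed sample log line in the format the post shows.
SAMPLE_LOG = ("2010 Jul 15 05:44:00 sw02-5k %AUTHPRIV-3-SYSTEM_MSG: "
              "pam_aaa:Authentication failed for user test01 from 192.168.20.1 - login")


def parse_config(text: str) -> Dict[str, object]:
    """Pull out the parts of an NX-OS AAA config that must agree with each other."""
    groups: Dict[str, Dict[str, object]] = {}
    vrfs: Set[str] = set()
    hosts: Set[str] = set()     # tacacs-server host entries (where the shared key lives)
    referenced: List[str] = []  # group names used by aaa method lists
    current = None              # group block we are currently inside, if any
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = re.match(r"aaa group server tacacs\+ (\S+)", line)
        if m:
            current = groups.setdefault(m.group(1), {"servers": [], "vrf": None})
            continue
        if not raw.startswith(" "):
            current = None      # an unindented line ends the group block
        if current is not None:
            m = re.match(r"server (\S+)", line)
            if m:
                current["servers"].append(m.group(1))
            m = re.match(r"use-vrf (\S+)", line)
            if m:
                current["vrf"] = m.group(1)
        m = re.match(r"vrf context (\S+)", line)
        if m:
            vrfs.add(m.group(1))
        m = re.match(r"tacacs-server host (\S+)", line)
        if m:
            hosts.add(m.group(1))
        m = re.match(r"aaa (?:authentication|authorization|accounting) .*?group (\S+)", line)
        if m:
            referenced.append(m.group(1))
    return {"groups": groups, "vrfs": vrfs, "hosts": hosts, "referenced": referenced}


def sanity_check(text: str) -> List[str]:
    """Return a list of findings; an empty list means the cross-references line up."""
    cfg = parse_config(text)
    findings: List[str] = []
    for name in sorted(set(cfg["referenced"])):
        if name not in cfg["groups"]:
            findings.append(f"method list references undefined group '{name}'")
    for name, g in cfg["groups"].items():
        if not g["servers"]:
            findings.append(f"group '{name}' has no server entries")
        if g["vrf"] and g["vrf"] not in cfg["vrfs"]:
            findings.append(f"group '{name}' uses vrf '{g['vrf']}' which has no 'vrf context'")
        for ip in g["servers"]:
            if ip not in cfg["hosts"]:
                findings.append(
                    f"server {ip} in group '{name}' has no 'tacacs-server host' line (shared key)")
    return findings


# Assumed message shape, fitted to the one line in the post.
PAM_AAA_RE = re.compile(
    r"^(?P<ts>\d{4} \w{3} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) "
    r"%AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user (?P<user>\S+) "
    r"from (?P<src>\S+) - (?P<svc>\S+)$"
)


def parse_auth_failure(line: str) -> Dict[str, str]:
    """Parse one pam_aaa failure line; 'src' is the client that attempted the login."""
    m = PAM_AAA_RE.match(line)
    if not m:
        raise ValueError("not a pam_aaa authentication failure line")
    return m.groupdict()


if __name__ == "__main__":
    for f in sanity_check(SAMPLE_CONFIG):
        print("finding:", f)
    # Adding the host line (placeholder key) clears the finding:
    fixed = SAMPLE_CONFIG + "tacacs-server host 192.168.20.2 key 7 PLACEHOLDER_KEY\n"
    print("findings after adding host line:", sanity_check(fixed))
    print(parse_auth_failure(SAMPLE_LOG))
```

Run against the excerpt as pasted, the only finding is the missing `tacacs-server host` entry for 192.168.20.2, which may simply be because the poster did not paste that line; the parser treats any unindented line as the end of a group block, matching how NX-OS indents sub-commands in `show running-config`.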
Re: Nexus 5010 unable to authenticate using tacacs+
I do not have much experience with Nexus, but assuming that it is similar to other IOS I will give it a shot.
Your config looks ok to me.
I do notice that your config says that the authentication server is at 192.168.20.2, but that is not the address mentioned in the log error message: "Authentication failed for user test01 from 192.168.20.1".
Is there a debug for AAA authentication in Nexus similar to what is available in IOS? If so, it might be worth running the debug and trying again to log in.