New Member

Nexus 7000 AAA tacacs+ issue

I cannot get the AAA tacacs+ authentication to work on my Nexus 7000. The following is the logging error I get:

2011 Dec  7 01:17:05 MCN-CORE-D-7020 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user ctcrgrf from 172.26.32.200 - sshd[16930]

2011 Dec  7 01:17:05 MCN-CORE-D-7020 %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user ctcrgrf from 172.26.32.200 - sshd[16922]

2011 Dec  7 01:17:08 MCN-CORE-D-7020 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user ctcrgrf from 172.26.32.200 - sshd[16935]

2011 Dec  7 01:17:08 MCN-CORE-D-7020 %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user ctcrgrf from 172.26.32.200 - sshd[16922]

2011 Dec  7 01:17:08 MCN-CORE-D-7020 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user ctcrgrf from 172.26.32.200 - sshd[16936]

2011 Dec  7 01:17:08 MCN-CORE-D-7020 %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user ctcrgrf from 172.26.32.200 - sshd[16922]

2011 Dec  7 01:17:42 MCN-CORE-D-7020 %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by ncbranch on 172.26.22.20@pts/0

2011 Dec  7 01:19:46 MCN-CORE-D-7020 %VSHD-5-VSHD_SYSLOG_CONFIG_I: Configured from vty by ncbranch on 172.26.22.20@pts/0

2011 Dec  7 01:29:34 MCN-CORE-D-7020 %AUTHPRIV-3-SYSTEM_MSG: pam_aaa:Authentication failed for user ctcrsrackj from 172.26.22.20 - sshd[17316]

2011 Dec  7 01:29:34 MCN-CORE-D-7020 %DAEMON-3-SYSTEM_MSG: error: PAM: Authentication failure for illegal user ctcrsrackj from 172.26.22.20 - sshd[17315]

Relevant config:

MCN-CORE-D-7020# show run tacacs+

!Command: show running-config tacacs+

!Time: Wed Dec  7 01:33:42 2011

version 5.1(3)

feature tacacs+

tacacs-server key 7 "XXXXXXX"

ip tacacs source-interface mgmt0

tacacs-server timeout 60

tacacs-server host 172.26.32.200

tacacs-server host 172.25.35.9

aaa group server tacacs+ tacacs+

    server 172.26.32.200

    server 172.25.35.9

    use-vrf management

    source-interface mgmt0

All users get this same error when trying to log in. Any other switch works with that username.

4 REPLIES
VIP Super Bronze

Nexus 7000 AAA tacacs+ issue

Can you add this command to your tacacs config and test again?

aaa authentication login default group tacacs+ tacacs+

HTH

New Member

Nexus 7000 AAA tacacs+ issue

I forgot to put that I originally had that in there. I put it back but I get the same response.

MCN-CORE-D-7020# sh run tacacs+ all

!Command: show running-config tacacs+ all

!Time: Wed Dec  7 13:21:47 2011

version 5.1(3)

feature tacacs+

tacacs-server key 7 "XXXXXXXXX"

ip tacacs source-interface mgmt0

tacacs-server test username test password test idle-time 0

tacacs-server timeout 60

tacacs-server deadtime 0

tacacs-server host 172.26.32.200 port 49

tacacs-server host 172.25.35.9 port 49

tacacs-server host 172.26.32.200 test username test password test idle-time 0

tacacs-server host 172.25.35.9 test username test password test idle-time 0

aaa group server tacacs+ tacacs+

    server 172.26.32.200

    server 172.25.35.9

    use-vrf management

    source-interface mgmt0

MCN-CORE-D-7020# sh run aaa

!Command: show running-config aaa

!Time: Wed Dec  7 13:21:54 2011

version 5.1(3)

aaa authentication login default group tacacs+ tacacs+

tacacs-server directed-request

Keith
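A consistency check over the two outputs posted above, as an added example that is not part of the thread and not Cisco tooling: it confirms that the login method list names a defined TACACS+ server group and that every server in a group also has a `tacacs-server host` entry. The function name and finding strings are assumptions made for illustration, and the check assumes every group in the method list is a named group defined in the same pasted output.

```python
import re

KEYWORDS = {"local", "none"}  # fallback keywords, not server-group names

def check_tacacs_config(text):
    """Cross-check pasted 'show run tacacs+' / 'show run aaa' output; return findings."""
    hosts, groups, login, current = set(), {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue  # skip blanks and '!Command:' / '!Time:' banner lines
        if not raw[0].isspace():
            current = None  # a top-level command ends any group sub-mode
        if m := re.match(r"tacacs-server host (\S+)", line):
            hosts.add(m.group(1))
        elif m := re.match(r"aaa group server tacacs\+ (\S+)", line):
            current = groups.setdefault(m.group(1), [])
        elif current is not None and (m := re.match(r"server (\S+)", line)):
            current.append(m.group(1))
        elif m := re.match(r"aaa authentication login default group (.+)", line):
            login = [g for g in m.group(1).split() if g not in KEYWORDS]
    findings = []
    if login is None:
        findings.append("no 'aaa authentication login default group ...' line")
    for name in dict.fromkeys(login or []):  # de-duplicate, keep order
        if name not in groups:
            findings.append(f"login method references undefined group {name!r}")
    for name, servers in groups.items():
        for s in servers:
            if s not in hosts:
                findings.append(f"group {name!r} server {s} has no tacacs-server host entry")
    return findings

# Sample input: configuration lines as posted in the thread (key line omitted)
SAMPLE = """\
tacacs-server host 172.26.32.200 port 49
tacacs-server host 172.25.35.9 port 49
aaa group server tacacs+ tacacs+
    server 172.26.32.200
    server 172.25.35.9
    use-vrf management
aaa authentication login default group tacacs+ tacacs+
"""

if __name__ == "__main__":
    for finding in check_tacacs_config(SAMPLE) or ["no findings"]:
        print(finding)
```

On the posted configuration the check reports no findings, so the method list, group and host entries are internally consistent.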

New Member

Nexus 7000 AAA tacacs+ issue

Hi All,

I've the same logging errors on my N7K. Have you found the problem, and can you tell me a solution?

Many thanks !!!!

br

Jens

New Member

Nexus 7000 AAA tacacs+ issue

No, I have a TAC case open on it. So far it seems it's a problem with the freeware (TacPlus) software my company is using to do AAA.

Keith
