Cisco Support Community

New Member

TACACS+ Cisco NAM Module Configuration

I am not able to configure TACACS+ on our NAM module. I have followed the guidelines in the help option; Admin tab, Users, TACACS+. I have put all the proper information in this area, and configured our ACS Server with the appropriate IP address and key of the NAM module. Am I missing something?

6 REPLIES
Blue

Re: TACACS+ Cisco NAM Module Configuration

NAM model and software version running on it?

Verify that you entered the correct TACACS+ server name and secret key and that you are using the same secret key as the one configured in the TACACS+ server.

If you use a generic TACACS+ server, make sure that it supports Password Authentication Protocol (PAP) and that PAP is selected.

You can also check system alerts for any TACACS+-related messages.

Log into the NAM Traffic Analyzer as a local user.

- Click the Admin tab.

- Click Diagnostics.

- In the contents, click Tech Support.

- Scroll down to the /var/log/messages section.

- Look for any messages related to this that will tell you why this is failing.

New Member

Re: TACACS+ Cisco NAM Module Configuration

Message in: cat /var/log/messages -

Jul 23 12:43:33 nam PAM-tacplus[770]: TACACS+ authorisation failed for [username]

Jul 23 12:43:42 nam last message repeated 11 times

Jul 23 12:46:10 nam PAM-tacplus[771]: TACACS+ authorisation failed for [username]

Jul 23 12:46:11 nam last message repeated 5 times

Jul 23 12:48:10 nam PAM-tacplus[659]: TACACS+ authorisation failed for [username]

Jul 23 12:48:11 nam last message repeated 5 times

Version is:

Cisco Network Analysis Module (WS-X6380-NAM) 2.1(2)

Do the individual accounts still need to be created on the NAM web interface? That doesn't make any sense, but I can see logging for myself on the ACS for the NAM module access. Just no other people I've set up can, from my PC. No ACLs are actively blocking anyone either...
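An added example, not part of the original post or of any Cisco tooling: a small Python parser for the /var/log/messages excerpt quoted above. It folds syslog's "last message repeated N times" lines back into the PAM-tacplus message they follow and reports which phase failed, for which user, and how often. The function name and the assumption that other phases are logged in the same "<phase> failed for <user>" shape are mine.

```python
import re
from collections import Counter

# The log lines quoted in the post above (the username is already redacted there).
SAMPLE_LOG = """\
Jul 23 12:43:33 nam PAM-tacplus[770]: TACACS+ authorisation failed for [username]
Jul 23 12:43:42 nam last message repeated 11 times
Jul 23 12:46:10 nam PAM-tacplus[771]: TACACS+ authorisation failed for [username]
Jul 23 12:46:11 nam last message repeated 5 times
Jul 23 12:48:10 nam PAM-tacplus[659]: TACACS+ authorisation failed for [username]
Jul 23 12:48:11 nam last message repeated 5 times
"""

SYSLOG = re.compile(r"^(\w{3}\s+\d+\s[\d:]{8})\s(\S+)\s(.*)$")
# Assumption: other phases (e.g. authentication) are logged in the same shape.
TACPLUS = re.compile(r"^PAM-tacplus\[(\d+)\]:\s+TACACS\+\s+(\w+) failed for (.+)$")
REPEAT = re.compile(r"^last message repeated (\d+) times?$")


def summarize_tacplus_failures(text):
    """Return ((phase, user) totals, per-burst records) with repeats expanded."""
    totals = Counter()
    bursts = []   # one record per logged failure plus the repeats that follow it
    last = {}     # host -> burst the previous line belonged to, or None
    for line in text.splitlines():
        m = SYSLOG.match(line.strip())
        if not m:
            continue
        ts, host, msg = m.groups()
        rep = REPEAT.match(msg)
        if rep:
            burst = last.get(host)
            if burst is not None:   # the repeated message was a TACACS+ failure
                burst["events"] += int(rep.group(1))
                totals[(burst["phase"], burst["user"])] += int(rep.group(1))
            continue                # keep 'last': repeat lines can chain
        t = TACPLUS.match(msg)
        if t:
            burst = dict(first_seen=ts, pid=int(t[1]), phase=t[2], user=t[3], events=1)
            bursts.append(burst)
            totals[(t[2], t[3])] += 1
            last[host] = burst
        else:
            last[host] = None       # an unrelated message breaks the repeat chain
    return totals, bursts


if __name__ == "__main__":
    print(summarize_tacplus_failures(SAMPLE_LOG))
```

On the quoted excerpt this shows three bursts, every one of them in the authorisation phase.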

Blue

Re: TACACS+ Cisco NAM Module Configuration

Have you also set up your TACACS server for NAM Authentication and Authorization? If not, then go through the steps listed at: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/fam_mod/svc_namx/rel3_1_1/3_1_ug/admin.htm#87182 to make sure that you have not missed anything. As for the other issue, you can use TACACS+ either in addition to a local database or instead of a local database. (The local database is always checked first.) To use only TACACS+, you can eliminate the local database users by either of these methods:

* Use the NAM CLI rmwebusers command to remove only local users, not TACACS+ users, as they are administered separately on the TACACS+ server.

* From the Admin tab, click Users, then delete all local database users individually.

Caution: Do not delete all local database web users until you have verified that you can log into the NAM Traffic Analyzer as a TACACS+ user.

New Member

Re: TACACS+ Cisco NAM Module Configuration

I figured out what I had wrong. Under the Group settings, there are some options that should be checked. I will provide a link to the information that I used to resolve my problem.

New Member

Re: TACACS+ Cisco NAM Module Configuration

Here is a link to the information that I used to solve my problems...

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/fam_mod/x6380nam/rel2_1_1/re2_1_ug/admin.pdf

Blue

Re: TACACS+ Cisco NAM Module Configuration

This is the same procedure for which I posted the URL above earlier. Thanks
