
TACACS+ Cisco NAM Module Configuration

matt.austin
Level 1

I am not able to configure TACACS+ on our NAM module. I have followed the guidelines in the help option; Admin tab, Users, TACACS+. I have put all the proper information in this area, and configured our ACS Server with the appropriate IP address and key of the NAM module. Am I missing something?

6 Replies

rmushtaq
Level 8

NAM model and software version running on it?

Verify that you entered the correct TACACS+ server name and secret key and that you are using the same secret key as the one configured in the TACACS+ server.

If you use a generic TACACS+ server, make sure that it supports Password Authentication Protocol (PAP) and that PAP is selected.

You can also check system alerts for any TACACS+-related messages.

Log into the NAM Traffic Analyzer as a local user.

- Click the Admin tab.

- Click Diagnostics.

- In the contents, click Tech Support.

- Scroll down to the /var/log/messages section.

- Look for any messages related to this that will tell you why this is failing.

Message in: cat /var/log/messages -

Jul 23 12:43:33 nam PAM-tacplus[770]: TACACS+ authorisation failed for [username]

Jul 23 12:43:42 nam last message repeated 11 times

Jul 23 12:46:10 nam PAM-tacplus[771]: TACACS+ authorisation failed for [username]

Jul 23 12:46:11 nam last message repeated 5 times

Jul 23 12:48:10 nam PAM-tacplus[659]: TACACS+ authorisation failed for [username]

Jul 23 12:48:11 nam last message repeated 5 times

Version is:

Cisco Network Analysis Module (WS-X6380-NAM) 2.1(2)

Do the individual accounts still need to be created on the NAM web interface? That doesn't make any sense, but I can see logging for myself on the ACS for the NAM module access. Just no other people I've set up can, from my PC. No ACLs are actively blocking anyone either...

Have you also set up your TACACS server for NAM Authentication and Authorization? If not, then go through the steps listed at: http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/fam_mod/svc_namx/rel3_1_1/3_1_ug/admin.htm#87182 to make sure that you have not missed anything. As for the other issue, you can use TACACS+ either in addition to a local database or instead of a local database. (The local database is always checked first.) To use only TACACS+, you can eliminate the local database users by either of these methods:

* Use the NAM CLI rmwebusers command to remove only local users, not TACACS+ users, as they are administered separately on the TACACS+ server.

* From the Admin tab, click Users, then delete all local database users individually.

Caution: Do not delete all local database web users until you have verified that you can log into the NAM Traffic Analyzer as a TACACS+ user.

I figured out what I had wrong. Under the Group settings, there are some options that should be checked. I will provide a link to the information that I used to resolve my problem.

Here is a link to the information that I used to solve my problems...

http://www.cisco.com/univercd/cc/td/doc/product/lan/cat6000/fam_mod/x6380nam/rel2_1_1/re2_1_ug/admin.pdf

This is the same procedure for which I posted the URL above earlier. Thanks
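
Added example (not part of the thread or of Cisco's documentation): a short Python script that tallies the PAM-tacplus failures from a saved copy of the /var/log/messages section per user, folding in syslog's "last message repeated N times" lines so the real failure count for each account is visible. The usernames in the sample are constructed, and the pattern assumes the message wording quoted in the thread above.

```python
import re
from collections import Counter

# Constructed sample in the format quoted in the thread (usernames are made up).
SAMPLE = """\
Jul 23 12:43:33 nam PAM-tacplus[770]: TACACS+ authorisation failed for alice
Jul 23 12:43:42 nam last message repeated 11 times
Jul 23 12:46:10 nam PAM-tacplus[771]: TACACS+ authorisation failed for bob
Jul 23 12:46:11 nam last message repeated 5 times
Jul 23 12:47:02 nam kernel: eth0: link up
Jul 23 12:47:05 nam last message repeated 2 times
Jul 23 12:48:10 nam PAM-tacplus[659]: TACACS+ authorisation failed for alice
"""

# "<phase> failed for <user>"; the phase word is captured rather than hard-coded
# because only the "authorisation" wording appears in the thread.
FAIL = re.compile(r"PAM-tacplus\[\d+\]: TACACS\+ (\w+) failed for (\S+)")
REPEAT = re.compile(r"last message repeated (\d+) times?$")


def summarize(log_text):
    """Return Counter {(user, phase): failures}, expanding syslog repeat lines."""
    counts = Counter()
    last_key = None  # key of the previous line if it was a TACACS+ failure
    for line in log_text.splitlines():
        m = FAIL.search(line)
        if m:
            last_key = (m.group(2), m.group(1))
            counts[last_key] += 1
            continue
        r = REPEAT.search(line)
        if r:
            # A repeat line refers to the line before it; count it only when
            # that line was a TACACS+ failure.
            if last_key is not None:
                counts[last_key] += int(r.group(1))
            continue
        last_key = None  # an unrelated message breaks the chain
    return counts


if __name__ == "__main__":
    for (user, phase), n in summarize(SAMPLE).most_common():
        print(f"{user}: {n} {phase} failures")
```

A user who appears here while the ACS shows passed authentications for the same account points at the authorization settings on the server side, which is where the original poster found the problem.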