Can you test with telnet? There is also a test command you can issue from the MDS command line to validate a user/password against a specific tacacs+ server. the syntax is 'test aaa server tacacs+ x.x.x.x username password' You may want to use this to test the tacacs+ operation. I'm not sure what that message means, but it almost looks like the username being sent from the MDS is not valid. It might be something like firstname.lastname@example.org or something like that depending on how the SSH client sends the username/pass into the MDS upon login. Also remember that you will need to have your tacacs+ server pass back a role for the user, or even if the password is valid, the user will end up with 'network-operator'. TACACS+ uses 2 separate flows to authenticate and then authorize a user. First the user/pass is checked, then a second flow is used when the MDS 'asks' the tacacs+ server what role the user should get. The role name passed back by the server must be configured in the MDS, or the user gets' network-operator'. The role name is passed back using the 'cisco-av-pairs' attribute.
Also, your configured 'key' should match what is configured in the MDS tacacs-server host line, and in the tacacs+ server configuration for the MDS as a valid device to send authentication requests to the tacacs+ server.
Here is how I configured user test with password test2 and role = barroom-keeper in a program called TAC_PLUS.
Yes...it is working as designed. The MDS will only use the local user database if the TACACS+ server is not reachable. This is not the same as getting a negative response for the user. If configured to use the TACACS+ to authenticate users, it will send auth request to the TACACS+ server. The only time the user would be validated against the local database is if the TACACS+ server did not respond at all.
VMware Trunk Port Group is supported from ACI version 2.1
VMM integration must be configured properly
ASA device package must be uploaded to APIC
ASAv version must be compatible with ACI and device package version
In the Previous articles of ACI Automation, we are using Postman/Newman as the Rest API tool to automate the ACI Configuration.
In this article I’m going to discuss on usin...
One of the first steps in building your ACI Fabric is to go through Fabric Discovery. While Fabric Discovery is usually a straightforward process, there are various issues that may prevent you from discovering an ACI switch. This article wil...