UCS AAA setup

regibbons
Level 1

Well, I've been working on this off and on for a few months (yikes) now, and we are still using local authentication for UCS rather than tacacs. I am attaching a few screenshots of how things are set up that I believe encompasses everything, but am more than willing to provide more info if needed. The pics are - how the UCS looks, how AAA looks for the UCS, how the one user (me) I'm testing looks. I essentially did my best to follow the instructions in

http://www.cisco.com/en/US/docs/unified_computing/ucs/sw/gui/config/guide/1.4/UCSM_GUI_Configuration_Guide_1_4_chapter7.pdf

but to no avail. Essentially, I believe that the UCS isn't even trying to contact the ACS server. I tested that by trying (unsuccessfully) to log in to UCS 10 times, and it not locking my tacacs account. Any help greatly appreciated, and more information requested will be provided.

Thanks

4 Replies

Russell -

Can you confirm that you can ping the ACS server from the UCS FI CLI?  Does the admin aaa role exist on the UCS?

Jen

mipetrin
Cisco Employee

Russell,

Additionally, you can verify the user and tacacs from the NX-OS CLI with the following:

UCS-250-A(nxos)# test aaa server tacacs+ 10.10.10.10 myuser mypass

Thanks,

Michael

regibbons
Level 1

Jen,

  I can ping from local-mgmt. There is an admin role and a aaa role on the UCS.

Michael,

  That command, when substituted for my values, gives me an error authenticating to server.

Hi Russell,

If it returns an error authenticating, sounds like there is a problem with the user/pass combination. Can you verify that they are correct?

Additionally, looking at the screenshots, you should select the "Shell(exec)" for the aaa-user on your ACS.

Setup TACACS Authentication for Cisco UCS

Let me know how you go.

Thanks,

Michael
