[tac_plus] Tacacs+ and NX-OS
Manuel Strauch
manuel.strauch at gmx.de
Thu Dec 6 12:25:55 UTC 2012
Dear Sir or Madam,
I am now using your program tac_plus on several Cisco IOS devices (like
Catalyst switches) in the company I work for.
Now we are going to get Nexus devices (like 3048tp) and I wanted to
connect these devices to my Tacacs server as well, but I have a small (?)
problem with it.
I configured my test device like this:
---------------------------------
feature tacacs+
tacacs+ distribute
tacacs-server key 7 "wawyanb123"
ip tacacs source-interface mgmt0
tacacs-server test username test password test123
tacacs-server host 172.18.13.220 key 7 "wawyanb123"
tacacs+ commit
ip access-list copp-system-acl-tacacsradius
  10 permit tcp any any eq tacacs
  20 permit tcp any eq tacacs any
class-map type control-plane match-any copp-tacacsradius
  match access-group name copp-system-acl-tacacsradius
class copp-tacacsradius
tacacs-server directed-request
aaa group server tacacs+ ACS
aaa authentication login default group ACS
aaa authentication login console group ACS
aaa accounting default group ACS
aaa authentication login error-enable
---------------------------------
My serverside config is like the following:
---------------------------------
group = netadmin {
    default service = permit
    acl = LEVELBASED-ACL
    service = exec {
        idletime = 5
        timeout = 15
        shell:roles="network-admin"
    }
}
user = root {
    login = des "gDdcHHV9ThP02"
    enable = des "gDdcHHV9ThP02"
    member = netadmin
    name = "root"
}
---------------------------------
These are the configurations I found on several websites, which should work.
The device and the server are communicating successfully, but it doesn't
matter what I type into the login panel, I can't log in with the logins I set.
Error messages:
On the device:
Nexus 3000 Switch
login: root
Password:
Login incorrect
In the syslog of the tacacs server:
Dec 6 13:20:03 NagiosNG tac_plus[32545]: login failure: root 172.18.13.223 (172.18.13.223) 3001
In both logs, "tacwho.log" and "tac_pluss.acct", nothing is shown about
my login tries.
Now my problem in a few words:
I thought I had configured my device and my server well for good
communication between both, but it seems that there is a failure in it,
and I can't figure out where the failure was made, so maybe you can
help me with this problem.
If you need any other log entries, I can send you anything you need.
Thank you very much in advance for your answer,
Manuel Strauch