[tac_plus] Tacacs+ and NX-OS

Daniel Schmidt daniel.schmidt at wyo.gov
Thu Dec 6 19:09:25 UTC 2012


Try pap = des.  Also, check out tacacs.org for a write-up I did, back when
I had time to work on that sort of thing.

-----Original Message-----
From: tac_plus-bounces at shrubbery.net
[mailto:tac_plus-bounces at shrubbery.net] On Behalf Of Manuel Strauch
Sent: Thursday, December 06, 2012 5:26 AM
To: tac_plus at shrubbery.net
Subject: [tac_plus] Tacacs+ and NX-OS

Dear Sir or Madam,

I am using your program tac_plus on several Cisco IOS devices (like
Catalyst switches) in the company I work for.
Now we are going to get Nexus devices (like the 3048TP) and I wanted to
connect these devices to my TACACS+ server as well, but I have a small (?)
problem with it.

I configured my test device like this:
---------------------------------
feature tacacs+
tacacs+ distribute
tacacs-server key 7 "wawyanb123"
ip tacacs source-interface mgmt0
tacacs-server test username test password test123
tacacs-server host 172.18.13.220 key 7 "wawyanb123"
tacacs+ commit
ip access-list copp-system-acl-tacacsradius
   10 permit tcp any any eq tacacs
   20 permit tcp any eq tacacs any
class-map type control-plane match-any copp-tacacsradius
   match access-group name copp-system-acl-tacacsradius
   class copp-tacacsradius
tacacs-server directed-request

aaa group server tacacs+ ACS
aaa authentication login default group ACS
aaa authentication login console group ACS
aaa accounting default group ACS
aaa authentication login error-enable
---------------------------------

My server-side config is like the following:
---------------------------------
group = netadmin {
        default service = permit
        acl = LEVELBASED-ACL
        service = exec {
                idletime = 5
                timeout = 15
                shell:roles="network-admin"
        }
}

user = root {
        login = des "gDdcHHV9ThP02"
        enable = des "gDdcHHV9ThP02"
        member = netadmin
        name = "root"
}
---------------------------------
These are the configurations I found on several websites, which should
work.

The device and the server are communicating successfully, but no matter
what I type into the login panel, I can't log in with the logins I
set.

Error messages:
On the device:
Nexus 3000 Switch
login: root
Password:
Login incorrect

In the syslog of the tacacs server:
Dec  6 13:20:03 NagiosNG tac_plus[32545]: login failure: root 172.18.13.223 (172.18.13.223) 3001

In both logs, "tacwho.log" and "tac_plus.acct", nothing is shown about my
login tries.

Now my problem in a few words:
I thought I had configured my device and my server properly for
communication between the two, but it seems there is a fault somewhere,
and I can't figure out where the mistake was made, so maybe you can help
me with this problem.

If you need any other log entries, I can send you anything you need.

Thank you very much in advance for your answer,
Manuel Strauch
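As an added illustration, not taken from either message in this thread, here is what Daniel's suggestion looks like applied to Manuel's server-side configuration. It assumes, as the reply implies, that the Nexus switch authenticates the login with PAP, which tac_plus checks against the user's `pap` entry rather than the `login` entry Manuel defined; the shared secret is a placeholder, and the DES hash, group and role are the ones Manuel posted.

```text
# tac_plus.conf (added example, not the configuration from either message).
# <shared-secret-placeholder> stands in for the key configured on the switch.
key = "<shared-secret-placeholder>"

# Accounting records land here; an empty file after a login attempt means
# the session never got past authentication.
accounting file = /var/log/tac_plus.acct

group = netadmin {
        default service = permit
        # LEVELBASED-ACL is referenced in Manuel's config but defined elsewhere (not shown).
        acl = LEVELBASED-ACL
        service = exec {
                idletime = 5
                timeout = 15
                # NX-OS reads its role from this attribute.
                shell:roles="network-admin"
        }
}

user = root {
        # ASCII login, as used by IOS devices: checked against "login".
        login = des "gDdcHHV9ThP02"
        # PAP login, as sent by NX-OS: checked against "pap".
        # The same crypt(3) DES hash can be reused here.
        pap = des "gDdcHHV9ThP02"
        enable = des "gDdcHHV9ThP02"
        member = netadmin
        name = "root"
}
```

After the daemon is restarted with this file, a successful attempt from the Nexus should no longer produce the "login failure: root" line in syslog, and the session should appear in the accounting file; if the failure line persists, the shared secret is the next thing to compare on both sides.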
_______________________________________________
tac_plus mailing list
tac_plus at shrubbery.net
http://www.shrubbery.net/mailman/listinfo.cgi/tac_plus
E-Mail to and from me, in connection with the transaction 
of public business, is subject to the Wyoming Public Records 
Act and may be disclosed to third parties.