AAA/Identity/Nac :: Nexus 7000 Crashes Using Tacacs To ACS 4.1 Server

Apr 9, 2012

I see there is a similar post for Nexus 5000 to ACS 5.2.  Identical symptoms.  The supervisor crashed and switched to secondary.  Is there a comparable field for ACS 4.1 that needs to have something in it?

2012 Apr  9 11:07:55 va-core02 %$ VDC-1 %$ %SYSMGR-2-SERVICE_CRASHED: Service "Tacacs Daemon" (PID 9390) hasn't caught signal 11 (core will be saved).
2012 Apr  9 11:07:55 va-core02 %$ VDC-1 %$ %SYSMGR SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG: This supervisor will temporarily remain online in order to collect show tech-support. This behavior is configurable via 'system [no] auto-collect tech-support'.

View 2 Replies


Cisco AAA/Identity/Nac :: 7000 Setup Switch To Be Able To Authenticate Users With Tacacs+

May 2, 2012

I have a cisco nexus 7000 switch and a cisco ACS 5.2. I would like to setup the switch to be able to authenticate users with tacacs+ using RSA secureid tokens when they try to logon to the switch.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: TACACS Nexus 5548 Authorization?

Jan 3, 2012

I am having an issue with authorization on the Nexus 5548. Note: The tacacs configuration has and still works correctly with all non-Nexus gear.
 
Authentication succeeds, and initial authorization passes. However, all sh and config commands fail, though AAA Autho Config-Commands .... and Commands Default Group <Grp Name>, are configured.
 
ACS generates the following error: 13025 Command failed to match a Permit rule. The Selected Command Set is DenyAllCommands. I created an AllowAll, but am unclear how to associate this with Access Policy.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ACS 4.2 Tacacs Custom Attribute For Nexus 1000V

Jul 18, 2011

How to add a TACACS custom attribute to ACS 4.2 for Nexus 1000V: shell:roles="network-admin admin-vdc". In the interface configuration I've added a new service, service - shell, protocol - tacacs+. In the group settings I've enabled this attribute configuration. And it does not work. The default privilege level is assigned to any user with access allowed.

View 8 Replies View Related

Cisco AAA/Identity/Nac :: Setup Tacacs Config Onto New NEXUS 5000

May 26, 2011

I'm trying to set up a TACACS config on my new Nexus 5000 series. Nevertheless, the authentication doesn't work. Actually, I followed the config guide but something is not working or missing. I have set up everything through VMware with ACS installed on a Windows server.

View 20 Replies View Related

Cisco AAA/Identity/Nac :: Radius Authentication With ISE And Nexus 7000

Mar 24, 2013

I am trying to assign the right role to a user who authenticates to a Nexus 7k switch via RADIUS. I am using Cisco ISE version 1.1.1.268 and the Nexus version is 5.0.2. I have created a role on the Nexus.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: Nexus 5010 Allows TACACS And Local Authentication Concurrently

Jun 6, 2011

I am experiencing an issue where NX-OS on our 5010s is allowing both Local AND TACACS authentication concurrently.  If I don't configure any aaa authorization commands, the locally logged in user has unmitigated access to the device.  Once I enable aaa authorization, all commands issued by the locally logged in user are denied by ACS, but they can still log in to the device.  When I comb through the logs on the ACS server, I see successful logins when TACACS credentials are used, and also the failed attempts when the locally configured credentials are used.  On the switch, however, I receive "%TACACS-3-TACACS_ERROR_MESSAGE:  All servers failed to respond" when using locally configured credentials on the switch itself.  We are running ACS v4.2.

View 6 Replies View Related

Cisco AAA/Identity/Nac :: N7K Primary Tacacs Server Fail / Won't Switch Over To Another

Jan 23, 2012

Have you ever found the problem that, if I set two TACACS servers in my N7K and the primary TACACS server fails, it won't switch over to another TACACS server?

View 1 Replies View Related

Cisco AAA/Identity/Nac :: ASR 9010 Configuration To Connect To A Tacacs+ Server

Jun 10, 2013

We have an ASR 9010 with IOS XR, and we are making the configuration to connect to a TACACS+ server. This TACACS+ server works and is giving service to many other MPLS equipment. We have been following the guide:

Configuring AAA Services on Cisco ASR 9000 Series Routers

but we have had a lot of trouble; in fact, we have lost the administration of the box. At this moment the only lines that are in the ASR900 are: [code]

View 8 Replies View Related

Cisco AAA/Identity/Nac :: 6506-9 / TACACS+ Server Authentication Failed

Mar 15, 2010

I've configured my device 6506-9 with TACACS+ server authentication: [code]

but when I tried to access the device, it only uses local authentication and does not use TACACS (with username/password defined). Can it be an error in the configuration? On the other devices of the network this works properly; it's only wrong on the Cat6506-E.

View 6 Replies View Related

Cisco AAA/Identity/Nac :: ACS 5.1 - Can't Contact AD Server Slow TACACS Auth Response

Sep 28, 2011

Running ACS 5.1 appliance, and am seeing slow response on TACACS authentications due to the ACS trying to reach overseas AD servers and failing.  Is there any way to configure a /etc/host/ file locally on the ACS in order to force the appliance to use specific AD servers for authentication?  As I understand the process currently, the ACS appliance will query the top-level domain and get a list of all the AD servers in DNS.  In my case, this would include the AD servers overseas that we do not want to use.

View 1 Replies View Related

Cisco AAA/Identity/Nac :: 5520 - Change Shell Profile In ACS / TACACS Server Unavailable

Jan 17, 2012

I have two Nexus 5520 running 5.0(3)N1(1c).
 
I have both boxes heading off to ACS for TACACS login authentication and for command authorization. When I first set things up everything works fine. I have a shell profile configured in ACS with Cisco-av-pair*shell:roles="network-admin" to set the network-admin role. I even have command sets configured to deny the use of configure terminal as I am using switch configuration profiles. Everything runs fine. User logins are authenticated by ACS and users have the correct command set applied to them.
 
The problem comes when I make a change to a shell profile in ACS. Even something as simple as changing the name of a shell profile causes the 5520's to crash as soon as I try to log on. If I unplug the management link so that the TACACS server is unavailable I can log on fine with the local admin user.
 
The NEXUS console reports this error. (amongst many others)
 
EDNAM-NEXUS-2 %$ VDC-1 %$ %SYSMGR-2-SERVICE_CRASHED: Service "Tacacs Daemon" (PID 4331) hasn't caught signal 11 (core will be saved).
 
A show system reset-reason shows:
 
EDNAM-NEXUS-2# sh system reset-reason
----- reset reason for Supervisor-module 1 (from Supervisor in slot 1) ---
1) At 389 usecs after Wed Jan 18 12:32:49 2012
    Reason: Reset triggered due to HA policy of Reset
    Service: Tacacs Daemon hap reset
    Version: 5.0(3)N1(1c)

Could this be a bug with Nexus/ACS?

View 3 Replies View Related

Cisco Switching/Routing :: Nexus 7000 With Fabric Extenders Nexus 2000?

Mar 15, 2013

I have been tasked to replace the existing Cat 6500 and 3750 switches with Nexus 7000 and Nexus 2000. I was told initially my boss plans to get 2 x Nexus 7000 and then eventually blow up to 4 x Nexus 7000s. For Nexus, is there a list of tasks / points that I need to consider for building the initial design?
 
Can i just link the Nexus 7000 like the following?
 
N7k-A    =========   N7k-B
|                                   |           
lots of N2ks               lots of N2ks

View 12 Replies View Related

Cisco AAA/Identity/Nac :: MDS 9216i Switch - Nexus 4.27d And RSA Radius Server

Apr 13, 2011

I can authenticate between our MDS 9216i switch and RSA RADIUS server but my role does not come across. The logged in user is a network-operator, not admin. In the AV Pair I have defined shell:role*network-admin but it doesn't seem to come across.

View 4 Replies View Related

Cisco Switching/Routing :: Nexus 5000 Tacacs

Oct 8, 2012

I have a little problem. My customer is using TACP-PLUS ALPHA (F4.0.3.alpha.v9). Well, the same user that has access to other Cisco equipment, user test1 for example, can configure anything in the equipment. But in the Nexus 5000, the command "show user-account" indicates just the "network-operator" role. Well, I patched this situation with the following commands:

aaa authorization config-commands default group TACSERVER local
aaa authorization commands default group TACSERVER local
 
Well, when I telnet into the Nexus, I can shut the interfaces, config and anything. But when I come in by console, I cannot configure the interfaces. I understand that on the Nexus 5000 the TACACS configuration is global for VTY and Console (different from the Cisco routers, for example).

View 1 Replies View Related

Cisco WAN :: MPLS On Nexus 7000?

Dec 27, 2010

I wanted to know if I can, and when I will be able to, run the Nexus 7000 as a fully MPLS PE router (L2VPN, L3VPN etc.)?

The interfaces need to be 10Gbps so I need to use the 8-port and the 32-port M1 modules.

View 15 Replies View Related

Cisco Switching/Routing :: How To Configure Nexus 5548 TACACS+

Dec 12, 2011

I am working for an Air Force client and am adding a handful of 5548s into their network.  My question is how Tacacs+ is configured.  My hands are tied in regards to testing in an operational environment so I want to ensure the configs are correct prior to deployment/maintenance window and avoid any remote issues.
 
I have read the "Cisco Press - TACACS+" config guide and it was somewhat vague in regards to operational deployment.

My basic NX-OS configs are as follows:

- feature tacacs+
- tacacs-server key 7 "002A52xxxxxxxxxxxxxxxx8"
- tacacs-server host 128.xx.xx.xx timeout 10
- tacacs-server host 128.xx.xx.xx timeout 10
- tacacs-server directed-request
 
When I try to set the following command string, aaa authentication login default group tacacs+ local, the NX-OS asks me to input a "server group name".  There are no server groups configured.  Do I need them? Can I get by without configuring a group name, because the client probably will not?

The Cisco IOS devices are configured with normal aaa authentication/authorization parameters. Also, do the VTY ports default to sshv2 and the correct tacacs+ parameters with the "transport input ssh" command (not available)?

View 3 Replies View Related

Cisco WAN :: Routing Protocol Over Nexus 7000?

Feb 14, 2012

I just bought 2 Nexus 7000 to upgrade my primary/Production Data Center from 6509/MSFC. I'll keep the 6509E/SUP720 for the DR Data Center. I have ordered two 10Gig Wan Pipes between the Production and DR. In other words between the Nexus 7000 and the 6509E.
 
My problem is that I do not know the best way to do the routing between the 2 Data Centers. Currently I have MPLS with a provider connecting the 2 Data Centers using BGP on the CEs and I'm running EIGRP locally in the Cores. After the 10Gig comes to life, the MPLS will go away.

My QUESTION: Should I run iBGP between the 2 Nexus and iBGP between the 2 6509E/Sup 720 AND THEN run eBGP between the Nexus and the 6509/Sup 720 over the 10Gig WAN? OR should I collapse everything into one EIGRP domain/AS and just run EIGRP between the Nexus and 6509E/Sup 720 over the 10Gig WAN?

View 1 Replies View Related

Cisco :: Kernel Error On Nexus 7000

Oct 23, 2011

I work in an organization where we recently upgraded our core switches to Nexus 7000. Everything is set up well but we still keep getting this annoying message when we log in the switch. Also the time taken to login into the switch (ssh and telnet) is longer than normal. It is not affecting the network in any way but my concern is somewhere something is wrong and it will give us trouble in the future. How to troubleshoot the cause of this error message. [code]

View 3 Replies View Related

Cisco :: PRIMER LMS 4.1 And NEXUS 7000 Compatibility

Apr 6, 2012

Does LMS 4.1 support the Nexus 7000 bundle?

View 2 Replies View Related

Cisco WAN :: Nexus 7000 (NX-M132XP-12L) And QoS Statistics?

Sep 18, 2012

I have such input data:
 
2xN7K-C7010 - Nexus7000 C7010 (10 Slot) Chassis
2xN7K-M132XP-12 - 32x10Gbps
NX-OS version 6.1(1)
 
I have enabled (by default) the QoS feature on them:
 
N7k# show policy-map interface brief  
Interface/VLAN [Status]:INP QOS       OUT QOS       INP QUE       OUT QUE
================================================================================
port-channel1   [Active]:                            default-in-po default-out-p
port-channel2   [Active]:                            default-in-po default-out-p
port-channel10  [Active]:                            default-in-po default-out-p
Ethernet1/1     [Active]:                            default-in-po default-out-p

[code]....

View 3 Replies View Related

Cisco Application :: Migration From Nexus 7000 Without VDC To VDC

Jun 11, 2012

I am working on a DataCenter architecture where we would like to implement Nexus 7000. For the time being, there is only one "context", but we may take the opportunity to implement VDC in the future. I was not able to find a clear answer on the following:

Can we add the VDC licence and configure a new VDC on a Nexus 7000 running without VDC? I suppose this is possible, but does it need to have the whole configuration changed, or can adding a VDC be done without any interruption to the current environment?

View 2 Replies View Related

Cisco WAN :: Sampled Netflow From Nexus 7000

Apr 15, 2013

We have Nexus 7000s configured for sampled netflow. We have tools that should reconstruct the sampled flow records for management displays. Most tools require the flow record, option and template to be sent in order to reconstruct the sampled flow record. We have captured some of this traffic and noticed that the template contains "SamplerMode": Unknown (1) [See Nexus 1-1.png]. Is this usual or have we not included commands required for proper operation? [code]

View 2 Replies View Related

Cisco WAN :: Nexus 7000 Series NX-OS System

Nov 25, 2012

I am new to the Cisco Nexus 7000 Series NX-OS System of appliances. I am looking for the types of log events that are generated by Cisco Nexus 7000 switches. I need some documents which give me these references and some documents which have a log line explained.

View 2 Replies View Related

Cisco :: Nexus 7000 What Does It Mean CdaAG Is Not Implemented For Device

Mar 5, 2012

I configured LMS to manage many network devices with the same credential. However, only the Nexus 7000 fails to archive its configuration. The LMS log said that during telnet, the authentication failed 3 times. (I didn't use any authen server. The username and password are local, and in the DCR page, I only configured "Primary Credential", nothing in "Auto Update Credential".) Then I did a CAD check and it failed also. I opened the RME/CAD log and, comparing with the successful logs, there is one line different:

[ Mon Mar 05  16:04:27 SGT 2012 ],WARN ,[main], com.cisco.nm.rmeng.inventory.cda.CdaFacade,getCdaHandlerIf, 163,CdaAG is not implemented for the device145.240.152.1

What does "CdaAG is not implemented for the device" mean?

View 1 Replies View Related

Cisco WAN :: Port-channel Between Nexus 7000 And 55900?

Jan 16, 2011

I have configured my Nexus 7018 and 5548 as follows (see diag attached). Both 7000 and 5500 are vPC pairs (po1 and po2). Now I have created a port-channel between the 7018 and 5548 as port channel PO3 on the 5500. Would it give me 20g bandwidth as PO3, or only a 10g uplink to the 7018? Do I need to config all four 10g links in PO3 on both the 5500 and 7000 switches to achieve max b/w and failover?

View 4 Replies View Related

Cisco WAN :: Nexus 7000 Missing Licenses Which Should Come In Bundle

May 8, 2012

We have ordered the following 10 line items, but only got 3 licenses, unless the 3 licenses somehow have all the licenses integrated into the 3 part numbers below, but I suspect not.
  
Licenses attached from Cisco:-
 
N7K-C7009-XL-SBUN   Nexus 7009 Scalable Feature License                         x  1
N7K-C7009-SBUN-P1   Inc LAN,ADV,TRS,EL2,DCNM,DCNMSAN,MPLS,SAN,XL -Promotion     x 1

[Code].....

View 3 Replies View Related

Cisco :: Nexus 7000 Netflow Missing Data

Jun 26, 2012

I've configured N7K to export layer 2 flows. Using 2 different flow collectors (open source and commercial), gaps/drops in the reported traffic are observed on a periodic basis. The problem doesn't seem to be with the exporters, hence I'm wondering if the netflow configuration on the N7K can be tweaked to address this symptom. Using the 'show exporter' command, no errors/drops are observed. [code]

View 2 Replies View Related

Cisco :: Nexus 7000 Switch And TCP Window Sizing?

Apr 30, 2012

Where to find the configuration for TCP window sizing or scaling on the nexus 7000. Also, if the Nexus 7000 handles packet traffic through-put from things like CIFS differently or does it just pass the packet straight through.                     

View 1 Replies View Related

Cisco Switching/Routing :: Nexus 7000 Vrf Not Enabled?

Dec 9, 2012

Should I install any special license to enable vrf within Nexus 7000 VDC? I observed that vrf routing instance is not enabled in the VDC.

View 2 Replies View Related

Cisco :: Can Nexus 7000 Provide NTP To Rest Of Network

Aug 4, 2010

Can the Nexus 7000 provide NTP to the rest of my network?  Can it be an NTP server?  I have the following ntp configuration on it, and have used the commit command, but it seems to be ignoring any NTP requests from other devices. [code]

View 8 Replies View Related

Cisco Switching/Routing :: NTP Authentication On Nexus 7000?

Mar 3, 2013

I am configuring NTP on a new Cisco Nexus 7000 running version 6.1(2). NTP is working properly between the access switches and Nexus, however when configuring Authentication, NTP is not working anymore.
 
configuration:
 
Nexus 7K server
============= 
ntp server x.x.x.x
ntp peer q.q.q.q
ntp server e.e.e.e
ntp server r.r.r.r
ntp source-interface  Vlanx

[code]...
 
why NTP authentication is not working !!!!! on Nexus 7000

View 3 Replies View Related

Cisco WAN :: Nexus 7000 MPLS Feature-set / LDP Missing

Jan 8, 2013

I installed the mpls feature set in the N7K. I was able to enable feature l3vpn. Then, I tried enabling feature ldp. license not installed. ldp feature will be shut down after grace period of approximately 120 day(s).

I don't see any TRANSPORT_SERVICES_PKG in the NX-OS licensing guide. However, there is LAN_TRANSPORT_SERTICE_PKG. But I believe this is not for LDP.

View 9 Replies View Related







Copyrights 2005-15 www.BigResource.com, All rights reserved