Cisco AAA/Identity/Nac :: TACACS Nexus 5548 Authorization?

Jan 3, 2012

I am having an issue with authorization on the Nexus 5548. Note: the TACACS configuration has worked and still works correctly with all non-Nexus gear.

Authentication succeeds, and initial authorization passes. However, all sh and config commands fail, though "AAA Autho Config-Commands ...." and "Commands Default Group <Grp Name>" are configured.

ACS generates the following error: 13025 Command failed to match a Permit rule. The selected Command Set is DenyAllCommands. I created an AllowAll, but am unclear how to associate this with the Access Policy.


Cisco Switching/Routing :: How To Configure Nexus 5548 TACACS+

Dec 12, 2011

I am working for an Air Force client and am adding a handful of 5548s into their network. My question is how TACACS+ is configured. My hands are tied in regards to testing in an operational environment, so I want to ensure the configs are correct prior to the deployment/maintenance window and avoid any remote issues.
 
I have read the "Cisco Press - TACACS+" config guide and it was somewhat vague in regards to operational deployment.

My basic NX-OS configs are as follows:

- feature tacacs+
- tacacs-server key 7 "002A52xxxxxxxxxxxxxxxx8"
- tacacs-server host 128.xx.xx.xx timeout 10
- tacacs-server host 128.xx.xx.xx timeout 10
- tacacs-server directed-request
 
When I try to set the following command string, aaa authentication login default group tacacs+ local, NX-OS asks me to input a "server group name". There are no server groups configured. Do I need them? Can I get by without configuring a group name, because the client probably will not?

The Cisco IOS devices are configured with normal aaa authentication/authorization parameters. Also, do the VTY ports default to sshv2 and the correct tacacs+ parameters with the "transport input ssh" command (not available)?


Cisco AAA/Identity/Nac :: NCS TACACS+ With ACS 4.2 - Authentication / Authorization?

Sep 13, 2011

I tried to configure TACACS+ authentication / authorization for NCS via ACS 4.2. For that I followed the configuration guide:
 
1. Configured the service for NCS with HTTP (see attachment)
 
2. Added the tasks to the user (see attachment)
  
When I try to login on the NCS it fails, in the logs on the NCS I see the following lines:
 
09/14/11 16:53:03.333 TRACE [system] [http-443-7] [TACACS+ AAAModule] Creating authorization socket   - To Server:  192.168.49.14  - For User:  netadmin
09/14/11 16:53:03.335 TRACE [system] [http-443-7] [TACACS+ AAAModule] Sending authorization request packet  - To Server:  192.168.49.14  - For User:  netadmin
09/14/11 16:53:03.336 TRACE [system] [http-443-7] [TACACS+ AAAModule] Receiving authorization response packet  - From Server:  192.168.49.14  - For User:  netadmin

[code].....


Cisco AAA/Identity/Nac :: ACS 5.2 - TACACS And JunOS Authorization?

Mar 4, 2012

I can get it to authenticate. I've read some posts on ACS 4.2 and authorization, but I don't find anything similar. I want to control down to what commands the authenticated user can run. I want the definition to come from the ACS server, or at least to control it from the ACS server. I want to minimize the changes on the JunOS side, but if it can't be easily done, I'll change the JunOS side.


Cisco AAA/Identity/Nac :: ACS 5.3 / Tacacs Authorization Restrictions

Nov 14, 2012

ACS 5.3 is configured with two rules: one rule for standard level 15 access for the Network Engineers and a second rule to allow some limited access to switches. The limited access account has enough command set access to change the VLAN on a switchport, so Configure Terminal, Interface FAx/x and switchport access vlan x.
 
Switch configuration:     
 
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default group tacacs+ local
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa session-id common
 
Everything works well and the limited access users can only perform the commands I've set up.

Problem: The problem I've encountered is when one of the network engineers makes a change that would stop the device from being able to see the ACS server; it then stops allowing any commands to be typed in the router/switch. Additionally, if you then connect to the device and log in with the local username and password, the device waits for the TACACS server timeout for every command you enter. This is obviously very slow and painful for the engineer.

Question: Is there a way to set this up so the engineer logging in with full Level 15 access doesn't have to have each command authorized by the ACS server, but still allow the limited access accounts to be able to make interface changes?


Cisco AAA/Identity/Nac :: ACS 5.3 Tacacs Authorization Logs?

Jan 15, 2012

I noticed that in the TACACS authorization logs, when you change the password for a user, I can see the new password, but I cannot see it in the accounting logs. Is this normal behaviour, or do we need to do something to hide the password in the authorization logs?

For example, if I type the command username xyz priv 15 secret cisco 123

I see this command in the accounting logs as username xyz priv 15 secret ***, whereas in the TACACS authorization logs it shows username xyz priv 15 secret cisco 123


AAA/Identity/Nac :: Command Authorization Failed In TACACS With ACS 4.2

Feb 2, 2012

We have a group in TACACS ACS 4.2. I configured it so it can run show commands. When logged in, it can run show commands with some parameters, like show ip interface, but it cannot run show running-config. It says "command authorization failed".


Cisco AAA/Identity/Nac :: ACS 5.2 Authentication Against Microsoft AD / TACACS Authorization

Feb 2, 2013

I am trying to configure ACS 5.2 to do all authentication against Microsoft AD, but use local identity groups to determine TACACS+ authorization. 


AAA/Identity/Nac :: Use Cisco Secure ACS 4.2 To Enable Command Authorization Using TACACS?

Nov 5, 2011

Provide a sample configuration to use Cisco Secure ACS 4.2 to enable command authorization using TACACS.


Cisco AAA/Identity/Nac :: 3560 / TACACS (Command Authorization Failed)

Jan 3, 2012

While working in a 3560 all of a sudden I received the message "command authorization failed" while trying to issue certain commands.

It appears I lost my priv 15 authorization. We have seen this before; we do not have access to the ACS to troubleshoot the issue. I tried logging in a 2nd and 3rd time using TACACS and received the same error whenever I issued a command such as dir flash:, copy tftp flash or show run. At the time I was trying to copy IOS to the switch; I had a co-worker log in and it was fine for him and he completed the copy.

Once completed, I logged back in and all was fine again. We suspect an issue with ACS, possibly a timeout of our TACACS authorization?


AAA/Identity/Nac :: Nexus 7000 Crashes Using Tacacs To ACS 4.1 Server

Apr 9, 2012

I see there is a similar post for Nexus 5000 to ACS 5.2. Identical symptoms. The supervisor crashed and switched to secondary. Is there a comparable field for ACS 4.1 that needs to have something in it?

2012 Apr  9 11:07:55 va-core02 %$ VDC-1 %$ %SYSMGR-2-SERVICE_CRASHED: Service "Tacacs Daemon" (PID 9390) hasn't caught signal 11 (core will be saved).
2012 Apr  9 11:07:55 va-core02 %$ VDC-1 %$ %SYSMGR SYSMGR_AUTOCOLLECT_TECH_SUPPORT_LOG: This supervisor will temporarily remain online in order to collect show tech-support. This behavior is configurable via 'system [no] auto-collect tech-support'.


Cisco AAA/Identity/Nac :: ACS 4.2 Tacacs Custom Attribute For Nexus 1000V

Jul 18, 2011

How to add a TACACS custom attribute to ACS 4.2 for Nexus 1000V: shell:roles="network-admin admin-vdc". In the interface configuration I've added a new service: service - shell, protocol - tacacs+. In the group settings I've enabled this attribute configuration. And it does not work. The default privilege level is assigned to any user with access allowed.


Cisco AAA/Identity/Nac :: Setup Tacacs Config Onto New NEXUS 5000

May 26, 2011

I'm trying to set up a TACACS config on my new NEXUS 5000 series. Nevertheless, the authentication doesn't work. Actually I followed the config guide but something is not working or missing. I have set up everything through VMware with ACS installed on a Windows server.


Cisco AAA/Identity/Nac :: Nexus 5010 Allows TACACS And Local Authentication Concurrently

Jun 6, 2011

I am experiencing an issue where NX-OS on our 5010s is allowing both local AND TACACS authentication concurrently. If I don't configure any aaa authorization commands, the locally logged in user has unmitigated access to the device. Once I enable aaa authorization, all commands issued by the locally logged in user are denied by ACS, but they can still log in to the device. When I comb through the logs on the ACS server, I see successful logins when TACACS credentials are used, and also the failed attempts when the locally configured credentials are used. On the switch, however, I receive "%TACACS-3-TACACS_ERROR_MESSAGE: All servers failed to respond" when using locally configured credentials on the switch itself. We are running ACS v4.2.


Cisco AAA/Identity/Nac :: ISE V1.1 ISE Authorization Rules Do Not Use Endpoint Identity Group

Dec 5, 2011

I'm looking for Cisco ISE v1.1 to use the following licensing feature. url...Endpoint is dynamically profiled by Cisco ISE and assigned  dynamically or statically to an endpoint identity group. Cisco ISE authorization  rules do not use this endpoint identity group.


Cisco WAN :: How To Setup Nexus 5548

May 5, 2013

I have a Cisco Nexus 5548 box I need to set up.

What is the basic configuration I need to do so as to set up the following:

1. Management interface

2. Reduce the switch priority to join other switches in the network

3. Set up EtherChannel etc.


Cisco Infrastructure :: Nexus 5548 Will Not Sync With NTP

May 1, 2011

I know that with the Nexus switches that we must use the management port and the management vrf for services such as NTP, SNMP etc. I have this configured on my 5548 and it still will not sync with NTP. [code]


Cisco :: 5548 - Syncing Nexus And NTP Server

Apr 9, 2013

I have a problem with syncing the Nexus and the NTP server. The MGMT IP address of the Nexus is 10.24.130.137 and the address of the NTP server is 10.242.32.12; there is full routing and NTP reachability between the Nexus and the NTP server, but the Nexus is unsynced:
 
N5k-04-A# sh ntp peer-status
Total peers : 1
* - selected for sync, + -  peer mode(active),
- - peer mode(passive), = - polled in client mode
    remote               local                 st   poll   reach delay
------------------------------------------------------------------------
=10.242.32.12           10.24.130.137           2   16     377   0.00310

Config of NTP is:
 
N5k-04-A# sh run ntp
!Command: show running-config ntp
!Time: Wed Apr 10 14:41:35 2013
version 6.0(2)N1(2)
ntp server 10.242.32.12 use-vrf management
ntp source-interface mgmt0
ntp logging
 
I captured traffic with Wireshark and see something strange in the NTP packet: "Reference ID: Unidentified reference source '...'"

I have one Catalyst 2960 on the same subnet and it's synchronized with the same NTP server without any problems. Here is a snapshot of the Wireshark capture:
  
P.S. Don't bother about malformed packet, it's probably because of using ERSPAN.


Cisco :: Unable To Discover Nexus 5548 With DCNM 5.2(2e)

Dec 20, 2012

I am unable to discover 2 Nexus 5548s with the SAN client of DCNM 5.2(2e).

These Nexus are used as LAN and SAN switches. Each Nexus is a SAN fabric. I would like to use DCNM in order to configure the zone/zoneset via the GUI. These Nexus 5548s run the 5.1(3)N2(1b) release.

The Nexus ARE NOT managed via the Mgmt interface (OOB) but via an interface VLAN (InB).

I could not configure correctly:

- the snmp-server user (SNMP user v1/v2 or v3 + group?) CLI on the Nexus

- the discovery, so that DCNM discovers each fabric either from the web GUI or the Java SAN client


Cisco Switching/Routing :: Nexus 5548 ARP Request

Feb 7, 2012

I have a Nexus 5548UP, version 5.0(3)N2(2b), with a flat configured network. The customer has put several IP subnets on one VLAN. In one subnet is a Siemens SPS which connects to a server. This SPS is not reachable until I send a ping from the N5k; then everything works fine. Sniffing that port, no ARP requests from the N5k are captured. That happens with every device (Siemens SPS) in the network. All other clients and servers are working fine and there are no problems.


Cisco Switching/Routing :: Nexus 5548 Restart Itself?

May 10, 2013

I have a Nexus 5548 that recently restarted itself for no reason. I ran the command:
 
sh system reset-reason
----- reset reason for Supervisor-module 1 (from Supervisor in slot 1) ---
1) At 469203 usecs after Sat May 11 14:02:07 2013
    Reason: Reset triggered due to HA policy of Reset
    Service: eth_port_sec hap reset
    Version: 5.1(3)N1(1a)
 
sh processes log details
 
Start type: SRV_OPTION_RESTART_STATELESS (23)
Death reason: SYSMGR_DEATH_REASON_FAILURE_SIGNAL (2)
Last heartbeat 6.09 secs ago
RLIMIT_AS: 189894144
System image name: n5000-uk9.5.1.3.N1.1a.bin
 
I've been searching in Google/Cisco about the eth_port_sec hap reset and cannot find any reason, just something about the same error but in different technology:
 
[URL]
 
CSCub36000: SNMP polling on eth_port_security objects no longer causes an eth_port_sec hap reset. I just want to be sure it is the same reason... Or do you know something that can cause it on a Nexus switch?


Cisco Switching/Routing :: Nexus 5548 L3 Licensing

Jul 29, 2012

We have just purchased and installed the L3 daughter card for our 5548UPs and have also installed the L3 Enterprise Services pkg. The problem is, I cannot enable the EIGRP feature even though we have the Ent Svc lic. After doing a little more research, I see that the Lan Base lic is required to enable the L3 card and many of the L3 features (the card is currently in an "offline" state).
 
From what I have read on this board, the LAN Base lic is a free license that should be included with the L3 daughter card -- however, Cisco licensing will not issue me that license without a sales order (even though a Nexus engineer said it was included, the licensing group will not issue it without an official sales order). Well, our vendor ordered the card and the Ent Svcs lic, but for some reason we were never sent a PAK for the LAN Base lic.


Cisco Switching/Routing :: Distribution Using Nexus 5548/96 With L3 Features?

Feb 12, 2012

Using the 55xx as an L3 distribution switch or even as a core: by enabling the L3 features, does it allow you to enable L3 SVIs for VLAN interfaces, or are there interfaces on the daughter card that are used for routing instead?


Cisco Switching/Routing :: Unable To Create L3 SVI On Nexus 5548

Jun 11, 2012

The Nexus 5548 is running 5.1.3.N2.1a and has the L3 daughter card (N55-D160L3). I have the EIGRP feature enabled. By the way, when doing a 'sh feature', four EIGRP features show up like this: [code] To create the L3 SVI, I go into config mode and attempt to type 'interface vlan 10', but this doesn't work. These are the only options under the keyword 'interface':
 
- ethernet
- loopback
- mgmt
- port-channel
 
I must be missing something simple but can't seem to see what that is. What do I need to do in order to create an L3 SVI on this 5548?


Cisco Switching/Routing :: Configuring Management Of SVI / Nexus 5548?

Aug 15, 2012

I want to configure management for some Nexus 5548s. I wanted to manage the switches via an SVI. I have read the following document, which gives details about the Management SVI but doesn't answer all questions. [URL] I am not running any layer 3 functionality on the switch, and have no layer 3 license (which it mentions in the above link). Will I still be able to create a management SVI? I know I will need to enable the feature 'interface-vlan' to set up a Management SVI; does that require a license?


Cisco Switching/Routing :: Encounter FTP Error On Nexus 5548

Sep 4, 2012

I encountered a problem while trying to copy a file from the Nexus 5548 to my FTP server (proteus - 192.168.12.220 - the Nexus switch is able to resolve the name proteus correctly to 192.168.12.220). See below the working and not working scenarios. I have searched through the Cisco Bug Database but am unable to find any related bug associated with this problem. This Nexus is running the following NX-OS version.
 
n5000-uk9-kickstart.5.1.3.N1.1a.bin
n5000-uk9.5.1.3.N1.1a.bin  
Working (without specifying the username and full path)

[Code].....


Cisco Switching/Routing :: Nexus 5548 And 6509 VPC Connectivity?

Nov 12, 2012

We have two 5548 switches connected to a pair of 6509 running in VSS mode. I am trying to understand the benefit of having bridge assurance on the uplink ports.
 
If we have the command spanning-tree port type network enabled, we cannot do a non-disruptive upgrade. If there is bridge assurance on the uplink, it warns you of this. Yet if I do not run bridge assurance on the uplinks, I can do an upgrade without any disruption.

Why in God's name would I enable bridge assurance on this VPC link if I cannot do a non-disruptive upgrade?


Cisco WAN :: Pair Of Nexus 5548 And 3750 Are Configured With MST Instance

Feb 8, 2012

I am having some issue with STP with the following topology. A pair of Nexus 5548 and 3750 are configured with MST instance 1. When I enable STP as MST on Dell switches, it does not recognise it and creates a loop, but if we change to MST0 it works fine (only tried on one 3750 and two Dell switches in a triangle in the lab). Do Dell switches only understand MST0? Can the Nexus 5548 support MST0 if we change from MST1, and what will be the effect?


Cisco Switching/Routing :: Nexus 5548 - Can't Utilize ISSU

Jan 21, 2013

I need to upgrade the code on our two Nexus 5548s in order to facilitate the installation of a few FEXs, but due to the fact that seemingly all of my port-channels are in the STP DESG forwarding state, an ISSU upgrade is not possible. Everything connected directly to our 5548s is utilizing VPCs, including an HP Blade chassis and several NetApp devices. If I follow the normal upgrade route, should I experience an outage, or should the secondary switch just continue passing traffic?


Cisco Switching/Routing :: Setup SNMPv3 On Nexus 5548?

Sep 18, 2012

I'm trying to set up SNMPv3 on a Nexus 5548. We are using SNMPv3 on 3750s without any issue, but are having issues getting it set up on the Nexus. I have been using the following link for the setup, following it line by line. [URL] The part that I'm having issues with is when I try to enforce SNMP message encryption on a per-user basis. When I issue snmp-server user (username) enforcePriv, I get "warning: unable to update CLI users database. reason: role does not exist group not found".


Cisco Switching/Routing :: 5548 Nexus Snmp Community

Nov 20, 2011

I am using a Cisco Nexus 5548 and trying to enter an SNMP community, but it doesn't accept it. I enter a community name that is less than 32 characters, with symbols, numbers and letters.


Cisco Switching/Routing :: Nexus 5548 Fex Offline When Pre-Provisioning

May 9, 2013

I am setting up a new environment with 2 5548s and some 2248TP-1GE FEXs and I'm running into an issue. I have the peer link and peer-keepalive link, which appear to be good. When I configure the FEX and VPC for the FEX manually on each switch without pre-provisioning the slot, the FEX comes online and everything appears to be good. I can see all the interfaces when doing a sh int br, and sh fex detail shows all good. When I do the exact same thing but pre-provision the slot, the FEX stays in an offline state. I've tried disabling the port(s) connected to the FEX while configuring everything, then enabling them, but same thing. [code]


Cisco Switching/Routing :: Nexus 5548 - Private VLANs On FEX

Aug 13, 2012

Regarding PVLANs and the Nexus, my understanding is that we cannot configure Private VLANs on a FEX trunk port with an NX-OS release older than 5.1(3)N2(1) for the Nexus 5548... Is there any known workaround for this limitation (apart from performing a SW upgrade)?

Copyrights 2005-15 www.BigResource.com, All rights reserved