[c-nsp] tacacs+ an nexus 5010

Lincoln Dale ltd at cisco.com
Wed Jul 1 04:23:12 EDT 2009


Cisco Nexus platforms make a distinction between out-of-band management 
access (mgmt0 interface) and inband management access.  The former is in 
a 'management' VRF while the latter is in the 'default' VRF.
Make sure you've configured TACACS+ to match the appropriate VRF.


cheers,

lincoln.

 

Arne Larsen / Region Nordjylland wrote:
> No, it should be right. My problem is that if I do a tcpdump on the tacacs+ server I don't see anything from the nexus.
> It's like it doesn't leave the box at all.
>
> /Arne
>
> -----Original message-----
> From: chris at lavin-llc.com [mailto:chris at lavin-llc.com]
> Sent: 30 June 2009 23:34
> To: cisco-nsp at puck.nether.net; Arne Larsen / Region Nordjylland
> Subject: Re: [c-nsp] tacacs+ an nexus 5010
>
> On Tue Jun 30 13:47 , Arne Larsen / Region Nordjylland  sent:
>
>   
>> Hi all.
>>
>> Can someone help me out here.
>> I'm having trouble getting tacacs+ to work on a nexus 5010.
>> Whenever I'm trying to access the nexus the debug prints: Skipping
>> DEAD TACACS+ server 10.0.100.233. I can ping and telnet to the tac-server from the nexus. Am I missing something in my config??
>>
>> my conf.
>>
>> vrf context management
>>  ip name-server 10.2.4.63 10.2.4.64 10.2.4.65
>> ip host aasnxu1 10.2.8.14
>> ip host helios 10.0.100.233
>> tacacs-server key 7 "xxxxxxxxx"
>> tacacs-server host 10.0.100.233
>> aaa group server tacacs+ REG_TAC
>>    server 10.0.100.233
>>    deadtime 5
>>    use-vrf management
>> aaa authentication login default group REG_TAC
>> aaa authentication login error-enable
>> tacacs-server directed-request
>> vrf context management
>>  ip route 0.0.0.0/0 10.2.8.1
>>
>>
>>
>> aasnxu1# sh tacacs-server
>> Global TACACS+ shared secret:********
>> timeout value:5
>> deadtime value:0
>> total number of servers:1
>>
>> following TACACS+ servers are configured:
>>        10.0.100.233:
>>                available on port:49
>>
>> following TACACS+ server groups are configured:
>>        group REG_TAC:
>>                server 10.0.100.233 on port 49
>>                deadtime is 5
>>                vrf is management
>>
>>     
>
> Is there a chance you have a mismatch TACACS key?
>
> -chris
>
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>   
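The VRF point made in the reply above, as an added NX-OS configuration example that is not part of the original post, the poster's own config, or Cisco documentation. The TACACS+ client opens its TCP/49 connection from whichever VRF the server group is bound to; if the server is only reachable through mgmt0 (management VRF) but the group is bound to the default VRF, the connection has no route, nothing ever reaches the server, and the server is soon marked dead. The "broken" variant below is a hypothetical misconfiguration for contrast (the poster's group already uses the management VRF); the corrected variant follows, then the checks a practitioner would run. The username and password in the test command are placeholders.

```cisco
! --- Broken (hypothetical): server sits behind mgmt0, but the group is
! --- bound to the default VRF. TCP/49 to 10.0.100.233 has no route in the
! --- default VRF, never leaves the box, and the server ends up DEAD.
tacacs-server host 10.0.100.233
aaa group server tacacs+ REG_TAC
  server 10.0.100.233
  use-vrf default
aaa authentication login default group REG_TAC

! --- Corrected: bind the group to the VRF that actually holds the route
! --- and source the connection from the interface living in that VRF.
tacacs-server host 10.0.100.233
aaa group server tacacs+ REG_TAC
  server 10.0.100.233
  deadtime 5
  use-vrf management
  source-interface mgmt0
aaa authentication login default group REG_TAC

! --- Checks. A bare 'ping' goes out the default VRF, so "I can ping the
! --- server" only says something about the AAA path if the VRF matches.
ping 10.0.100.233 vrf management
show ip route vrf management
show tacacs-server groups
! Exercise the AAA exchange itself (testuser/testpass are placeholders).
test aaa group REG_TAC testuser testpass
show tacacs-server statistics 10.0.100.233
```

If the `test aaa group` call fails while the statistics show no packets sent, the client is still not sourcing traffic from a VRF with a route to the server; if packets are sent but the server rejects them, a key mismatch (as chris suggested) becomes the next thing to check.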

