[c-nsp] tacacs+ an nexus 5010
Lincoln Dale
ltd at cisco.com
Wed Jul 1 04:23:12 EDT 2009
Cisco Nexus platforms make a distinction between out-of-band management
access (mgmt0 interface) and inband management access. the former is in
a 'management' VRF while the latter is in the 'default' VRF.
make sure you've configured TACACS+ to match the appropriate VRF.
cheers,
lincoln.
Arne Larsen / Region Nordjylland wrote:
> No, it should be right. My problem is that if I do a tcpdump on the tacacs+ server I dont see anything from the nexus.
> It's like it doesn't leave the box at all.
>
> /Arne
>
> -----Oprindelig meddelelse-----
> Fra: chris at lavin-llc.com [mailto:chris at lavin-llc.com]
> Sendt: 30. juni 2009 23:34
> Til: cisco-nsp at puck.nether.net; Arne Larsen / Region Nordjylland
> Emne: Re: [c-nsp] tacacs+ an nexus 5010
>
> On Tue Jun 30 13:47 , Arne Larsen / Region Nordjylland sent:
>
>
>> Hi all.
>>
>> Can someone help me out here.
>> I'm having trouble getting tacacs+ to work an a nexus 5010.
>> When ever I'm trying to access the nexus the debug prints.: Skipping
>> DEAD TACACS+ server 10.0.100.233 I can ping and telnet to the tac-server from the nexus. Am I missiing somthing in my config ??
>>
>> my conf.
>>
>> vrf context management
>> ip name-server 10.2.4.63 10.2.4.64 10.2.4.65 ip host aasnxu1
>> 10.2.8.14 ip host helios 10.0.100.233 tacacs-server key 7 "xxxxxxxxx"
>> tacacs-server host 10.0.100.233
>> aaa group server tacacs+ REG_TAC
>> server 10.0.100.233
>> deadtime 5
>> use-vrf management
>> aaa authentication login default group REG_TAC aaa authentication login
>> error-enable tacacs-server directed-request vrf context management
>> ip route 0.0.0.0/0 10.2.8.1
>>
>>
>>
>> aasnxu1# sh tacacs-server
>> Global TACACS+ shared secret:********
>> timeout value:5
>> deadtime value:0
>> total number of servers:1
>>
>> following TACACS+ servers are configured:
>> 10.0.100.233:
>> available on port:49
>>
>> following TACACS+ server groups are configured:
>> group REG_TAC:
>> server 10.0.100.233 on port 49
>> deadtime is 5
>> vrf is management
>>
>>
>
> Is there a chance you have a mismatch TACACS key?
>
> -chris
>
> _______________________________________________
> cisco-nsp mailing list cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
>
More information about the cisco-nsp
mailing list