[c-nsp] tacacs+ an nexus 5010

Greg Clark gregpclark at gmail.com
Wed Jul 1 17:28:01 EDT 2009


Arne,

   This config looks good; I've run a similar config in a production
environment and it worked.  The only thing I didn't see in your config,
but I would assume is there, is the correct IP address assigned to your
mgmt0 interface and the "feature tacacs+" command.



feature tacacs+

tacacs-server timeout 4
tacacs-server host 10.0.100.233 key 7 "xxxxxxxxx"
aaa group server tacacs+ access
    server 10.0.100.233
    use-vrf management

tacacs-server directed-request
vrf context management
  ip route 0.0.0.0/0 10.2.8.1

interface mgmt0
  ip address 10.2.8.14

Also, when you're performing your ping tests, are you using the
management VRF? I believe the command is "ping 10.0.100.233 vrf
management".

Thanks,

Greg

On Wed, Jul 1, 2009 at 6:26 AM, Arne Larsen / Region
Nordjylland<arla at rn.dk> wrote:
> I guess I can find that command; I've seen it in the doc also. But the config points to the mgmt VRF.
>
> aaa group server tacacs+ REG_TAC
>    server xxx.xxxx.xxx.xxx
>    deadtime 5
>    use-vrf management
>
> /Arne
>
> -----Original Message-----
> From: Tom Lanyon [mailto:tom at netspot.com.au]
> Sent: 1 July 2009 10:09
> To: Arne Larsen / Region Nordjylland
> Cc: cisco-nsp
> Subject: Re: [c-nsp] tacacs+ an nexus 5010
>
>>> No, it should be right. My problem is that if I do a tcpdump on the
>>> tacacs+ server I don't see anything from the nexus.
>>> It's like it doesn't leave the box at all.
>>
>> Or it is blocked elsewhere - check the network that the TACACS+ traffic
>> is being sent on and check ACLs etc. that might be in the way on the
>> way to the server. Check the firewall on the server to ensure such traffic is
>> allowed.  Ping and telnet are okay, but they won't test the actual
>> method used.
>
>
> ... and are you using the correct 'ip tacacs source-interface' to source the traffic?
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
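A small checker for the pieces Greg's reply lists (feature tacacs+, a tacacs-server host, use-vrf management on the AAA group, a route in the management VRF and an address on mgmt0), added here as an example rather than anything posted by Greg, Arne or Tom; it assumes NX-OS's indentation-based running-config layout, and both config samples are constructed, including a /24 mask on mgmt0 that the thread does not give.

```python
# Added example, not from the thread: lint an NX-OS config excerpt for the
# pieces in Greg's checklist. Both config samples below are constructed.
def parse_blocks(config):
    """Split NX-OS config text into (header, [indented child lines]) pairs."""
    blocks = []
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if raw[0].isspace() and blocks:
            blocks[-1][1].append(raw.strip())   # indented: child of current block
        else:
            blocks.append((raw.strip(), []))    # top-level command
    return blocks

def check_tacacs_mgmt_vrf(config):
    """Return a list of findings; empty means every expected piece is present."""
    blocks = parse_blocks(config)
    headers = [h for h, _ in blocks]
    findings = []
    if "feature tacacs+" not in headers:
        findings.append("missing 'feature tacacs+'")
    hosts = {h.split()[2] for h in headers if h.startswith("tacacs-server host ")}
    groups = [(h, c) for h, c in blocks if h.startswith("aaa group server tacacs+ ")]
    for header, children in groups:
        name = header.split()[-1]
        members = {c.split()[1] for c in children if c.startswith("server ")}
        for orphan in sorted(members - hosts):   # listed in the group, never defined
            findings.append(f"group {name}: no 'tacacs-server host {orphan}'")
        if "use-vrf management" not in children:   # otherwise the group uses the default VRF
            findings.append(f"group {name}: missing 'use-vrf management'")
    # The server must be reachable via the management VRF: a route and a mgmt0 address.
    for hdr, cmd in (("vrf context management", "ip route "), ("interface mgmt0", "ip address ")):
        if not any(c.startswith(cmd) for c in dict(blocks).get(hdr, [])):
            findings.append(f"{hdr}: no '{cmd.strip()}' line")
    return findings

# Constructed sample following the layout in Greg's reply (the /24 mask is assumed).
GOOD_CONFIG = """\
feature tacacs+
tacacs-server host 10.0.100.233 key 7 "xxxxxxxxx"
aaa group server tacacs+ access
  server 10.0.100.233
  use-vrf management
vrf context management
  ip route 0.0.0.0/0 10.2.8.1
interface mgmt0
  ip address 10.2.8.14/24
"""
# Constructed sample with the two easily forgotten lines dropped.
BAD_CONFIG = GOOD_CONFIG.replace("feature tacacs+\n", "").replace("  use-vrf management\n", "")
```

Run check_tacacs_mgmt_vrf over a pasted "show running-config" excerpt; every finding is one of the things Greg and Tom ask Arne to confirm before reaching for tcpdump.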

