[c-nsp] tacacs+ an nexus 5010

Arne Larsen / Region Nordjylland arla at rn.dk
Thu Jul 2 02:00:56 EDT 2009


Yes, I have no problem accessing the box via ssh or telnet, and I can even connect to the tacacs+ server by doing a telnet from the mng vrf to the server on port 49:

aasnxu1# telnet 10.0.100.233 49 vrf management
Trying 10.0.100.233...
Connected to 10.0.100.233.
Escape character is '^]'.

/Arne

-----Original message-----
From: cisco-nsp-bounces at puck.nether.net [mailto:cisco-nsp-bounces at puck.nether.net] On behalf of Greg Clark
Sent: 1 July 2009 23:28
To: cisco-nsp at puck.nether.net
Subject: Re: [c-nsp] tacacs+ an nexus 5010

Arne,

This config looks good. I've run a similar config in a production environment and it worked. The only thing I didn't see in your config, but I would assume is there, is the correct IP address assigned to your mgmt0 interface and the "feature tacacs+" command.

feature tacacs+

tacacs-server timeout 4
tacacs-server host 10.0.100.233 key 7 "xxxxxxxxx"
aaa group server tacacs+ access
    server 10.0.100.233
    use-vrf management

tacacs-server directed-request
vrf context management
  ip route 0.0.0.0/0 10.2.8.1

interface mgmt0
  ip address 10.2.8.14

Also, when you're performing your ping tests, are you using the management vrf? I believe the command is "ping 10.0.100.233 vrf management".

Thanks,

Greg

On Wed, Jul 1, 2009 at 6:26 AM, Arne Larsen / Region Nordjylland<arla at rn.dk> wrote:
> I guess I can find that command; I've seen it in the doc also. But the config points to the mng vrf.
>
> aaa group server tacacs+ REG_TAC
>    server xxx.xxxx.xxx.xxx
>    deadtime 5
>    use-vrf management
>
> /Arne
>
> -----Original message-----
> From: Tom Lanyon [mailto:tom at netspot.com.au]
> Sent: 1 July 2009 10:09
> To: Arne Larsen / Region Nordjylland
> Cc: cisco-nsp
> Subject: Re: [c-nsp] tacacs+ an nexus 5010
>
>>> No, it should be right. My problem is that if I do a tcpdump on the
>>> tacacs+ server I don't see anything from the nexus.
>>> It's like it doesn't leave the box at all.
>>
>> or is blocked elsewhere - check the network that the TACACS+ traffic
>> is being sent on and check ACLs etc. that might be in the way on the
>> way to the server. Check the firewall on the server to ensure such traffic is
>> allowed.  ping and telnet are okay but they won't test the actual
>> method used.
>
>
> ... and are you using the correct 'ip tacacs source-interface' to source the traffic?
> _______________________________________________
> cisco-nsp mailing list  cisco-nsp at puck.nether.net
> https://puck.nether.net/mailman/listinfo/cisco-nsp
> archive at http://puck.nether.net/pipermail/cisco-nsp/
>
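Tom's point that ping and a telnet to port 49 do not exercise the actual method prompts this added example, which is mine and not from anyone in the thread: it builds and decodes a TACACS+ authentication START packet as laid out in RFC 8907, including the shared-key MD5 obfuscation of the body, so you can see what a real login attempt looks like on the wire and why a key mismatch shows up as the server decoding garbage rather than as a connectivity failure. The user name, port name, remote address, session id and key used below are constructed sample values.

```python
import hashlib
import struct

# RFC 8907 constants; all sample values below are constructed for illustration.
VERSION, TYPE_AUTHEN, FLAG_UNENCRYPTED = 0xC0, 0x01, 0x01   # major 0xC, minor 0
AUTHEN_LOGIN, PRIV_LVL_USER, TYPE_ASCII, SVC_LOGIN = 0x01, 0x01, 0x01, 0x01
HDR = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length
START = struct.Struct("!8B")    # action, priv_lvl, authen_type, service, 4 lengths

def pseudo_pad(session_id, key, version, seq_no, length):
    """Chained MD5 pad (RFC 8907 s4.5): MD5_n = MD5(sid|key|ver|seq|MD5_n-1)."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; applying it again restores the plaintext."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_start(user, port, rem_addr, session_id, key):
    """Client's first packet (seq_no 1) of an ASCII login; key=b'' sends it in clear."""
    body = START.pack(AUTHEN_LOGIN, PRIV_LVL_USER, TYPE_ASCII, SVC_LOGIN,
                      len(user), len(port), len(rem_addr), 0) + user + port + rem_addr
    flags = 0 if key else FLAG_UNENCRYPTED
    if key:
        body = obfuscate(body, session_id, key, VERSION, 1)
    return HDR.pack(VERSION, TYPE_AUTHEN, 1, flags, session_id, len(body)) + body

def parse_authen_start(raw, key):
    """Decode a START as the server does; a mismatched key yields garbage fields."""
    version, ptype, seq_no, flags, session_id, length = HDR.unpack_from(raw)
    body = raw[HDR.size:HDR.size + length]
    if not flags & FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv, atype, svc, ulen, plen, rlen, dlen = START.unpack_from(body)
    fields = {"version": version, "type": ptype, "seq_no": seq_no,
              "action": action, "priv_lvl": priv, "authen_type": atype}
    off = START.size
    for name, n in (("user", ulen), ("port", plen), ("rem_addr", rlen), ("data", dlen)):
        fields[name] = body[off:off + n]
        off += n
    return fields
```

The pad is computed from the plaintext shared secret; the "key 7" form shown in the Nexus config is only the type-7 encoding used for display in the running configuration, not what goes into the MD5 chain.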