[c-nsp] SXI, TACACS+ in VRF

Daniska, Tomas tomas at soitron.com
Wed Sep 2 11:07:15 EDT 2009


I've managed to work around it in the lab by creating a leaked route to the
TAC+ server in the GRT via the management interface. Funny enough, the
switch does not mind sending its packets out the GRT and receiving them via the VRF.
I'll request a ddts tomorrow.

--

deejay


> -----Original Message-----
> From: Arne Larsen / Region Nordjylland [mailto:arla at rn.dk]
> Sent: Wednesday, September 02, 2009 4:05 PM
> To: Daniska, Tomas; cisco-nsp at puck.nether.net
> Subject: SV: SXI, TACACS+ in VRF
> 
> I've got a similar problem with Nexus 5000.
> 
> /Arne
> 
> ________________________________________
> From: cisco-nsp-bounces at puck.nether.net [cisco-nsp-bounces at puck.nether.net] On behalf of Daniska, Tomas [tomas at soitron.com]
> Sent: 2 September 2009 14:20
> To: cisco-nsp at puck.nether.net
> Subject: [c-nsp] SXI, TACACS+ in VRF
> 
> Hi,
> 
> Anyone using TACACS+ authentication from a VRF in SXI successfully? We
> have login authentication/authorization working, but for enable
> authentication the box somehow fails to connect to the TACACS+ server.
> 
> !
> aaa group server tacacs+ XXX_tacacs
>  server-private x.x.29.142 key ...
>  ip vrf forwarding mgmt
>  ip tacacs source-interface Loopback1
> !
> aaa authentication login XXX group XXX_tacacs local
> aaa authentication enable default group XXX_tacacs enable
> ...
> !
> 
> ...
> Aug 28 17:00:37.285: AAA/AUTHOR: auth_need : user= 'user' ruser=
> 'BA_MN1_CO'rem_addr= 'x.x.251.101' priv= 0 list= '' AUTHOR-TYPE=
> 'command'
> Aug 28 17:00:37.285: AAA: parse name=tty2 idb type=-1 tty=-1
> Aug 28 17:00:37.285: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0
> adapter=0 port=2 channel=0
> Aug 28 17:00:37.285: AAA/MEMORY: create_user (0xF7E8CF8) user='user'
> ruser='NULL' ds0=0 port='tty2' rem_addr='x.x.251.101'
> authen_type=ASCII
> service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
> Aug 28 17:00:37.285: AAA/AUTHEN/START (4278438600): port='tty2'
> list='XXX' action=LOGIN service=ENABLE
> Aug 28 17:00:37.285: AAA/AUTHEN/START (4278438600): using "default"
> list
> Aug 28 17:00:37.285: AAA/AUTHEN/START (4278438600): Method=XXX_tacacs
> (tacacs+)
> Aug 28 17:00:37.285: TAC+: send AUTHEN/START packet ver=192 id=-
> 16528696
> Aug 28 17:00:37.285: TAC+: Opening TCP/IP to x.x.29.142/49 timeout=5
> Aug 28 17:00:37.289: TAC+: TCP/IP open to x.x.29.142/49 failed --
> Destination unreachable; gateway or host down
> Aug 28 17:00:37.289: AAA/AUTHEN (4278438600): status = ERROR
> Aug 28 17:00:37.289: AAA/AUTHEN/START (4278438600): Method=ENABLE
> Aug 28 17:00:37.289: AAA/AUTHEN (4278438600): status = GETPASS
> Aug 28 17:00:45.021: AAA/AUTHEN/CONT (4278438600): continue_login
> (user='(undef)')
> Aug 28 17:00:45.021: AAA/AUTHEN (4278438600): status = GETPASS
> Aug 28 17:00:45.021: AAA/AUTHEN/CONT (4278438600): Method=ENABLE
> Aug 28 17:00:45.025: AAA/AUTHEN (4278438600): password incorrect
> Aug 28 17:00:45.025: AAA/AUTHEN (4278438600): status = FAIL
> 
> 
> thx
> 
> --
> 
> deejay
> 
> 
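Detection logic for the failure mode shown in that debug output, written as an added example (not from the thread, Cisco, or any list member): it walks IOS AAA debug lines, pairs the TAC+ connection failure with its AAA session, and reports sessions in which enable authentication fell through to a later method after the TACACS+ server was unreachable, together with the VRF id the session was created with (id=0 in the post, i.e. the global table rather than the mgmt VRF). The sample lines are re-joined from the quoted output, and the regular expressions assume this exact IOS debug format.

```python
import re

# Debug lines constructed from the output quoted in the thread above, with the
# wrapped lines re-joined; addresses are anonymised as in the original post.
SAMPLE_DEBUG = """\
Aug 28 17:00:37.285: AAA/MEMORY: create_user (0xF7E8CF8) user='user' ruser='NULL' ds0=0 port='tty2' rem_addr='x.x.251.101' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
Aug 28 17:00:37.285: AAA/AUTHEN/START (4278438600): port='tty2' list='XXX' action=LOGIN service=ENABLE
Aug 28 17:00:37.285: AAA/AUTHEN/START (4278438600): using "default" list
Aug 28 17:00:37.285: AAA/AUTHEN/START (4278438600): Method=XXX_tacacs (tacacs+)
Aug 28 17:00:37.285: TAC+: Opening TCP/IP to x.x.29.142/49 timeout=5
Aug 28 17:00:37.289: TAC+: TCP/IP open to x.x.29.142/49 failed -- Destination unreachable; gateway or host down
Aug 28 17:00:37.289: AAA/AUTHEN (4278438600): status = ERROR
Aug 28 17:00:37.289: AAA/AUTHEN/START (4278438600): Method=ENABLE
Aug 28 17:00:45.025: AAA/AUTHEN (4278438600): status = FAIL
"""

RE_VRF = re.compile(r"create_user .* service=(\w+) .*vrf= \(id=(\d+)\)")
RE_START = re.compile(r"AAA/AUTHEN/START \((\d+)\): port='[^']*' list='([^']*)' .*service=(\w+)")
RE_LIST = re.compile(r'AAA/AUTHEN/START \((\d+)\): using "([^"]+)" list')
RE_METHOD = re.compile(r"AAA/AUTHEN/START \((\d+)\): Method=(\S+)")
RE_TACFAIL = re.compile(r"TAC\+: TCP/IP open to (\S+) failed -- (.*)")
RE_STATUS = re.compile(r"AAA/AUTHEN \((\d+)\): status = (\w+)")

def find_aaa_fallbacks(debug_text):
    """One finding per AAA session in which a TACACS+ server was unreachable
    and a later method (here the local enable secret) decided the outcome."""
    sessions, findings, vrf_id, tac_fail = {}, [], None, None
    for line in debug_text.splitlines():
        if m := RE_VRF.search(line):          # VRF the session was created in; 0 = global table
            vrf_id = int(m.group(2))
        elif m := RE_START.search(line):
            sessions[m.group(1)] = {"session": m.group(1), "list": m.group(2), "service": m.group(3),
                                    "vrf_id": vrf_id, "methods": [], "tacacs_failure": None}
        elif m := RE_TACFAIL.search(line):    # remember the failure until the AAA status line
            tac_fail = {"server": m.group(1), "reason": m.group(2)}
        elif (m := RE_LIST.search(line)) and (s := sessions.get(m.group(1))):
            s["effective_list"] = m.group(2)  # list actually used (enable uses "default", not the login list)
        elif (m := RE_METHOD.search(line)) and (s := sessions.get(m.group(1))):
            s["methods"].append(m.group(2))
        elif (m := RE_STATUS.search(line)) and (s := sessions.get(m.group(1))):
            if m.group(2) == "ERROR" and tac_fail:
                s["tacacs_failure"], tac_fail = tac_fail, None
            elif m.group(2) in ("PASS", "FAIL") and s["tacacs_failure"] and len(s["methods"]) > 1:
                s["fallback_method"], s["result"] = s["methods"][-1], m.group(2)
                findings.append(s)
    return findings
```

A finding with `vrf_id` 0 and a `tacacs_failure` is exactly the symptom from the post: the enable session was built in the global table, so the server-private address in the mgmt VRF is unreachable and the box silently falls back to the local enable secret.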