Cisco N5K-M1600 - Expansion Module - 6 Ports Troubleshooting Manual page 134


AAA
Send document comments to nexus5k-docfeedback@cisco.com.
Cisco Nexus 5000 Series Troubleshooting Guide

No command accounting logs on ACS server when TACACS+ accounting enabled

When TACACS+ accounting is enabled, the command accounting logs on the ACS server are not found.

Possible Cause
The ACS server configuration is wrong or incomplete.

Solution
Perform the following steps:
- In the ACS GUI in Network Configuration, go to the AAA Client Setup for any client. Check the checkbox for Log Update/Watchdog Packets from this AAA Client. Click the Submit + Apply button.
- Verify CMD Accounting with the following menu path:
  Reports and Activity > TACACS+ Administration
  Open the Tacacs+Administration <active|DATE>.csv file and verify the cmd and timestamp on each row of the file.

PAP authentication does not work for RADIUS

PAP authentication works for TACACS+ but not for RADIUS.

Possible Cause
Starting with Release 4.2(1), NX-OS only supports ASCII (PAP) authentication for TACACS+.

Solution
In NX-OS, ASCII authentication is equivalent to PAP authentication. By default, both TACACS+ and RADIUS use CHAP. You can switch to PAP authentication with the aaa authentication login ascii-authentication command.

Perform the following steps for role assignment:
- Check which AAA group is being used for authentication with the show running-config aaa and show aaa authentication commands.
- For TACACS+, check the VRF association with the AAA group with the show tacacs-server groups and show running-config tacacs+ commands.
- For RADIUS, check the VRF association with the AAA group with the show radius-server groups and show running-config radius commands.
- If the above commands show that the association is correct, then use the debug tacacs+ all command to enable the trace.
- Log in the user again, and collect the debug trace.
- The trace should contain information for further investigation (as shown in the example).
  Example:
  tacacs: process_aaa_tplus_request: Group t1 found. corresponding vrf is management
- Use the no debug tacacs+ all command to turn off debug tracing on TACACS+.
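
The VRF check in the role-assignment steps above, as an added Python example that is not part of the Cisco guide: it reads each server group's use-vrf from show running-config tacacs+ output and compares it with the group and VRF named in the debug trace. The sample configuration, the second trace line, the function names and the reachable_vrf argument (the VRF the operator knows the TACACS+ server is reachable through) are assumptions.

```python
import re

# Constructed sample of "show running-config tacacs+" output (documentation addresses).
RUNNING_CONFIG = """\
feature tacacs+
aaa group server tacacs+ t1
    server 192.0.2.10
    use-vrf management
aaa group server tacacs+ t2
    server 192.0.2.20
"""

# Constructed trace: line 1 has the format shown in the guide, line 2 is assumed to follow it.
DEBUG_TRACE = """\
tacacs: process_aaa_tplus_request: Group t1 found. corresponding vrf is management
tacacs: process_aaa_tplus_request: Group t2 found. corresponding vrf is default
"""

GROUP_RE = re.compile(r"^aaa group server tacacs\+ (\S+)")
USE_VRF_RE = re.compile(r"^\s+use-vrf (\S+)")
TRACE_RE = re.compile(r"Group (\S+) found\. corresponding vrf is (\S+)")

def vrf_by_group(config):
    """Map each TACACS+ server group to its use-vrf value ("default" when none is set)."""
    groups, current = {}, None
    for line in config.splitlines():
        if m := GROUP_RE.match(line):
            current = m.group(1)
            groups[current] = "default"
        elif current and (m := USE_VRF_RE.match(line)):
            groups[current] = m.group(1)
        elif line and not line[0].isspace():
            current = None  # a new top-level line ends the group's indented block
    return groups

def audit(config, trace, reachable_vrf):
    """Return (group, vrf, problem) for every login request in the trace that looks wrong."""
    configured = vrf_by_group(config)
    findings = []
    for group, vrf in TRACE_RE.findall(trace):
        if group not in configured:
            findings.append((group, vrf, "group not in running-config"))
        elif configured[group] != vrf:
            findings.append((group, vrf, "trace vrf differs from configured use-vrf"))
        elif vrf != reachable_vrf:
            findings.append((group, vrf, "server not reachable through this vrf"))
    return findings

if __name__ == "__main__":
    print(audit(RUNNING_CONFIG, DEBUG_TRACE, "management"))
```

With the constructed input, group t2 is reported because it has no use-vrf line and its requests go out through the default VRF.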
Chapter 6
Troubleshooting Security Issues
OL-25300-01
