Nexus defaults to PAP authentication

Ever configured a Nexus switch to use AAA to query a Tacacs+ server? Had some troubles applying standard IOS config to NX-OS?

Possibly, if your Tacacs+ server is configured to only allow PAM (Password Authentication Manager) authentication for the users. When an NX-OS switch sends an AAA authentication packet, by default it is encapsulated using PAP encoding. This is in contrast to normal IOS devices, which use PAM encoding by default.

To illustrate, I used the following config:

ip tacacs source-interface mgmt0
tacacs-server host 10.5.0.82 key password
!
aaa group server tacacs+ TAC
server 10.5.0.82
use-vrf management
source-interface mgmt0
!
aaa authentication login default group TAC
aaa authorization config-commands default group TAC
aaa authorization commands default group TAC
aaa accounting default group TAC

For testing I set up 2 users:

  • test1 – only has the default PAM hash and no PAP hash under the user account settings
  • test2 – has the default PAM hash and a PAP hash enabled under the user account settings

To perform the authentication testing the following commands were used:

Nexus5k# test aaa server tacacs+ 10.5.0.82 vrf management test1 test2
user has failed authentication
Nexus5k# test aaa server tacacs+ 10.5.0.82 vrf management test2 test2
user has been authenticated

Now, by looking at the output of the ‘TACACS.LOG’ file, some interesting lines can be observed.

[33084]: session.peerip is 10.5.0.196
[33096]: connect from 10.5.0.196 [10.5.0.196]
[33097]: pap-login query for 'test1' 3000 from 10.5.0.196 rejected
[33098]: login failure: test1 10.5.0.196 (10.5.0.196) 3000

[33182]: session.peerip is 10.5.0.196
[33187]: connect from 10.5.0.196 [10.5.0.196]
[33188]: pap-login query for 'test2' 3000 from 10.5.0.196 accepted
[33189]: Start authorization request

The query that arrives on the Tacacs+ server is a “pap-login” query. This would be the reason why the authentication for test2 was accepted and test1 was rejected. A query from an IOS device looks different in that it is not a PAP query.

This was reported to Cisco TAC some time ago. Cisco in response created the command “aaa authentication login ascii-authentication”, which is available in NX-OS 5+, to allow this default behavior to be changed to match standard IOS implementations.

Nexus5k# conf t
Enter configuration commands, one per line.  End with CNTL/Z.
Nexus5k(config)# aaa authentication login ascii-authentication
Nexus5k(config)#

By looking at the output of the ‘TACACS.LOG’ file now, after testing again, the output looks as one would expect it to be:

[39131]: session.peerip is 10.5.0.196
[39132]: connect from 10.5.0.196 [10.5.0.196]
[39133]: login query for 'test1' 3000 from 10.5.0.196 accepted
[39134]: Start authorization request

[39182]: session.peerip is 10.5.0.196
[39183]: connect from 10.5.0.196 [10.5.0.196]
[39184]: login query for 'test2' 3000 from 10.5.0.196 accepted
[39185]: Start authorization request
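To spot which switches are still sending PAP-encoded queries before anyone starts locking out users, here is an added Python example (not part of the original post) that parses tac_plus log lines of the form shown above and reports the authentication method and result per client address; the log sample and the second client address 10.5.0.197 are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample in the tac_plus log format shown in the post:
# one NX-OS switch still sending PAP, one sending ASCII login.
SAMPLE_LOG = """\
[33097]: pap-login query for 'test1' 3000 from 10.5.0.196 rejected
[33098]: login failure: test1 10.5.0.196 (10.5.0.196) 3000
[33188]: pap-login query for 'test2' 3000 from 10.5.0.196 accepted
[39133]: login query for 'test1' 3000 from 10.5.0.197 accepted
[39184]: login query for 'test2' 3000 from 10.5.0.197 accepted
"""

# Matches both "pap-login query ..." and "login query ..." lines.
QUERY_RE = re.compile(
    r"^\[\d+\]: (?P<method>pap-login|login) query for '(?P<user>[^']+)' "
    r"\d+ from (?P<peer>\d{1,3}(?:\.\d{1,3}){3}) (?P<result>accepted|rejected)$"
)

def parse_queries(log_text):
    """Return one dict per authentication query line; other lines are ignored."""
    events = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def summarize_by_peer(events):
    """Per client IP: methods seen plus accepted/rejected counts."""
    summary = defaultdict(lambda: {"methods": set(), "accepted": 0, "rejected": 0})
    for e in events:
        s = summary[e["peer"]]
        s["methods"].add(e["method"])
        s[e["result"]] += 1
    return dict(summary)

def pap_clients(events):
    """Client IPs that sent at least one PAP-encoded query (sorted for stable output)."""
    return sorted({e["peer"] for e in events if e["method"] == "pap-login"})

if __name__ == "__main__":
    evs = parse_queries(SAMPLE_LOG)
    for peer, s in sorted(summarize_by_peer(evs).items()):
        print(peer, sorted(s["methods"]), "accepted", s["accepted"], "rejected", s["rejected"])
    print("clients still using PAP:", pap_clients(evs))
```

Any address listed under "clients still using PAP" is a candidate for the ascii-authentication command, or for adding PAP hashes on the server side if the switch cannot be changed.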

7 thoughts on “Nexus defaults to PAP authentication”

  1. Just wanted to say THANK YOU! We were tearing our hair out wondering why our TACACS server was seeing PAP requests. CHAP obviously didn’t make anything better, but turning on the ASCII authentication now gives plain old “login”.

  2. Thanks for posting this, was very handy to find.
    I can also confirm this command works perfectly for Nexus 1000V.

  3. Thank you buddy, with the article I am able to make NX-OS run with TAC_Plus

    1. Definitely still relevant, since it’s not actually in Cisco’s Tacacs+ documentation…

      Not sure why they couldn’t make it work like the rest of the Cisco platforms. What a pain!
