Nexus defaults to PAP authentication
March 22, 2011
Ever configured a Nexus switch to use AAA against a TACACS+ server? Had trouble getting a standard IOS config to behave the same way on NX-OS?
Possibly, if your TACACS+ server is configured to authenticate users only through the ASCII "login" check (the post calls this the PAM hash; PAM is Pluggable Authentication Modules, not Password Authentication Manager, and it is the backend a tac_plus user's login entry can point at) and holds no PAP password for them. When an NX-OS switch sends a TACACS+ authentication START packet, by default it sets the authentication type to PAP, so the password is carried inside the START packet itself. This is in contrast to IOS devices, which use ASCII login authentication by default: the server prompts for the password and receives it in a CONTINUE packet. The mode matters to the server because a PAP query has to be verified against a password the server itself holds for that user, whereas an ASCII login can be handed off to whatever backend (PAM here) the server uses.
To illustrate I used the following config:
ip tacacs source-interface mgmt0
tacacs-server host 10.5.0.82 key password
!
aaa group server tacacs+ TAC
  server 10.5.0.82
  use-vrf management
  source-interface mgmt0
!
aaa authentication login default group TAC
aaa authorization config-commands default group TAC
aaa authorization commands default group TAC
aaa accounting default group TAC
For testing I set up two users:
- test1 – has only the default login (ASCII) credential, checked via PAM, and no PAP password under the user account settings
- test2 – has the default login (ASCII) credential via PAM and a PAP password enabled under the user account settings
To perform the authentication testing the following commands were used:
Nexus5k# test aaa server tacacs+ 10.5.0.82 vrf management test1 test2
user has failed authentication
Nexus5k# test aaa server tacacs+ 10.5.0.82 vrf management test2 test2
user has been authenticated
Now, looking at the output of the 'TACACS.LOG' file on the server, something interesting can be observed.
: session.peerip is 10.5.0.196
: connect from 10.5.0.196 [10.5.0.196]
: pap-login query for 'test1' 3000 from 10.5.0.196 rejected
: login failure: test1 10.5.0.196 (10.5.0.196) 3000
: session.peerip is 10.5.0.196
: connect from 10.5.0.196 [10.5.0.196]
: pap-login query for 'test2' 3000 from 10.5.0.196 accepted
: Start authorization request
The query that arrives at the TACACS+ server is a "pap-login" query. This is the reason the authentication for test2 was accepted and test1 was rejected: only test2 has a PAP password the server can check the PAP query against. A query from an IOS device looks different, in that it is a plain "login" (ASCII) query rather than a PAP query.
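To show where the "pap-login" versus "login" distinction actually comes from, here is an added example (my code, not part of the original post or of any Cisco or tac_plus software) that builds the TACACS+ authentication START packet both ways and decodes it the way a server does. Authentication type 1 is ASCII and type 2 is PAP; for PAP the password rides inside the START packet under protocol minor version 1, while for ASCII the data field is empty and the server later asks for the password. The shared key, usernames, port string and client address are taken from the post; the password, session id and privilege level are assumptions chosen here.

```python
"""Added example: TACACS+ authentication START packets, client and server side."""
import hashlib
import struct

# Protocol constants (RFC 8907 numbering; values predate the RFC)
TAC_PLUS_VERSION_ASCII = 0xC0   # major 12, minor 0: ASCII login, password sent later
TAC_PLUS_VERSION_PAP = 0xC1     # major 12, minor 1: PAP/CHAP, password inside START
TAC_PLUS_AUTHEN = 0x01          # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01    # action
TAC_PLUS_PRIV_LVL_USER = 0x01   # assumption: privilege level 1 for the login
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01

# How a tac_plus-style server names the two query types in its log
AUTHEN_TYPE_NAMES = {TAC_PLUS_AUTHEN_TYPE_ASCII: "login",
                     TAC_PLUS_AUTHEN_TYPE_PAP: "pap-login"}

HEADER = struct.Struct("!BBBBII")  # version, type, seq_no, flags, session_id, length
BODY_HDR = struct.Struct("!BBBBBBBB")  # action, priv_lvl, authen_type, service, 4 lengths

KEY = b"password"           # shared secret from 'tacacs-server host 10.5.0.82 key password'
SESSION_ID = 0x1A2B3C4D     # assumption: a real client picks a random value per session


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 keystream: MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1})."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo pad; XOR is its own inverse, so this also decodes."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: str, password: str, port: str, rem_addr: str,
                       key: bytes, session_id: int, use_pap: bool) -> bytes:
    """Client side (the switch): START packet, seq_no 1. PAP puts the password in the
    data field; ASCII leaves data empty and the server replies GETPASS to ask for it."""
    if use_pap:
        version, authen_type, data = TAC_PLUS_VERSION_PAP, TAC_PLUS_AUTHEN_TYPE_PAP, password.encode()
    else:
        version, authen_type, data = TAC_PLUS_VERSION_ASCII, TAC_PLUS_AUTHEN_TYPE_ASCII, b""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    body = BODY_HDR.pack(TAC_PLUS_AUTHEN_LOGIN, TAC_PLUS_PRIV_LVL_USER, authen_type,
                         TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(data))
    body += u + p + r + data
    header = HEADER.pack(version, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, 1)


def parse_authen_start(packet: bytes, key: bytes) -> dict:
    """Server side: decode header and body and report what the server log would say."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet)
    if ptype != TAC_PLUS_AUTHEN or seq_no != 1:
        raise ValueError("not an authentication START packet")
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = BODY_HDR.unpack_from(body)
    if BODY_HDR.size + ul + pl + rl + dl != length:
        raise ValueError("length fields do not add up: wrong shared key or corrupt packet")
    fields, off = [], BODY_HDR.size
    for n in (ul, pl, rl, dl):
        fields.append(body[off:off + n])
        off += n
    user, port, rem_addr, data = (f.decode("ascii", "replace") for f in fields)
    query = AUTHEN_TYPE_NAMES.get(authen_type, f"type-{authen_type}")
    return {
        "query": query,
        "user": user,
        "password_in_start": data if authen_type == TAC_PLUS_AUTHEN_TYPE_PAP else None,
        "log": f"{query} query for '{user}' {port} from {rem_addr}",
    }


def demo() -> list:
    """The post's two users: NX-OS default (PAP) for test1, ASCII for test2."""
    lines = []
    for user, use_pap in (("test1", True), ("test2", False)):
        pkt = build_authen_start(user, "s3cret", "3000", "10.5.0.196", KEY, SESSION_ID, use_pap)
        lines.append(parse_authen_start(pkt, KEY)["log"])
    return lines


if __name__ == "__main__":
    print("\n".join(demo()))
```

Two points worth noticing when running it: the PAP packet carries the password in the START body, where only the MD5 keystream derived from the shared key hides it, so anyone holding the key and a capture recovers it; and the ASCII START carries no password at all, because the server answers with a GETPASS reply and the switch sends the password in a CONTINUE packet (seq_no 3) under the same obfuscation. Neither mode is stronger on the wire; the difference is purely what the server must have on file to answer the query.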
This was reported to Cisco TAC some time ago. In response Cisco added the command "aaa authentication login ascii-authentication", available in NX-OS 5 and later, which changes this default so that the switch sends ASCII login queries and matches the standard IOS behaviour.
Nexus5k# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Nexus5k(config)# aaa authentication login ascii-authentication
Nexus5k(config)#
Looking at the 'TACACS.LOG' file again after re-running the test, both users now arrive as plain "login" queries and the output is what one would expect:
: session.peerip is 10.5.0.196
: connect from 10.5.0.196 [10.5.0.196]
: login query for 'test1' 3000 from 10.5.0.196 accepted
: Start authorization request
: session.peerip is 10.5.0.196
: connect from 10.5.0.196 [10.5.0.196]
: login query for 'test2' 3000 from 10.5.0.196 accepted
: Start authorization request