Ever configured a Nexus switch to use AAA to query a Tacacs+ server? Had some trouble applying standard IOS config to NX-OS?
Possibly, if your Tacacs+ server is configured to only allow PAM (Password Authentication Manager) authentication for its users. When an NX-OS switch sends an AAA authentication packet, by default it is encapsulated using PAP encoding. This is in contrast to normal IOS devices, which use PAM encoding by default.
To illustrate I used the following config:
ip tacacs source-interface mgmt0
tacacs-server host 10.5.0.82 key password
!
aaa group server tacacs+ TAC
  server 10.5.0.82
  use-vrf management
  source-interface mgmt0
!
aaa authentication login default group TAC
aaa authorization config-commands default group TAC
aaa authorization commands default group TAC
aaa accounting default group TAC
For testing I set up 2 users:
- test1 – only has the default PAM hash and no PAP hash under the user account settings
- test2 – has the default PAM hash and a PAP hash enabled under the user account settings
To perform the authentication testing the following commands were used:
Nexus5k# test aaa server tacacs+ 10.5.0.82 vrf management test1 test2
user has failed authentication
Nexus5k# test aaa server tacacs+ 10.5.0.82 vrf management test2 test2
user has been authenticated
Now, looking at the ‘TACACS.LOG’ file on the server, some interesting output can be observed.
[33084]: session.peerip is 10.5.0.196
[33096]: connect from 10.5.0.196 [10.5.0.196]
[33097]: pap-login query for 'test1' 3000 from 10.5.0.196 rejected
[33098]: login failure: test1 10.5.0.196 (10.5.0.196) 3000
[33182]: session.peerip is 10.5.0.196
[33187]: connect from 10.5.0.196 [10.5.0.196]
[33188]: pap-login query for 'test2' 3000 from 10.5.0.196 accepted
[33189]: Start authorization request
The query that arrives on the Tacacs+ server is a “pap-login” query. This is the reason why the authentication for test2 (which has a PAP hash) was accepted and test1 (which has none) was rejected. A query from an IOS device looks different in that it is not a PAP query.
This was reported to Cisco TAC some time ago. In response, Cisco created the command “aaa authentication login ascii-authentication”, available in NX-OS 5+, which changes this default behavior to match standard IOS implementations.
Nexus5k# conf t
Enter configuration commands, one per line. End with CNTL/Z.
Nexus5k(config)# aaa authentication login ascii-authentication
Nexus5k(config)#
Looking at the ‘TACACS.LOG’ file again after re-running the tests, the output now looks as one would expect:
[39131]: session.peerip is 10.5.0.196
[39132]: connect from 10.5.0.196 [10.5.0.196]
[39133]: login query for 'test1' 3000 from 10.5.0.196 accepted
[39134]: Start authorization request
[39182]: session.peerip is 10.5.0.196
[39183]: connect from 10.5.0.196 [10.5.0.196]
[39184]: login query for 'test2' 3000 from 10.5.0.196 accepted
[39185]: Start authorization request
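The two log excerpts above (before and after enabling ascii-authentication) are exactly the kind of evidence an operator wants to pull out automatically: which network devices are still sending PAP-encoded logins, and which users are failing only because their account has no PAP hash. The script below is an added example, not code from the original post or from any TACACS+ server; it parses the “login query” / “pap-login query” line format shown in the post (the sample log text is constructed from those lines), and reports per NAS address which query types the server is seeing.

```python
import re
from collections import defaultdict

# Constructed sample logs, modelled on the TACACS.LOG lines quoted in the post.
# BEFORE_FIX: NX-OS default behaviour (PAP-encoded login requests).
BEFORE_FIX = """\
[33084]: session.peerip is 10.5.0.196
[33096]: connect from 10.5.0.196 [10.5.0.196]
[33097]: pap-login query for 'test1' 3000 from 10.5.0.196 rejected
[33098]: login failure: test1 10.5.0.196 (10.5.0.196) 3000
[33182]: session.peerip is 10.5.0.196
[33187]: connect from 10.5.0.196 [10.5.0.196]
[33188]: pap-login query for 'test2' 3000 from 10.5.0.196 accepted
[33189]: Start authorization request
"""

# AFTER_FIX: same switch after "aaa authentication login ascii-authentication".
AFTER_FIX = """\
[39131]: session.peerip is 10.5.0.196
[39132]: connect from 10.5.0.196 [10.5.0.196]
[39133]: login query for 'test1' 3000 from 10.5.0.196 accepted
[39134]: Start authorization request
[39182]: session.peerip is 10.5.0.196
[39183]: connect from 10.5.0.196 [10.5.0.196]
[39184]: login query for 'test2' 3000 from 10.5.0.196 accepted
[39185]: Start authorization request
"""

# Matches both "login query for ..." (ASCII) and "pap-login query for ..." (PAP).
# The "login failure:" summary line deliberately does not match.
QUERY_RE = re.compile(
    r"^\[(?P<pid>\d+)\]: (?P<qtype>pap-login|login) query for "
    r"'(?P<user>[^']+)' (?P<port>\S+) from (?P<nas>\d+\.\d+\.\d+\.\d+) "
    r"(?P<result>accepted|rejected)$"
)


def parse_queries(log_text):
    """Return one dict per authentication query line found in the log text."""
    events = []
    for line in log_text.splitlines():
        m = QUERY_RE.match(line.strip())
        if m:
            event = m.groupdict()
            event["pid"] = int(event["pid"])
            events.append(event)
    return events


def summarize_by_nas(events):
    """Per NAS address: query type -> accepted/rejected counts."""
    summary = defaultdict(lambda: defaultdict(lambda: {"accepted": 0, "rejected": 0}))
    for e in events:
        summary[e["nas"]][e["qtype"]][e["result"]] += 1
    return {nas: {q: dict(c) for q, c in qtypes.items()} for nas, qtypes in summary.items()}


def devices_sending_pap(events):
    """NAS addresses still sending PAP-encoded logins (NX-OS default)."""
    return sorted({e["nas"] for e in events if e["qtype"] == "pap-login"})


def users_rejected_only_under_pap(events):
    """Users rejected on PAP queries but accepted on ASCII logins: the
    symptom of an account with a PAM/login hash but no PAP hash."""
    pap_rejected = {e["user"] for e in events
                    if e["qtype"] == "pap-login" and e["result"] == "rejected"}
    ascii_ok = {e["user"] for e in events
                if e["qtype"] == "login" and e["result"] == "accepted"}
    return sorted(pap_rejected & ascii_ok)


if __name__ == "__main__":
    before = parse_queries(BEFORE_FIX)
    after = parse_queries(AFTER_FIX)
    print("before:", summarize_by_nas(before))
    print("after: ", summarize_by_nas(after))
    print("devices still sending PAP:", devices_sending_pap(before + after))
    print("users failing only under PAP:", users_rejected_only_under_pap(before + after))
```

Run against a real TACACS.LOG, `devices_sending_pap` gives the list of NX-OS devices that still need the ascii-authentication command (or a PAP hash added to every account on the server), and `users_rejected_only_under_pap` points at accounts whose failures are purely a PAP-hash issue rather than a bad password.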
Just wanted to say THANK YOU! We were tearing our hair out wondering why our TACACS server was seeing PAP requests. CHAP obviously didn’t make anything better, but turning on the ASCII authentication now gives plain old “login”.
Thanks for posting this, was very handy to find.
I can also confirm this command works perfectly for Nexus 1000V.
Thanks man. I was pulling my hair out trying to figure out why my tacacs box was failing the user login!
Whoohoo. Damn Nexus switches
Thank you buddy, with the article I am able to make NX-OS run with TAC_Plus
Thanks for posting this! Just as relevant in 2016.
Definitely still relevant, since it’s not actually in Cisco’s Tacacs+ documentation…
Not sure why they couldn’t make it work like the rest of the Cisco platforms. What a pain!
Epic! Thank you. Fixed my issue deploying TACACS.net