Cisco N5K-C5010P-BF Troubleshooting Guide - Page 133
Unable to decode content of packets with Wireshark, Role assignment fails when user logs
UPC - 882658212208
Page 133 highlights
Chapter 6 Troubleshooting Security Issues
AAA
Send document comments to [email protected].

Possible Cause
The AAA server is not accessible in the network.

Solution
If the problem persists after correcting the VRF association and correcting the user-account credentials, then perform the following:
• If the test aaa command returns the error "error authenticating to server", the route to the server might be missing in the configuration. If the AAA server is associated with the default VRF, use the ping command. If it is associated with VRF management, use the ping vrf management command.
• If the message "No route to host" appears, then the static route to the server is not configured properly. Reconfigure the IP route in the corresponding VRF context.
• Enter the ping command again. If the command is successful, then use the test aaa group command.
• If the ping command is unsuccessful, then check the network connectivity, such as whether the ARP entry of the next-hop router is displayed in the show ip arp [vrf management] command or whether the ARP entry of the Nexus 5000 switch exists in the next-hop router's ARP table.

Unable to decode content of packets with Wireshark
AAA packets were captured from the network, but Wireshark was unable to decode the content of the packets.

Possible Cause
AAA packets are encrypted while the host key is enabled.

Solution
Perform the following steps to decode the content:
• Use the no tacacs-server command to delete the TACACS server configuration.
• Reconfigure the TACACS server without specifying any key.
• Reconfigure the AAA client for the Nexus 5000 switch on the Network Configuration page in ACS while removing the host key.
• Repeat the packet capture. The captured packets should now not be encrypted, and Wireshark should decode the data content properly.
• After the packet capture, the administrator should revert to the host key configuration for better security.
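Why the capture is opaque while a key is configured, as an added example that is not part of the Cisco guide: TACACS+ XORs each packet body with an MD5 pad derived from the shared key (RFC 8907, section 4.5), and a packet sent without a key carries the unencrypted flag instead. The function names and the sample key, body and session ID are constructed for illustration.

```python
import hashlib
import struct

TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # header flag: body is sent in cleartext
HEADER_LEN = 12


def pseudo_pad(session_id: bytes, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: MD5 chain over session_id, key, version, seq_no."""
    seed = session_id + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()  # MD5_n also hashes MD5_(n-1)
        pad += block
    return pad[:length]


def decode_body(packet: bytes, key: bytes) -> bytes:
    """Return the cleartext body of one TACACS+ packet (header + body)."""
    version, _type, seq_no, flags, session_id, length = struct.unpack("!BBBB4sI", packet[:HEADER_LEN])
    body = packet[HEADER_LEN:HEADER_LEN + length]
    if len(body) != length:
        raise ValueError("truncated TACACS+ packet")
    if flags & TAC_PLUS_UNENCRYPTED_FLAG:
        return body  # no key in use: the state the capture procedure creates
    pad = pseudo_pad(session_id, key, version, seq_no, length)
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body: bytes, key: bytes, session_id: bytes, seq_no: int = 1, clear: bool = False) -> bytes:
    """Construct a sample packet (hypothetical helper; XOR is its own inverse)."""
    version, ptype = 0xC0, 0x01  # major version 0xc, minor 0; type 1 = authentication
    flags = TAC_PLUS_UNENCRYPTED_FLAG if clear else 0
    header = struct.pack("!BBBB4sI", version, ptype, seq_no, flags, session_id, len(body))
    if not clear:
        pad = pseudo_pad(session_id, key, version, seq_no, len(body))
        body = bytes(b ^ p for b, p in zip(body, pad))
    return header + body


# Constructed sample values, not taken from any real capture or device.
SAMPLE_KEY = b"example-shared-key"
SAMPLE_BODY = b"constructed body: user=admin port=tty0"
SAMPLE_SID = bytes.fromhex("1a2b3c4d")

if __name__ == "__main__":
    pkt = build_packet(SAMPLE_BODY, SAMPLE_KEY, SAMPLE_SID)
    print("on the wire :", pkt[HEADER_LEN:].hex())
    print("with key    :", decode_body(pkt, SAMPLE_KEY))
```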
Role assignment fails when user logs in
Role assignment fails when the user logs in. (From the perspective of the Nexus 5000 switch AAA.)

Possible Cause
Assuming that the ACS or TACACS+ and RADIUS has the Cisco av pair configured correctly, then the problem might be that the internal or local VRF assignment for the user login is not working correctly.

Solution

OL-25300-01 Cisco Nexus 5000 Series Troubleshooting Guide 6-5