Cisco N5K-C5010P-BF Troubleshooting Guide - Page 134
No command accounting logs on ACS server when TACACS+ accounting enabled
Page 134 highlights
Chapter 6 Troubleshooting Security Issues
AAA

Perform the following steps for role assignment:

• Check which AAA group is being used for authentication with the show running-config aaa and show aaa authentication commands.
• For TACACS+, check the VRF association with the AAA group with the show tacacs-server groups and show running-config tacacs+ commands.
• For RADIUS, check the VRF association with the AAA group with the show radius-server groups and show running-config radius commands.
• If the above commands show that the association is correct, then use the debug tacacs+ all command to enable the trace.
• Log in the user again, and collect the debug trace. The trace should contain information for further investigation (as shown in the example).

  Example:

    tacacs: process_aaa_tplus_request: Group t1 found. corresponding vrf is management

• Use the no debug tacacs+ all command to turn off debug tracing on TACACS+.

No command accounting logs on ACS server when TACACS+ accounting enabled

When TACACS+ accounting is enabled, the command accounting logs on the ACS server are not found.

Possible Cause

The ACS server configuration is wrong or incomplete.

Solution

Perform the following steps:

• In the ACS GUI in Network Configuration, go to the AAA Client Setup for any client. Check the checkbox for Log Update/Watchdog Packets from this AAA Client. Click the Submit + Apply button.
• Verify CMD Accounting with the following menu path:

    Reports and Activity > TACACS+ Administration

  Open the Tacacs+Administration .csv file and verify the cmd and timestamp on each row of the file.

PAP authentication does not work for RADIUS

PAP authentication works for TACACS+ but not for RADIUS.

Possible Cause

Starting with Release 4.2(1), NX-OS only supports ASCII (PAP) authentication for TACACS+.

Solution

In NX-OS, ASCII authentication is equivalent to PAP authentication. By default, both TACACS+ and RADIUS use CHAP. You can switch to PAP authentication with the aaa authentication login ascii-authentication command.

Cisco Nexus 5000 Series Troubleshooting Guide 6-6 OL-25300-01
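For the role-assignment steps above, a collected debug tacacs+ all trace can be checked against the intended group-to-VRF mapping with a short script. This is an added example, not code from the Cisco guide; the function name check_trace, the expected mapping and every sample line other than the guide's own example line are assumptions.

```python
import re

# Trace line format taken from the guide's example:
#   tacacs: process_aaa_tplus_request: Group t1 found. corresponding vrf is management
TRACE_RE = re.compile(
    r"process_aaa_tplus_request:\s*Group\s+(?P<group>\S+)\s+found\.\s*"
    r"corresponding vrf is\s+(?P<vrf>\S+)",
    re.IGNORECASE,
)


def check_trace(trace_text, expected):
    """Compare group/VRF pairs seen in a debug trace with the intended mapping.

    expected: dict of AAA group name -> VRF that group should use (assumed to be
    read off the running configuration by the operator).
    Returns a list of (line_number, group, problem); an empty list means every
    request in the trace used an expected group in its expected VRF.
    """
    findings = []
    seen = set()
    for lineno, line in enumerate(trace_text.splitlines(), 1):
        m = TRACE_RE.search(line)
        if not m:
            continue  # other debug output is ignored
        group, vrf = m.group("group"), m.group("vrf")
        seen.add(group)
        if group not in expected:
            findings.append((lineno, group, f"unexpected group (vrf {vrf})"))
        elif vrf != expected[group]:
            findings.append((lineno, group, f"vrf {vrf}, expected {expected[group]}"))
    # A configured group that never appears means logins are not reaching it.
    for group in sorted(set(expected) - seen):
        findings.append((None, group, "never selected in this trace"))
    return findings


# Constructed sample: line 1 is the guide's example, line 2 is made up.
SAMPLE_TRACE = """\
tacacs: process_aaa_tplus_request: Group t1 found. corresponding vrf is management
tacacs: process_aaa_tplus_request: Group t2 found. corresponding vrf is default
"""

if __name__ == "__main__":
    wanted = {"t1": "management", "t2": "management"}
    for lineno, group, problem in check_trace(SAMPLE_TRACE, wanted):
        print(f"line {lineno}: group {group}: {problem}")
```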