Troubleshooting Cisco Nexus TACACS+ Authentication With Cisco ISE
Problem:
A problem occurs when configuring TACACS services on a Nexus 7k device with ISE as the TACACS service.
When attempting to configure any tacacs command, the following error message appears:
Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=17(0x11)
Problem Verification:
1. The error "Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=17(0x11)" appears every time we make changes on the CLI
2. The configuration cannot be saved to the switch
Additional Information
Authorization was configured with ISE, and no fall-back was configured on the non-working switch (.253); however, we had another working switch (.252) which had fall-back configured for authorization.
We checked the ISE logs, and authorization was succeeding.
Troubleshooting Process
1. Run several show commands on the switches to check the RAID status info
2. Back up the config of all VDCs via TFTP
3. Reload the switches
Detailed Solution
1. Run several show commands on the switch
N7k2-DS_02# show system internal raid | grep -A 1 "Current RAID status info"
Current RAID status info:
RAID data from CMOS = 0xa5 0xc3
N7k2-DS_02#
Resolution:
Copy the running config to an FTP server or USB. Take a backup from all the VDCs and then reload the chassis. The scenario matches Scenario B:
http://www.cisco.com/c/en/us/support/docs/switches/nexus-7000-series-switches/200540-Nexus-7000-Supervisor-2-2E-Compact-Flash.html#anc8
2. TAC suggested reloading the switch as a workaround and upgrading the OS to 6.2.16, which is recommended.
3. Back up the configuration of every VDC on the switches, including show vlan brief and show run, to a TFTP server:
N7k2-CS_02# copy run tftp:
Enter destination filename: [N7k2-CS_02-running-config]
Enter vrf (If no input, current vrf 'default' is considered):
Notes:
There is a chance that the config on all VDCs will be erased, so it is best practice to save every VDC's config to a TFTP server.
Follow Up