
IP - Nexus TACACS+

Friday, April 07, 2017 4:44 PM

Problem:
Problem when configuring TACACS services on a Nexus 7k device with ISE as the TACACS server.

Already configured by referring to this document:


https://communities.cisco.com/docs/DOC-68195

When attempting to configure any TACACS command, this error message appeared:
Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=17(0x11)

Problem Verification:
1. Getting error "Error: AAA authorization failed AAA_AUTHOR_STATUS_METHOD=17(0x11)" every time we make changes on the CLI
2. Cannot save the configuration to switch
Additional Information
Authorization was configured with ISE and there was no fall-back configured on the non-working switch (.253); however, we had another working switch (.252) which had the fall-back configured for authorization.
Checked the ISE logs and authorization was succeeding.

Troubleshooting Process
1. Run several show commands on the switches to check the RAID status info
2. Backup all VDC's config via tftp
3. Reload switches

Detailed Solution
1. Run several show commands on the switch
N7k2-DS_02# show system internal raid | grep -A 1 "Current RAID status info"
Current RAID status info:
RAID data from CMOS = 0xa5 0xc3
N7k2-DS_02#

0xc3 indicates that both the primary and the secondary have failed.


The only way to recover from this situation is to back up the configuration and reload the whole chassis.

Resolution:
Copy the running config to an FTP server or USB. Please take a backup from all the VDCs and then reload the chassis. The situation matches Scenario B:
http://www.cisco.com/c/en/us/support/docs/switches/nexus-7000-series-switches/200540-Nexus-7000-Supervisor-2-2E-Compact-Flash.html#anc8
2. TAC suggested reloading the switch as a workaround and upgrading the OS to 6.2.16, which is recommended.
3. Back up all configuration on all VDCs of the switches, including show vlan brief and show run, to the tftp server:
N7k2-CS_02# copy run tftp:
Enter destination filename: [N7k2-CS_02-running-config]
Enter vrf (If no input, current vrf 'default' is considered):

Field Engineer Journal Page 1


Enter hostname for the tftp server: 192.168.17.212
Trying to connect to tftp server......
Connection to Server Established.
TFTP put operation was successful
Copy complete.
4. Reload the switches
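
The RAID status check from step 1 can be run over saved show-command captures so that a degraded supervisor is noticed before authorization starts failing. This is an added example, not part of the original journal or Cisco's tooling. Only 0xc3 is stated in this note; the other three status values are assumed from the Cisco compact flash document linked above, and the second sample capture and its hostname are constructed.

```python
import re

# Second CMOS byte -> flash RAID state. Only 0xc3 is stated in this note;
# the other three values are assumed from Cisco's compact flash document.
RAID_STATES = {
    0xF0: "healthy",
    0xE1: "primary failed",
    0xD2: "secondary failed",
    0xC3: "both failed",
}

PROMPT_RE = re.compile(r"^(\S+)# show system internal raid", re.M)
CMOS_RE = re.compile(
    r"RAID data from CMOS = (0x[0-9a-fA-F]{1,2}) (0x[0-9a-fA-F]{1,2})")


def raid_state(output):
    """Return (hostname, state) parsed from one captured show-command session."""
    host = PROMPT_RE.search(output)
    cmos = CMOS_RE.search(output)
    name = host.group(1) if host else "unknown"
    if not cmos:
        return name, "no RAID data in output"
    status = int(cmos.group(2), 16)
    return name, RAID_STATES.get(status, f"unrecognised status {status:#04x}")


def needs_action(state):
    """Anything other than healthy warrants a backup of every VDC config."""
    return state != "healthy"


# Constructed sample captures: the first mirrors the output in this note,
# the second is a made-up single-failure case on a hypothetical host.
SAMPLES = [
    'N7k2-DS_02# show system internal raid | grep -A 1 "Current RAID status info"\n'
    "Current RAID status info:\nRAID data from CMOS = 0xa5 0xc3\n",
    'N7k-EXAMPLE# show system internal raid | grep -A 1 "Current RAID status info"\n'
    "Current RAID status info:\nRAID data from CMOS = 0xa5 0xe1\n",
]

if __name__ == "__main__":
    for capture in SAMPLES:
        host, state = raid_state(capture)
        flag = "BACK UP ALL VDCs" if needs_action(state) else "ok"
        print(f"{host}: {state} [{flag}]")
```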

Notes:
There is a chance that all config on all VDCs will be erased, so it's a best practice to save all VDC config to a tftp server.
Follow Up
