Tac_Plus (open source TACACS+ server) and NAM (Network Analysis Module)

I am trying to set up our Cisco NAMs to authenticate against our open source tac_plus server. I see traffic on port 49 between the NAM and the server, but I keep getting an invalid username/password error. I do not see any invalid logon attempts in our tacacs log.
The tacacs server is running and I am able to authenticate against it when I log onto our routers and switches. I have created the following group for NAM authentication on the server ("namuser" is able to log onto our routers/switches):
# group carrying the NAM web-GUI command permits
group = nam {
    cmd = web {
        permit capture
        permit system
        permit collection
        permit account
        permit alarm
        permit view
    }
}
# NAM login user; inherits the web permits from the group
user = namuser {
    member = nam
    login = pam tac_plus
}

Switch config:
aaa new-model
aaa authentication username-prompt login:
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable
aaa authorization commands 15 default group tacacs+ local
tacacs-server host x.x.x.x
tacacs-server directed-request
tacacs-server key ********
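The thread does not say what fixed this, but the first thing to check with a tac_plus.conf that looks right is whether it parses at all: as pasted above, the group and user blocks are never closed. The following is an added example, not code from the post or from tac_plus itself (which has its own parse-only mode, `tac_plus -P`): a small parser for the block syntax that reports unclosed blocks and, once the braces are balanced, lists the `cmd = web` permits namuser inherits through `member = nam`.

```python
import re

# Constructed samples: POSTED_CONF is the config exactly as pasted in the post
# (its group and user blocks are never closed); FIXED_CONF adds the two braces.
POSTED_CONF = """\
group = nam {
cmd = web { permit capture
permit system
permit collection
permit account
permit alarm
permit view }
user = namuser {
member = nam
login = pam tac_plus
"""
FIXED_CONF = POSTED_CONF.replace("permit view }", "permit view }\n}") + "}\n"


def parse_tac_plus(text):
    """Parse tac_plus.conf block syntax into nested dicts keyed by (kind, name),
    e.g. conf["blocks"][("user", "namuser")]. Raises ValueError on unbalanced braces."""
    root = {"statements": [], "blocks": {}}
    stack, headers = [root], []
    for lineno, line in enumerate(text.splitlines(), 1):
        parts = re.split(r"([{}])", line.split("#", 1)[0])  # braces become tokens
        for i, part in enumerate(parts):
            if part == "{":
                header = parts[i - 1].strip()  # e.g. "group = nam" or "cmd = web"
                if "=" not in header:
                    raise ValueError(f"line {lineno}: '{{' without a 'kind = name' header")
                kind, name = (s.strip() for s in header.split("=", 1))
                child = {"statements": [], "blocks": {}}
                stack[-1]["blocks"][(kind, name)] = child
                stack.append(child)
                headers.append(header)
            elif part == "}":
                if len(stack) == 1:
                    raise ValueError(f"line {lineno}: unmatched '}}'")
                stack.pop()
                headers.pop()
            elif part.strip() and not (i + 1 < len(parts) and parts[i + 1] == "{"):
                stack[-1]["statements"].append(part.strip())  # "permit capture", "member = nam"
    if headers:
        raise ValueError("unclosed block(s): " + ", ".join(headers))
    return root


def config_error(text):
    """Return the parser's complaint for a config, or None when it is well-formed."""
    try:
        parse_tac_plus(text)
    except ValueError as err:
        return str(err)
    return None


def effective_web_permits(conf, username):
    """Collect the `cmd = web` permits a user gets, looking in the user block first
    and then following its `member = <group>` chain, as tac_plus does for lookups."""
    permits, seen = [], set()
    node = conf["blocks"].get(("user", username))
    while node is not None:
        web = node["blocks"].get(("cmd", "web"))
        if web:
            permits += [s.split(None, 1)[1] for s in web["statements"] if s.startswith("permit ")]
        parents = [s.split("=", 1)[1].strip() for s in node["statements"] if s.startswith("member")]
        if not parents or parents[0] in seen:  # no parent group, or a membership loop
            break
        seen.add(parents[0])
        node = conf["blocks"].get(("group", parents[0]))
    return permits
```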

Similar Messages

  • NAM(Network Analysis Module) Question

    I have a NAM-2 (3.3.1 with patch 3.3.1).
    I just installed the NAM in a Cat6509 and then started monitoring.
    I had configured SPAN (both and rx) to redirect the whole traffic from the Cat6500 to the NAM.
    At this time, I didn't configure anything about VLANs, because I know the NAM (3.3.1 and later) can gather the whole VLAN from the Supervisor Engine without any configuration about VLANs.
    I tried to watch the status of the VLANs in the NAM's web page menu, but I can only see one VLAN. I couldn't see the rest of them.
    The web page told me "No data available".
    How can I see the rest of the VLANs?
    Thank you...

    Have you enabled the collections for your span source under Setup->Monitor screen in the NAM Web GUI?

  • Network Analysis Module (NAM) port-adapter not collect data

    Hi,
    I have an issue collecting data on adapter 1: it doesn't collect data, but I see that adapter 2 does collect data on module 4.
    monitor session 1 source vlan 102 rx
    monitor session 1 destination analysis-module 4 data-port 1
    monitor session 2 source vlan 106 rx
    monitor session 2 destination analysis-module 4 data-port 2
    I reconfigured the monitor sessions again and the issue continues. It is always OK on data-port 2.
    - show version Cisco 6513
    Cisco IOS Software, s72033_rp Software (s72033_rp-ADVENTERPRISEK9_WAN-M), Version 12.2(33)SXH7, RELEASE SOFTWARE (fc3)
    - show version NAM
    NAM application image version: 3.5(1b)
    - sh module
    Ports  Card Type                    Model
    8      Network Analysis Module      WS-SVC-NAM-2
    Hw     Fw           Sw           Status
    2.0    7.2(1)       3.5(1b)      Ok
    Any idea or question?

    Hi,
    I see in the web GUI that 2 monitor sessions are active with Destination Module 4.
    Active SPAN Sessions
    Monitor Session  Type  Source - Direction  Dest. Port  Dest. Module  Status
    1                vlan  (106) - Rx          4/7         4 (local)     active
    2                vlan  (102) - Rx          4/8         4 (local)     active
    But I don't see data for DATA PORT 1, although I do see data for DATA PORT 2:
    Data Source:
    Most Active Applications (bytes/sec)          No data available
    Most Active Hosts (output bytes/sec)  Total hosts  90 (Network)  No data available
    Protocol Suites                               No data available
    Server Response Times (msec)                  No data available
    Any ideas?

  • Network Analysis Module - Capture File Download

    Hello,
    we have a NAM module (Network Analysis Module 3, WS-SVC-NAM-3-K9) installed in a 6506-E, software version 6.0.
    We have generated some capture files that we would now like to download at once, not by clicking each file and making a single download.
    There are some 2000 files, that's why :-)
    Does anyone have an idea how to do that? Is there any direct access to the internal hard drive? I could not find anything in the CLI or GUI guides.
    Thanks
    Thanks

  • Linux VM server and VM network configuration

    Hi,
    I have an Oracle Linux 5 server with Oracle VM Server 2.2.1 software installed. I downloaded the OEL5 x86 VM template and set it up using the netmask, DNS and default gateway of the VM server machine. Now I realize I cannot access the internet from inside this virtual machine, so I think the DNS and gateway are not correctly set up.
    Please note that I can ssh to the VM from the VM server.
    Can you please guide me as to what DNS and gateway I should use for configuring my VMs? Do I need to set up an IP alias with a different DNS?
    My VM server IP is (some values changed) 99.44.95.115, DNS 213.133.98.98, default gateway 99.44.95.97, netmask 255.255.255.224.
    So for my first VM I am using IP 99.44.95.98, DNS 213.133.98.98, default gateway 99.44.95.97, netmask 255.255.255.224.
    Am I doing anything wrong? I am completely new to Linux and networking, so I am still learning.
    Just a general idea would take me a long way.
    Regards
    CP

    Netmasks are used to identify which portion of an IP address represents the network address and which portion represents the machine address. It affects your broadcast address and defines the range of addresses that you can communicate with directly, without the need for an IP gateway. You do not need an IP gateway to communicate with other hosts on the same subnet because they should be physically connected and hence receive each other's broadcasts in order to know how to translate IP to a machine address.
    There are a couple of easy troubleshooting techniques. Like I mentioned in my previous post, you can use the ping utility to check your IP communication. Open a terminal window and type e.g.: "ping 99.44.95.97". But make sure you do not have a firewall that blocks the ICMP protocol that the ping utility uses.
    a) Check if you can ping other machines on the same network.
    You should be able to ping other hosts on the same subnet. If not, then you most likely have a problem with your IP configuration or network driver (hardware). Can you ping your own host? Is the network up?
    b) Check if you can ping the gateway.
    If you cannot ping the gateway but a) works, then your IP gateway address is wrong or the gateway is down.
    c) Check if you can ping the DNS.
    Provided that a) and b) work and you cannot ping the DNS server, then either the DNS address is wrong or the server is down, or the IP gateway is not configured properly.
    Please check the above in order to isolate the problem. The link to the Oracle documentation in one of the previous replies will let you verify the vm.cfg file to check if you have configured bridged networking (default).
    Posts about the same issue in different forums are usually not welcome here and the forum moderator might lock the thread. If you already have a thread, I suggest you provide the link here in order for us to see what has already been done, and make a note in the old thread to continue here.
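To make the reply's reasoning concrete for the addresses in the question, here is an added example (not from the thread) that derives the subnet from the VM server's address and mask and checks where the gateway, the proposed VM address and the DNS server fall relative to it; the address values are the ones the poster gave.

```python
import ipaddress

# Addresses as given in the question above (the poster notes some values were changed).
THREAD = dict(server_ip="99.44.95.115", netmask="255.255.255.224",
              gateway="99.44.95.97", dns="213.133.98.98", vm_ip="99.44.95.98")


def check_vm_addressing(server_ip, netmask, gateway, dns, vm_ip):
    """Derive the subnet from the VM server's own address and mask, then report the
    facts the reply walks through: network and broadcast, the usable host range,
    whether the gateway and the VM sit inside it, whether the VM address collides
    with the server or the gateway, and whether DNS is reachable only via the gateway."""
    iface = ipaddress.ip_interface(f"{server_ip}/{netmask}")
    net = iface.network
    gw, vm, resolver = (ipaddress.ip_address(a) for a in (gateway, vm_ip, dns))
    hosts = list(net.hosts())  # excludes the network and broadcast addresses
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "usable_range": (str(hosts[0]), str(hosts[-1])),
        "gateway_in_subnet": gw in net,
        "vm_in_subnet": vm in net,
        "vm_is_usable_host": vm in hosts,
        "vm_collides": vm in (iface.ip, gw),
        "dns_via_gateway": resolver not in net,  # off-subnet DNS depends on step b) working
    }
```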

  • JPG file opens fine on server and fine in Google Chrome but Upside Down in IE11

    We have a jpg file that is on a server. When you link directly to the file so that there is no HTML or CSS code, it opens fine in Google Chrome, but IE is flipping it upside down. I have access to the server itself, the computer with the jpg file on it, and when I open it in File Explorer (not Internet Explorer) it opens in the default picture viewer program just fine. The picture was taken with an iPhone. Is there a way to disable this unwanted picture flipping in IE?

    In Windows try right clicking on an iPhone photo and selecting Properties -> Details Tab.
    Scroll through the list of EXIF metadata.
    Now open the same photo in a decent EXIF viewer and see how much extra EXIF metadata is presented.
    The image below highlights one piece of metadata not exposed by Windows - orientation.
    To avoid problems try deleting all but the most basic metadata. See for example
    http://www.makeuseof.com/tag/3-ways-to-remove-exif-metadata-from-photos-and-why-you-might-want-to/

  • Install and configure Cisco Network Analysis Module NAM-2

    Hi,
    Does anyone have a step-by-step document on how to install and configure the Cisco NAM-2 module?
    Thanks in advance.
    Regards,
    Lamine

    Hi Lamine,
    The official installation guides for NAM software can be found here:
    http://www.cisco.com/en/US/products/sw/cscowork/ps5401/prod_installation_guides_list.html
    Is this what you are looking for?
    Cheers,
    Shane

  • Network Analysis Module (NAM) appliance 2220 version 5.0.1 and SNMPv3

    Hello,
    Is there some patch requirement for SNMPv3 on the NAM appliance ?
    I tried SNMPv1 on a 6509 with VSS; it works fine and I could capture the packet of the SNMP request.
    If I try to move to SNMPv3, the communication fails and there are no SNMP packets transmitted from the NAM.
    I was wondering if there is a patch requirement for SNMPv3 (as for SSL or HTTPS)?
    Kind regards
    Charles

    I attached a file with the 6509 config, sh snmp user and sh snmp result.
    When I go to:
    Setup > Managed Device > Device Information
    I've got:
    Access to the managed device failed. This may be due to
          1. Incorrect managed device IP address.
          2. Incorrect managed SNMP community string.
          3. The managed device's SNMP access control list is enabled.
    If the managed device's IP address or community string is incorrect, please use the input fields below to set the correct IP address and SNMP read-write community string. Otherwise, check if your managed device's SNMP access control list is enabled and make sure that the NAM's IP address shown in the Test popup window is included in the access control list.
    I've got this result when I test SNMP connectivity on the 2220. I tested SNMPv3 with authpriv, authnopriv and noauthnopriv.
    Test Connectivity:
    SNMP read from managed device:     Failed
    SNMP write from managed device:     Failed
    So I was thinking of some small license requirement for SNMPv3, as no packets were transmitted from the 2220, unlike in SNMPv1 where I could capture the management packet.

  • My Apple TV suddenly stopped connecting to the server and the network. All devices in my house work just fine. Have tried unplugging, resetting all settings, and disconnecting wireless and reconnecting; nothing works. Please help, very frustrating

    Tried all troubleshooting; unplugged, reset all settings, disconnected and reconnected wireless
    The device worked fine for over a month until today
    All other devices in my home are working just fine
    very frustrating
    please help

    But my current SIM card works just fine in my friend's iPhone 5... wouldn't the logic follow that the problem is with the device itself (the phone) and not the card?

  • Cisco Prime Network Analysis Module (NAM) 5.1

    Hi, I have a NAM-2 with software version 4.2 installed in my network and I am making very good use of these modules for troubleshooting.
    I can run multiple capture files at the local disk simultaneously and I can decode in real time any capture file which is running.
    I want to clarify the following things.
    I upgraded one of my NAM-2s from 4.2 to 5.1 but I see the following differences:
    I cannot do multiple captures at the local disk simultaneously. It is not allowing me to create a 2nd capture at the local disk while one is already running, while in version 4.2 I can run multiple captures to the local disk.
    This means if I have a 40G local disk, it becomes reserved for one capture until I stop and save there.
    Also I cannot decode a running capture file in real time until I stop it.
    I would appreciate it if someone can clarify whether this was an enhancement in NAM 5.1?
    Configuring Capture Sessions
    You can create up to ten capture sessions, and only one capture session per disk (local or external).
    http://www.cisco.com/en/US/docs/net_mgmt/network_analysis_module_software/5.0_1_T/user/guide/capting.html#wp1252570

    NAM 5.x removes the ability to perform multiple captures to a single local disk because that results in unreliable capture behavior (packets may or may not be dropped depending on whether the disk can keep up with the data rate).
    You should still be able to decode memory captures while running. For disk captures, the capture file must not be in use (i.e., for a multi-file capture, you can decode any file other than the one currently being written to).

  • Cisco Network Analysis Module (NAM) data monitoring port

    Hi, need some insight on this please.  Your comments are appreciated.
    My Cisco NAM 2220 comes with a 10G data monitoring port. Can I configure an IP address on this port for data monitoring?
    Or can this data port only support monitoring SPAN, RSPAN, ERSPAN and VACL (not IP routing), and does it need to function in promiscuous mode only?
    Many thanks
    Joe

  • Network Analysis Module SNMP Spoofing

    I had a question about the recent NAM
    vulnerability advisory for the Cat 6000,6500s. I am running OS v7.6(5).
    Do I have to worry?
    Thanks for your help.
    -B

    I hope the following link will guide you
    http://www.cisco.com/en/US/products/sw/custcosw/ps1973/products_feature_guide_chapter09186a00803b7ddb.html

  • How do I get connected to a server on my network via an IP address?  When I try to open in a URL and login as a registered user with proper login it errors out saying there was a problem with connecting to the server?

    I am new to Mac...How do I get connected to a server on my network via a hyper link IP address path?  When I try to open in a URL and login as a registered user with proper login it errors out saying there was a problem with connecting to the server?

    Some of the following is going to use some technical terms — this area is inherently somewhat technical. 
    If you don't understand some part of the following reply, please ask.
    Is this your own OS X Server system on your own network, or is this some other server within some larger organization? 
    You're posting this in the OS X Server forum, which is a software package that allows OS X systems to provide web-based and many other services; to become servers.
    If it's your OS X Server on your network, then the network and DNS configurations are suspect, or the server is somehow malfunctioning or misconfigured.   This is unfortunately fairly common, as some folks do try to avoid setting up DNS services.
    If it's a larger organization and somebody else is managing the server and the network, then you'll probably need to contact the IT folks for assistance; to learn the network setup and DNS requirements, and if there's a problem with the server itself.
    The basic web URL "hyper link IP address path" — without using DNS — usually looks something like the following, where you'll need to replace 10.20.30.40 with the IP address of your server:
    http://10.20.30.40
    UptimeJeff has posted a URL that specifies the AFP file system; an OS X file share.  That's used if you're connecting to an Apple storage service somewhere on your network.  You might alternatively need to specify smb://10.20.30.40 or such, if it's a Windows file server.  (There can be additional requirements for connecting to Windows Server systems, too.)
    If there's local IT staff available here, please contact them for assistance.  If these are your own local systems and your own local OS X Server system, then some information on the server will be needed.  (If you're on a NAT'd network, you'll also need to get DNS services configured and working on your local OS X Server system and your network — you'll not be able to skip this step and reference ISP DNS servers here — or things can and usually will get weird.)

  • CSACS TACACS Server 5.0 Timeout and Latency

    Hi,
    I have successfully configured a new Linux based Cisco Secure ACS server (version is 5.0.0.21 and Internal build: B.2757) and integrated it with AD. Both the internal users and the AD users are authenticating ok and are successfully logged onto the end devices on privilege level 15. The issue that I am getting is that for some strange reason AD users are taking too long (approx 38 secs) to get authenticated/authorised etc. In fact this was causing authentication issues previously, as the tacacs timeout on the end device was set too low and thus the TACACS server response was timing out. I rectified this by increasing the TACACS timeout to around 25 secs, which then resulted in successful TACACS authentication/authorisation.
    The high response time is however very frustrating. We have an existing Windows based (4.2) TACACS server and when I point my end devices (routers, switches) to this old server it takes only a few seconds for authentication but with the new ACS server it takes close to 38 secs. I am suspecting it might be to do with AD integration as the internal users on the new server are working fine. There are no latency or networking issues with the new server as the pings are looking ok.
    I have pasted my debug tacacs output obtained from the end device below. The first is with the new server (y.y.y.y) and the second is with the old (working) server (x.x.x.x) :
    New Server:
    4d09h: TAC+: send AUTHEN/START packet ver=192 id=64484812
    4d09h: TAC+: Using default tacacs server-group "tacacs+" list.
    4d09h: TAC+: Opening TCP/IP to y.y.y.y/49 timeout=25
    4d09h: TAC+: Opened TCP/IP handle 0x80CCF630 to y.y.y.y/49
    4d09h: TAC+: y.y.y.y (64484812) AUTHEN/START/LOGIN/ASCII queued
    4d09h: TAC+: (64484812) AUTHEN/START/LOGIN/ASCII processed
    4d09h: TAC+: ver=192 id=64484812 received AUTHEN status = GETUSER
    4d09h: TAC+: send AUTHEN/CONT packet id=64484812
    4d09h: TAC+: y.y.y.y (64484812) AUTHEN/CONT queued
    4d09h: TAC+: (64484812) AUTHEN/CONT processed
    4d09h: TAC+: ver=192 id=64484812 received AUTHEN status = GETPASS
    4d09h: TAC+: send AUTHEN/CONT packet id=64484812
    4d09h: TAC+: y.y.y.y (64484812) AUTHEN/CONT queued
    4d09h: TAC+: (64484812) AUTHEN/CONT processed
    4d09h: TAC+: ver=192 id=64484812 received AUTHEN status = PASS
    4d09h: TAC+: Closing TCP/IP 0x80CCF630 connection to y.y.y.y/49
    4d09h: TAC+: using previously set server y.y.y.y from group tacacs+
    4d09h: TAC+: Opening TCP/IP to y.y.y.y/49 timeout=25
    4d09h: TAC+: Opened TCP/IP handle 0x80CCFAC4 to y.y.y.y/49
    4d09h: TAC+: Opened y.y.y.y index=1
    4d09h: TAC+: y.y.y.y (1028597070) AUTHOR/START queued
    4d09h: TAC+: (1028597070) AUTHOR/START processed
    4d09h: TAC+: (1028597070): received author response status = PASS_ADD
    4d09h: TAC+: Closing TCP/IP 0x80CCFAC4 connection to y.y.y.y/49
    4d09h: TAC+: Received Attribute "priv-lvl=15"
    jontest#
    Old (Working) Server:
    4d09h: TAC+: send AUTHEN/START packet ver=192 id=1150277789
    4d09h: TAC+: Using default tacacs server-group "tacacs+" list.
    4d09h: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=25
    4d09h: TAC+: Opened TCP/IP handle 0x80CD10D4 to x.x.x.x/49
    4d09h: TAC+: x.x.x.x (1150277789) AUTHEN/START/LOGIN/ASCII queued
    4d09h: TAC+: (1150277789) AUTHEN/START/LOGIN/ASCII processed
    4d09h: TAC+: ver=192 id=1150277789 received AUTHEN status = GETUSER
    4d09h: TAC+: send AUTHEN/CONT packet id=1150277789
    4d09h: TAC+: x.x.x.x (1150277789) AUTHEN/CONT queued
    4d09h: TAC+: (1150277789) AUTHEN/CONT processed
    4d09h: TAC+: ver=192 id=1150277789 received AUTHEN status = GETPASS
    4d09h: TAC+: send AUTHEN/CONT packet id=1150277789
    4d09h: TAC+: x.x.x.x (1150277789) AUTHEN/CONT queued
    4d09h: TAC+: (1150277789) AUTHEN/CONT processed
    4d09h: TAC+: ver=192 id=1150277789 received AUTHEN status = PASS
    4d09h: TAC+: Closing TCP/IP 0x80CD10D4 connection to x.x.x.x/49
    4d09h: TAC+: using previously set server x.x.x.x from group tacacs+
    4d09h: TAC+: Opening TCP/IP to x.x.x.x/49 timeout=25
    4d09h: TAC+: Opened TCP/IP handle 0x80CD1568 to x.x.x.x/49
    4d09h: TAC+: Opened x.x.x.x index=1
    4d09h: TAC+: x.x.x.x (551069827) AUTHOR/START queued
    4d09h: TAC+: (551069827) AUTHOR/START processed
    4d09h: TAC+: (551069827): received author response status = PASS_ADD
    4d09h: TAC+: Closing TCP/IP 0x80CD1568 connection to x.x.x.x/49
    4d09h: TAC+: Received Attribute "priv-lvl=15"
    Any suggestions would be much appreciated.

    Richard, Kashif,
    1) 10.2.100.100 is a dummy IP to be sure we have a correct test scenario:
    tacacs-server host 10.2.100.100
    tacacs-server host 10.2.17.203
    2) We have defined 2 test switches with this config:
    C3560 (12.2(53))
    C3750 (12.2(55))
    With our 3560, it hits the 5s timeout of the dead tacacs server; once logged in, all other tacacs commands are handled by 10.2.17.203.
    Failed connect attempts rises by 1.
    With our 3750, with each tacacs command it hits the 5s timeout of the dead tacacs server every time before going to 10.2.17.203, so all commands are executed but each time with a timeout delay of 5s.
    Failed connect attempts rises by the number of tacacs commands typed.
    Many thanks,
    Lieven Stubbe
    Belgian Railways
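Both posts above come down to reading `debug tacacs` output for the state machine and for which server actually answered. The following added example (not from either post, nor from Cisco) parses the transcript quoted in the first post into the servers tried, the AUTHEN prompt sequence, the authorization verdict and the returned attributes, then flags the two things these posts describe: a dead primary that costs a timeout on every request, and a timeout raised well above the IOS default of 5 s. The dead-primary transcript is constructed from the 10.2.100.100 address in Lieven's post and omits the connect-failure lines IOS would log in between.

```python
import re

# Constructed sample: the "New Server" exchange from the post above, abridged to the
# lines the parser reads (the queued/processed lines are dropped).
SAMPLE_DEBUG = """\
4d09h: TAC+: send AUTHEN/START packet ver=192 id=64484812
4d09h: TAC+: Opening TCP/IP to y.y.y.y/49 timeout=25
4d09h: TAC+: Opened TCP/IP handle 0x80CCF630 to y.y.y.y/49
4d09h: TAC+: ver=192 id=64484812 received AUTHEN status = GETUSER
4d09h: TAC+: send AUTHEN/CONT packet id=64484812
4d09h: TAC+: ver=192 id=64484812 received AUTHEN status = GETPASS
4d09h: TAC+: send AUTHEN/CONT packet id=64484812
4d09h: TAC+: ver=192 id=64484812 received AUTHEN status = PASS
4d09h: TAC+: Closing TCP/IP 0x80CCF630 connection to y.y.y.y/49
4d09h: TAC+: Opening TCP/IP to y.y.y.y/49 timeout=25
4d09h: TAC+: Opened TCP/IP handle 0x80CCFAC4 to y.y.y.y/49
4d09h: TAC+: (1028597070): received author response status = PASS_ADD
4d09h: TAC+: Closing TCP/IP 0x80CCFAC4 connection to y.y.y.y/49
4d09h: TAC+: Received Attribute "priv-lvl=15"
"""
# Constructed variant of Lieven's dead-primary case: the authentication request goes
# to 10.2.100.100 first (the failure lines IOS would log in between are omitted).
FALLBACK_DEBUG = SAMPLE_DEBUG.replace(
    "Opening TCP/IP to y.y.y.y/49 timeout=25", "Opening TCP/IP to 10.2.100.100/49 timeout=5", 1)

OPEN_RE = re.compile(r"TAC\+: Opening TCP/IP to (\S+)/\d+ timeout=(\d+)")
AUTHEN_RE = re.compile(r"received AUTHEN status = (\w+)")
AUTHOR_RE = re.compile(r"received author response status = (\w+)")
ATTR_RE = re.compile(r'Received Attribute "([^"]+)"')


def summarize_tacacs_debug(text):
    """Reduce a `debug tacacs` transcript to what an operator checks: servers tried (in
    order), TCP sessions opened, configured timeout, the AUTHEN prompt sequence, the
    authorization verdict and the attributes the server returned."""
    s = {"servers": [], "connections": 0, "timeout": None,
         "authen_statuses": [], "author_status": None, "attributes": {}}
    for line in text.splitlines():
        if m := OPEN_RE.search(line):
            s["connections"] += 1  # in this transcript IOS opens one TCP session per request
            s["timeout"] = int(m.group(2))
            if m.group(1) not in s["servers"]:
                s["servers"].append(m.group(1))  # a second server means fallback happened
        elif m := AUTHEN_RE.search(line):
            s["authen_statuses"].append(m.group(1))
        elif m := AUTHOR_RE.search(line):
            s["author_status"] = m.group(1)
        elif m := ATTR_RE.search(line):
            key, _, value = m.group(1).partition("=")
            s["attributes"][key] = value
    return s


def check_exchange(summary, default_timeout=5):
    """Findings for one login; empty means GETUSER -> GETPASS -> PASS, a passing
    authorization, a single server, and no timeout above the IOS default (5 s)."""
    findings, statuses = [], summary["authen_statuses"]
    if statuses[:2] != ["GETUSER", "GETPASS"]:
        findings.append(f"unexpected prompt sequence {statuses[:2]}")
    if not statuses or statuses[-1] != "PASS":
        findings.append(f"authentication ended in {statuses[-1] if statuses else 'no status'}")
    if summary["author_status"] not in ("PASS_ADD", "PASS_REPL"):
        findings.append(f"authorization status {summary['author_status']}")
    if len(summary["servers"]) > 1:
        findings.append(f"fell back across servers {summary['servers']}: every request "
                        "first waits out the dead server's timeout")
    if summary["timeout"] is not None and summary["timeout"] > default_timeout:
        findings.append(f"timeout raised to {summary['timeout']}s; this masks a slow server")
    return findings
```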

  • Hardcode and open source

    Technically, what do hardcode and open source mean?
    And JasperReports and iReport, they are used for report generation in Java, right? Is report generation a separate process, or is it embedded in a Java app?

    Duplicate thread.
