Resolving 'Login Incorrect' Errors with TACACS+ on Nexus 9000 Series (NX-OS 10.4+)

SPOTO Cisco Expert

1.0 Problem Statement

Network administrators implementing Terminal Access Controller Access-Control System Plus (TACACS+) on Cisco Nexus 9000 series switches, specifically models like the 9364C running NX-OS version 10.4(4) or later, may encounter a perplexing issue. After configuring the switch for TACACS+ authentication, authorization, and accounting (AAA), attempts to log in with a valid remote user account fail with a “Login incorrect” message.

This failure occurs despite the following indicators suggesting a correct configuration:

  • The test aaa server tacacs+... command completes successfully for the user.
  • Debug outputs (debug tacacs all, debug aaa all) show that the Nexus switch successfully communicates with the TACACS+ server.
  • The TACACS+ server logs and switch debugs both indicate a successful authentication response (TACACS_PLUS_AUTHEN_STATUS_PASS) is sent back to the switch.

This document provides a detailed root cause analysis and a step-by-step solution to resolve this common integration challenge, which stems from the Role-Based Access Control (RBAC) model enforced by modern NX-OS versions.

2.0 Root Cause Analysis

The core of this issue lies not in the authentication process but in the authorization model expected by the Nexus switch. While older Cisco IOS and some earlier NX-OS versions primarily relied on a simple privilege level model (e.g., priv-lvl=15), modern NX-OS has fully embraced a more granular and secure RBAC architecture.

In this RBAC model, a successful authentication is only the first step. For a user session to be established, the switch must be able to map the authenticated user to a defined role on the device. This role dictates the user’s permissions and capabilities. When the TACACS+ server authenticates a user and responds with a simple “PASS” without providing role information, the Nexus switch finds itself in a state of ambiguity. It knows the user’s credentials are valid, but it doesn’t know what permissions to grant them.

Because the switch cannot assign a valid role to the user’s session, it considers the authorization phase to have failed. From the end-user’s perspective, this authorization failure manifests as a generic “Login incorrect” message, which is misleading as it suggests a problem with the username or password. The debugs confirm this discrepancy: authentication passes, but the login session is ultimately terminated.

The solution, therefore, requires configuring the TACACS+ server to send specific Attribute-Value (AV) pairs that explicitly assign a recognized role to the user upon successful login.

3.0 Solution Implementation

The resolution involves two main components: verifying the Nexus switch configuration and, most critically, correctly configuring the user profile on the TACACS+ server.

Step 1: Verify Nexus Switch Configuration

First, ensure the Nexus switch has a standard and correct AAA configuration. While this part of the configuration was likely correct in the initial problem, it is crucial to establish it as a valid baseline.

  1. Enable the TACACS+ Feature:

    N9K-Switch(config)# feature tacacs+
    
  2. Define TACACS+ Server(s):
    Configure the IP address and the shared secret key for each TACACS+ server. Use a strong, complex key.

    N9K-Switch(config)# tacacs-server host 192.168.1.10 key 7 <your-encrypted-key>
    N9K-Switch(config)# tacacs-server host 192.168.1.11 key 7 <your-encrypted-key>
    
  3. Create an AAA Server Group:
    Group the servers for redundancy and simplified management.

    N9K-Switch(config)# aaa group server tacacs+ TAC_SERVERS
    N9K-Switch(config-tacacs+)# server 192.168.1.10
    N9K-Switch(config-tacacs+)# server 192.168.1.11
    N9K-Switch(config-tacacs+)# source-interface vlan10
    

    (Note: Specifying a source-interface is a best practice to ensure predictable source IP addressing for TACACS+ traffic).

  4. Apply AAA Methods:
    Configure the switch to use the TACACS+ group for authentication, authorization, and accounting, with local database fallback.

    N9K-Switch(config)# aaa authentication login default group TAC_SERVERS local
    N9K-Switch(config)# aaa authorization config-commands default group TAC_SERVERS local
    N9K-Switch(config)# aaa accounting default group TAC_SERVERS local
    

This switch-side configuration is standard. The key to solving the problem lies in the next step.

Step 2: Configure TACACS+ Server for RBAC

This step must be performed on your TACACS+ server platform (e.g., Cisco ISE, FreeRADIUS, tac_plus, etc.). The objective is to instruct the server to return a specific cisco-av-pair attribute that maps the user to a built-in or custom role on the Nexus switch.

The most common and powerful built-in role is network-admin, which is equivalent to privilege level 15.

Configuration Requirement:

On the TACACS+ server, within the user’s profile or the group policy they belong to, you must add the following service/attribute:

  • Attribute: cisco-av-pair
  • Value: shell:roles="network-admin"

Example (Conceptual):

  • In Cisco ISE: Navigate to the Policy Elements for TACACS+ Profiles. Create or edit a Shell Profile. Under the “Custom Attributes” tab, add a new attribute. Set the attribute to cisco-av-pair, and the value to shell:roles="network-admin". Assign this Shell Profile to your authorization policy rule.

  • In a tac_plus.conf file (for tac_plus): The syntax within a user or group definition would look like this. The inner quotes around the role name are escaped so that the switch receives exactly shell:roles="network-admin", the form shown above; quoting also allows several space-separated roles in one value.

    user = myadmin {
        ...
        # Authorization attributes returned for an exec (shell) session
        service = shell {
            set cisco-av-pair = "shell:roles=\"network-admin\""
        }
    }
    

Explanation of the AV-Pair:

  • cisco-av-pair: A standard mechanism for passing vendor-specific attributes.
  • shell:roles: This is the specific key that NX-OS listens for to receive role information.
  • "network-admin": This value assigns the user to the predefined network-admin role, granting them full administrative privileges on the switch. You can also use other predefined roles like network-operator for read-only access or custom-defined roles on the Nexus switch for more granular control.
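
The mapping described above can be checked offline. The following is an added example (not Cisco's or tac_plus's code) that models how NX-OS, as described in this document, turns the AV pairs of a TACACS+ authorization reply into a role assignment; the role set and the sample replies are constructed, and the parsing of shell:roles (with either `=` or the optional-attribute `*` separator, quoted or unquoted) follows the attribute format shown in Step 2.

```python
"""Model the NX-OS RBAC decision on TACACS+ AV pairs (added example, not Cisco code)."""
import re
from dataclasses import dataclass, field

# Constructed role set: built-in NX-OS roles plus one hypothetical custom role.
KNOWN_ROLES = {"network-admin", "network-operator", "vdc-admin", "vdc-operator", "custom-readonly"}

# TACACS+ marks mandatory attributes with '=' and optional ones with '*';
# both separators are accepted for shell:roles.
_ROLES_RE = re.compile(r'^shell:roles[=*](?P<val>.*)$')

@dataclass
class AuthzResult:
    roles: list = field(default_factory=list)
    login_allowed: bool = False
    reason: str = ""

def parse_roles(av_pairs):
    """Extract role names from shell:roles AV pairs, stripping surrounding quotes."""
    roles = []
    for av in av_pairs:
        m = _ROLES_RE.match(av.strip())
        if not m:
            continue  # priv-lvl and other attributes carry no role information
        roles.extend(m.group("val").strip().strip('"').split())
    return roles

def evaluate_authorization(av_pairs, known_roles=KNOWN_ROLES):
    """Decide whether a session can be established, as the document describes NX-OS doing."""
    roles = parse_roles(av_pairs)
    if not roles:
        return AuthzResult([], False,
            "authentication PASS but no shell:roles attribute: no role can be mapped, "
            "user sees 'Login incorrect'")
    unknown = sorted(r for r in roles if r not in known_roles)
    if unknown:
        return AuthzResult(roles, False, f"role(s) not defined on the switch: {unknown}")
    return AuthzResult(roles, True, "role mapping succeeded")

# Constructed sample replies: the failing priv-lvl-only case and three working forms.
SAMPLE_REPLIES = {
    "legacy-priv-lvl": ["priv-lvl=15"],
    "ise-shell-profile": ['shell:roles="network-admin"'],
    "optional-attribute": ['shell:roles*"network-operator"'],
    "multi-role": ['shell:roles="network-admin vdc-admin"'],
}

if __name__ == "__main__":
    for name, reply in SAMPLE_REPLIES.items():
        r = evaluate_authorization(reply)
        print(f"{name:20} allowed={r.login_allowed!s:5} roles={r.roles} ({r.reason})")
```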

Step 3: Verification

After applying the configuration changes on the TACACS+ server, you can verify the solution:

  1. Attempt Login: Initiate an SSH or console session to the Nexus switch using the TACACS+ user credentials. The login should now succeed.

  2. Check User Account Details: Once logged in, execute the show user-account command. The output will now display the user, their session details, and, most importantly, the role assigned to them via TACACS+.

    N9K-Switch# show user-account myadmin
    user: myadmin
    this user account is authenticated through tacacs+
    roles: network-admin
    ...
    

    The presence of roles: network-admin confirms that the authorization was successful and the RBAC mapping is working correctly.

4.0 Conclusion

The “Login incorrect” error on modern Nexus 9000 switches, despite successful TACACS+ authentication checks, is a direct result of the platform’s strict adherence to its RBAC security model. A successful login requires both valid credentials (authentication) and a clear assignment of permissions via a recognized role (authorization). By configuring the TACACS+ server to return the cisco-av-pair attribute shell:roles="<role_name>", administrators provide the necessary authorization context for NX-OS to establish a user session, thereby resolving the login failure. This configuration is mandatory for seamless TACACS+ integration with current and future NX-OS releases.
