AAA auth with Cisco GSS

Oct 30th, 2007

Hi all

We are having problems with a GSS box here (ver 1.3) which we are trying to auth against ACS 4.1.

Have configured the following on the GSS:

tacacs-server timeout 5

tacacs-server host xx.xx.xx.xx port 49 key blahblah

aaa authentication ssh local

Configured ACS with all the same parameters, using tac+.

Now, using a known working account in ACS (working against multiple other devices), I cannot log into the GSS box. ACS reports "ACS password invalid" when we know it isn't.

Have tcpdump'd the GSS; the TCP keepalives with ACS are good and report the box as alive.

Any ideas???

didyap Mon, 11/05/2007 - 09:52

Does this happen with all the usernames or with a single one? If this happens with a single one, then probably the same username is configured with two passwords. Use a different username/password combination to check this. If this happens with all usernames, then reinstall ACS and try again.

james.robertson... Mon, 11/05/2007 - 14:43

Yes, this happens with all usernames, both ACS internal and external DB accounts for the GSS.

This error is for the GSS only and the myriad of other devices work OK, so a reinstall isn't going to fix this.


lanstreamer Mon, 11/19/2007 - 01:20

Hi - I've just been testing this myself with GSS versions 2.0(2) and 1.3(2).

1.3(2) just doesn't work! I've enabled 'full' service logging on the ACS side and examined the resulting tcs.log. When 1.3(2) tries to authenticate, it seems to be padding the password. I get messages like USER_MSG_LEN=d (0xd), USER_DATA_LEN=13 (0x0) FLAGS=0x0.

However, when I log in through a working TACACS client, the USER_DATA_LEN field has a length equal to the actual password length.

Hope this helps!

Testing on 2.0(2) gets past the initial authentication but I can't manage to get authorized properly yet.

I'm getting:

Authorization failed. Admin privilege required.

I've got priv-lvl set to 15 already so I don't see what the problem might be.
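To make the ACS debug fields quoted above concrete, here is an added Python example (not from the thread, Cisco ACS or the GSS) that builds a TACACS+ authentication CONTINUE packet per RFC 8907, obfuscates the body with the MD5 pseudo-pad and a shared key, and parses it back into the USER_MSG_LEN / DATA_LEN / FLAGS values a TACACS+ server logs, reporting trailing NUL padding of the kind the post suspects. The key, session id and passwords are constructed sample values.

```python
import hashlib
import struct

# TACACS+ constants from RFC 8907; the key and session id used with these are constructed samples.
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_AUTHEN = 0x01
HEADER = "!BBBBII"          # version, type, seq_no, flags, session_id, length
CONTINUE_HDR = "!HHB"       # user_msg_len, data_len, flags

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 s4.5 MD5 pseudo-pad: each block chains the previous digest."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call also de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))

def build_continue(password, session_id, key, seq_no=3):
    """Client side: authentication CONTINUE carrying the password in user_msg."""
    user_msg = password.encode()
    body = struct.pack(CONTINUE_HDR, len(user_msg), 0, 0) + user_msg
    version = TAC_PLUS_MAJOR_VER << 4            # minor version 0
    header = struct.pack(HEADER, version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)

def parse_continue(packet, key):
    """Server side: recover the fields a TACACS+ debug log prints for a CONTINUE."""
    version, _ptype, seq_no, _hflags, session_id, length = struct.unpack(HEADER, packet[:12])
    body = obfuscate(packet[12:12 + length], session_id, key, version, seq_no)
    user_msg_len, data_len, flags = struct.unpack(CONTINUE_HDR, body[:5])
    user_msg = body[5:5 + user_msg_len]
    # A client that pads the credential declares a user_msg_len longer than the
    # password itself, typically with trailing NUL bytes; report how many.
    stripped = user_msg.rstrip(b"\x00")
    return {
        "user_msg_len": user_msg_len,
        "data_len": data_len,
        "flags": flags,
        "password": stripped.decode("utf-8", "replace"),
        "padding": len(user_msg) - len(stripped),
        "consistent": 5 + user_msg_len + data_len == length,
    }
```

A clean client yields user_msg_len equal to the password length, while a 6-byte password NUL-padded to 13 bytes shows up as user_msg_len 0xd with 7 bytes of padding, which is the kind of mismatch the post's log line points at.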

