ACE ACS TACACS+ Key Mismatch issue

Unanswered Question
Sep 14th, 2009


I have an issue when trying to set up ACE modules for TACACS+ and AAA authentication, whereby the Failed Authentication reports state the reason as "Key Mismatch".

We have confirmed that the key we are using is the same on the ACE and on the ACS.

The question I have is as follows:

Should the key we enter on the ACE remain as we have typed it? So if we enter mysharedkey as the key, should this show as such in the running config, or should it show as encrypted? Currently it shows in the running config as we have entered it, but just adds the 7 before the key and places the key in inverted commas.

So the config entered is something like this:

tacacs-server host key mysharedkey
aaa group server tacacs+ acs_pri
aaa authentication login default group acs_pri local none

BTW, we are running version 2.1.4(a).

Thanks for any assistance with this.


huangedmc Tue, 09/15/2009 - 21:05

If you're doing SSH2, can you try the plain old telnet and see if it works?

Also make sure you have "ssh key rsa 1024 force" if doing SSH2.

We had a very similar problem that was caused by an SSH/AAA bug w/ the ACE code. (Don't have the bug ID handy, sorry.)

What's strange is it doesn't work w/ SecureCRT, but works w/ Putty for SSH2, and works w/ all programs for telnet.

Lastly, show run shouldn't reveal the actual TACACS key, but something encrypted.

Paul Pinto Tue, 09/15/2009 - 22:24

Hi Kevin,

Thanks for the reply. I can confirm we have the "ssh key rsa 1024 force". I even tried removing and re-issuing the command.

On the point of the show run revealing something encrypted instead of the actual TACACS key, this is not what we see; we see the actual key we entered.

This is my concern.

We managed to get this working by checking on the production ACE modules and production ACS: using the "encrypted" key we see in that "show run" and locating the key in the production ACS config (which was not under the ACE NDG, but under the ACS server's own config, where it also looks like something encrypted), and using this in the NDG config as the key for our ACE NDG on the test ACS.

The problem arises that every six months or so, as a security requirement, the keys change, and how will we then know what to apply on the ACE if it does not apply the encryption to the key we enter itself?

See my problem...

Thanks again for the assistance and any further guidance would be appreciated.


ciscocsoc Wed, 09/16/2009 - 04:29

Hi Paul,

What happens if you explicitly force the use of a plaintext key when configuring the ACE? If you use a command of the form:

tacacs-server host x.x.x.x key 0 mysharedkey

it should be taken and then displayed in the running configuration.

e.g. tacacs-server host key 0 wibble

tacacs-server host key 7 "zefgde"


Kind Regards
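To make the three forms of the ACE key line discussed in this thread easy to spot in a saved running config, here is a small audit script. It is an added example, not code from the thread or from Cisco; the sample config below is constructed, and the host address 192.0.2.10 is a placeholder.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Matches the ACE form discussed in the thread:
#   tacacs-server host <ip> key [0|7] <key>
# Host and the encryption-type digit are optional so that the ambiguous
# "key mysharedkey" line from the original question is also recognised.
_KEY_LINE = re.compile(
    r'^\s*tacacs-server\s+host(?:\s+(?P<host>\S+))?\s+key'
    r'(?:\s+(?P<type>[07]))?\s+(?P<key>"[^"]*"|\S+)\s*$'
)

@dataclass
class TacacsKey:
    host: Optional[str]
    enc_type: Optional[int]   # 0 = plaintext, 7 = type-7 obfuscated, None = omitted
    key: str                  # key text with surrounding quotes removed
    finding: str

def classify(line: str) -> Optional[TacacsKey]:
    """Classify one config line; returns None if it is not a TACACS key line."""
    m = _KEY_LINE.match(line)
    if not m:
        return None
    enc = int(m["type"]) if m["type"] else None
    key = m["key"].strip('"')
    if enc is None:
        finding = "AMBIGUOUS: no encryption type given; verify how the device stored it"
    elif enc == 0:
        finding = "PLAINTEXT: entered as key 0; show run should render it as key 7"
    else:
        finding = "TYPE7: reversible obfuscation, not encryption; treat show run as sensitive"
    return TacacsKey(m["host"], enc, key, finding)

def audit(config_text: str) -> List[TacacsKey]:
    """Run classify() over a whole config and return only the key lines found."""
    return [k for k in (classify(l) for l in config_text.splitlines()) if k]

# Constructed sample: the three forms that appear in the thread.
SAMPLE_CONFIG = """\
tacacs-server host key mysharedkey
tacacs-server host 192.0.2.10 key 0 wibble
tacacs-server host 192.0.2.10 key 7 "zefgde"
aaa group server tacacs+ acs_pri
aaa authentication login default group acs_pri local none
"""

if __name__ == "__main__":
    for k in audit(SAMPLE_CONFIG):
        print(f"{k.host or '-':<12} type={k.enc_type} key={k.key!r}  {k.finding}")
```

The AMBIGUOUS finding is the case from the original question: the line was accepted without 0 or 7, so the only way to know what the module actually stored is to compare show run against the key configured on the ACS.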


Paul Pinto Wed, 09/16/2009 - 04:38

Hi Cathy,

Thanks for the response.

So, if you don't explicitly specify the plaintext option for the key, it "gets confused" and doesn't encrypt?

Will try, though I believe we did (tried so many things), and will feed back.

Thanks again.
