AAA on ASA 8.2(1) issue

Answered Question
Sep 29th, 2009

I'm trying to set up AAA on a new ASA running 8.2(1) and I can't get the ACS (4.2(0) Build 124 Patch 6) and ASA keys to agree for TACACS+. I've done this before on a bunch of systems and it's always been a typo, but I've set both ends to a key of 'a' and it still doesn't work. I get this in the ASA logs:

4 Sep 29 2009 22:03:48 109027 [ TACACS ] Unable to decypher response message Server = x.y.z.a, User = blah

3 Sep 29 2009 22:03:48 109026 [ TACACS ] Invalid reply digest received; shared server key may be mismatched.


and on the ACS box I get:

09/29/2009 22:03:48 Authen failed .. default .. Key Mismatch .. .. .. b.c.d.e


The settings on both sides match up to what other working ASAs have. Is there something in 8.2(1) that changes something?


Thanks

Correct Answer by Jatin Katyal (Cisco Employee), Wed, 09/30/2009 - 05:23

Hi,


As you are sure that the key is correct on both sides, I would like you to check this:


On the ACS > Go to Network Configuration > Select the Network Device Group (NDG) under which we have ASA added as AAA client.


Once we are in the Network Device Group, take a look at the bottom of the page; you'll see an option which says "Edit Properties". Click on that button.


Then make sure that we don't have anything configured for "Shared Secret". If we have something, remove it and make this field blank, and then press "Submit".


Then try to authenticate.


Any key defined in the above section overrides the key defined on a per-device basis.


For more detail, please refer to:


http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/netcfg.htm#wp342738


HTH


JK
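To show why a key mismatch produces an undecipherable reply rather than a clean "wrong password", here is an added example (not from the post or from Cisco) that implements the TACACS+ body obfuscation from RFC 8907 and models the ACS precedence the answer describes. The session id, the reply text and the field sanity checks are constructed for illustration; the ASA's own validation logic behind messages 109026/109027 is not reproduced.

```python
import hashlib
import struct

# RFC 8907 authentication REPLY status codes
AUTHEN_STATUS = {0x01: "PASS", 0x02: "FAIL", 0x03: "GETDATA", 0x04: "GETUSER",
                 0x05: "GETPASS", 0x06: "RESTART", 0x07: "ERROR", 0x21: "FOLLOW"}
VERSION = 0xC0  # major version 0xC, minor version 0


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Chained-MD5 pad from RFC 8907 s.4.5: MD5(session_id|key|version|seq_no[|prev_md5])."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """XOR the body with the pad; calling it again with the same key de-obfuscates."""
    pad = pseudo_pad(session_id, key, VERSION, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_reply(status: int, server_msg: bytes) -> bytes:
    # status(1) flags(1) server_msg_len(2) data_len(2) server_msg
    return struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg


def parse_authen_reply(body: bytes):
    """Return (status_name, server_msg), or None when the fields are not self-consistent."""
    if len(body) < 6:
        return None
    status, _flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if status not in AUTHEN_STATUS or 6 + msg_len + data_len != len(body):
        return None
    return AUTHEN_STATUS[status], body[6:6 + msg_len]


def acs_effective_key(ndg_shared_secret: bytes, device_key: bytes) -> bytes:
    """Precedence described in the answer (assumed model): a non-empty NDG shared secret wins."""
    return ndg_shared_secret if ndg_shared_secret else device_key


def exchange(server_key: bytes, client_key: bytes, session_id: int = 0x1234ABCD):
    """Server obfuscates a PASS reply with its key; the client decodes it with its own key."""
    wire = obfuscate(build_authen_reply(0x01, b"Authentication successful"), session_id, server_key, 2)
    return parse_authen_reply(obfuscate(wire, session_id, client_key, 2))


if __name__ == "__main__":
    print(exchange(acs_effective_key(b"", b"a"), b"a"))     # ('PASS', b'Authentication successful')
    print(exchange(acs_effective_key(b"old", b"a"), b"a"))  # None: stale NDG secret, undecipherable reply
```

With a blank NDG shared secret the per-device key 'a' is used on both ends and the reply parses; with a leftover NDG secret the client decodes garbage, which is the situation the ASA reports as a key mismatch.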
