ACS 4.2 TACACS+ Authen failed. Key Mismatch

Answered Question
Aug 12th, 2010
User Badges:

I've configured 10 layer 2 switches(C3750-ADVIPSERVICESK9-M), Version 12.2(40)SE), to use TACACS+. They're all using the same key, and are working fine.  I moved onto another 3750 switch located across a point-to-point circuit, a Cisco C3750 Software (C3750-IPBASEK9-M), Version 12.2(35)SE5. I entered the usual configuration, and then entered the key, and tried logging in as a  user, and get authentication failed. I checked the server, and see Key mismatch in the Reports and Activity, Failed Attempts.  I deleted the key, copied and pasted it from notepad, still doesn't work.  Deleted the switch from the Network Device Group in ACS, and then re-added it, pasted a new key, with no special characters. No go.

Here's what the config looks like.

aaa new-model
!
!
aaa authentication login default group tacacs+ enable
aaa authentication login NO_AAA local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated

ip tacacs source-interface FastEthernet0/0

tacacs-server host 10.1.1.1
tacacs-server key 0 itspassword
tacacs-server directed-request


Initially, the password was encrypted, so I changed it to clear text, by typing in the password without the 0, and with the 0.  Neither worked.  Also removed service password-encryption to see  if that would do anything.


I usually SSH to the router, so I changed it to accept telent.  That didn't work.  Changed it back to SSH, re-initialized the rsa keys, and changed it to use SSH2, that didn't work.

Here's  what I get from the logs


Aug 12 11:43:24: TAC+: send AUTHEN/START packet ver=192 id=97563278
Aug 12 11:43:24: TAC+: Using default tacacs server-group "tacacs+" list.
Aug 12 11:43:24: TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
Aug 12 11:43:24: TAC+: Opened TCP/IP handle 0x3663CA0 to 10.219.1.1/49 using source 10.2.2.254
Aug 12 11:43:24: TAC+: 10.1.1.1 (97563278) AUTHEN/START/LOGIN/ASCII queued
Aug 12 11:43:25: TAC+: (97563278) AUTHEN/START/LOGIN/ASCII processed
Aug 12 11:43:25: TAC+: received bad AUTHEN packet: length = 6, expected 80467
Aug 12 11:43:25: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
Aug 12 11:43:25: TAC+: Closing TCP/IP 0x3663CA0 connection to 10.1.1.1/49
Aug 12 11:43:25: TAC+: Using default tacacs server-group "tacacs+" list.
Aug 12 11:43:37: TAC+: send AUTHEN/START packet ver=192 id=1015854339
Aug 12 11:43:37: TAC+: Using default tacacs server-group "tacacs+" list.
Aug 12 11:43:37: TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
Aug 12 11:43:37: TAC+: Opened TCP/IP handle 0x366AF24 to 10.1.1.1/49 using source 10.2.2.254
Aug 12 11:43:37: TAC+: 10.1.1.1 (1015854339) AUTHEN/START/LOGIN/ASCII queued
Aug 12 11:43:38: TAC+: (1015854339) AUTHEN/START/LOGIN/ASCII processed
Aug 12 11:43:38: TAC+: received bad AUTHEN packet: length = 6, expected 79092
Aug 12 11:43:38: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
Aug 12 11:43:38: TAC+: Closing TCP/IP 0x366AF24 connection to 10.1.1.1/49
Aug 12 11:43:38: TAC+: Using default tacacs server-group "tacacs+" list.



I looked around on the forum for about 4 hours, trying all the other options that were given to others that had similar issue.  The last key I put in was 123456.  You can't fat finger that one.  The switch log is saying check the key, the firewall is configured to allow all traffic from the AAA client.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
mg_green2003 Wed, 08/18/2010 - 08:25
User Badges:

Julia,

Thanks for you attention to detail.  I breezed through all the layer 2 devices so fast, that I had forgot that there were 2 keys, one for the NDG, and one for the device.  I changed both, and I was able to login.  Thanks so much.  I feel my migrane going away!

Ahmad Samir Wed, 08/18/2010 - 01:12
User Badges:

Dear mg green2003


Try to add the key to the switch and the ACS again with making sure you don't have a space at the end of the key.


Thanks,

mg_green2003 Wed, 08/18/2010 - 08:10
User Badges:

Yeah, I've done that in the past, with the extra spaces.  I made sure to carefully type in the

password.  The last key I used was 123456.  No extra spaces at all.

Actions

This Discussion