ACS 4.2 TACACS+ Authen failed. Key Mismatch

mg_green2003
Level 1

I've configured 10 layer 2 switches (C3750-ADVIPSERVICESK9-M, Version 12.2(40)SE) to use TACACS+. They're all using the same key, and are working fine. I moved on to another 3750 switch located across a point-to-point circuit, a Cisco C3750 Software (C3750-IPBASEK9-M), Version 12.2(35)SE5. I entered the usual configuration, then entered the key, tried logging in as a user, and got authentication failed. I checked the server, and see Key mismatch in the Reports and Activity, Failed Attempts. I deleted the key and copied and pasted it from Notepad; it still doesn't work. Deleted the switch from the Network Device Group in ACS, then re-added it and pasted a new key with no special characters. No go.

Here's what the config looks like.

aaa new-model
!
!
aaa authentication login default group tacacs+ enable
aaa authentication login NO_AAA local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated

ip tacacs source-interface FastEthernet0/0

tacacs-server host 10.1.1.1
tacacs-server key 0 itspassword
tacacs-server directed-request


Initially, the password was encrypted, so I changed it to clear text by typing in the password without the 0, and with the 0. Neither worked. Also removed service password-encryption to see if that would do anything.


I usually SSH to the router, so I changed it to accept telnet. That didn't work. Changed it back to SSH, re-initialized the RSA keys, and changed it to use SSH2; that didn't work.

Here's what I get from the logs:


Aug 12 11:43:24: TAC+: send AUTHEN/START packet ver=192 id=97563278
Aug 12 11:43:24: TAC+: Using default tacacs server-group "tacacs+" list.
Aug 12 11:43:24: TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
Aug 12 11:43:24: TAC+: Opened TCP/IP handle 0x3663CA0 to 10.219.1.1/49 using source 10.2.2.254
Aug 12 11:43:24: TAC+: 10.1.1.1 (97563278) AUTHEN/START/LOGIN/ASCII queued
Aug 12 11:43:25: TAC+: (97563278) AUTHEN/START/LOGIN/ASCII processed
Aug 12 11:43:25: TAC+: received bad AUTHEN packet: length = 6, expected 80467
Aug 12 11:43:25: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
Aug 12 11:43:25: TAC+: Closing TCP/IP 0x3663CA0 connection to 10.1.1.1/49
Aug 12 11:43:25: TAC+: Using default tacacs server-group "tacacs+" list.
Aug 12 11:43:37: TAC+: send AUTHEN/START packet ver=192 id=1015854339
Aug 12 11:43:37: TAC+: Using default tacacs server-group "tacacs+" list.
Aug 12 11:43:37: TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
Aug 12 11:43:37: TAC+: Opened TCP/IP handle 0x366AF24 to 10.1.1.1/49 using source 10.2.2.254
Aug 12 11:43:37: TAC+: 10.1.1.1 (1015854339) AUTHEN/START/LOGIN/ASCII queued
Aug 12 11:43:38: TAC+: (1015854339) AUTHEN/START/LOGIN/ASCII processed
Aug 12 11:43:38: TAC+: received bad AUTHEN packet: length = 6, expected 79092
Aug 12 11:43:38: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
Aug 12 11:43:38: TAC+: Closing TCP/IP 0x366AF24 connection to 10.1.1.1/49
Aug 12 11:43:38: TAC+: Using default tacacs server-group "tacacs+" list.

I looked around on the forum for about 4 hours, trying all the other options that were given to others who had similar issues. The last key I put in was 123456. You can't fat-finger that one. The switch log is saying check the key; the firewall is configured to allow all traffic from the AAA client.
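The "received bad AUTHEN packet ... (check keys)" lines above are the device noticing that the server's reply body, once de-obfuscated with its own key, carries length fields that don't add up to the header length. This added example (not from the thread or from Cisco) reproduces that check with the RFC 8907 body obfuscation; the session id, key and version come from the post, the reply text and sequence number are constructed.

```python
import hashlib
import struct

TAC_PLUS_AUTHEN = 0x01                 # packet type: authentication
TAC_PLUS_AUTHEN_STATUS_GETUSER = 0x04  # server asks the client for a username

def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 s4.5: MD5_1 = MD5(session_id|key|version|seq_no),
    MD5_n = MD5(session_id|key|version|seq_no|MD5_n-1), truncated to body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, last = b"", b""
    while len(pad) < length:
        last = hashlib.md5(prefix + last).digest()
        pad += last
    return pad[:length]

def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    # XOR with the pad; the same call also de-obfuscates.
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_reply(session_id, key, version, seq_no, status, server_msg, data=b""):
    """Server-side AUTHEN REPLY: status, flags, server_msg_len, data_len, then the strings."""
    body = struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)

def check_reply(packet: bytes, key: bytes):
    """Client-side check behind the IOS 'received bad AUTHEN packet: length = X, expected Y' log.
    Returns (ok, expected_length)."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = obfuscate(packet[12:], session_id, key, version, seq_no)
    if len(body) < 6:
        return False, 6
    status, rflags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    expected = 6 + msg_len + data_len
    # With the wrong key, msg_len/data_len are pseudo-random garbage and the sum
    # almost never matches the cleartext header length -> "check keys".
    return expected == length, expected

def demo():
    # ver=192 (0xC0) and id=97563278 are from the posted log; key from the posted config.
    pkt = build_reply(97563278, b"itspassword", 0xC0, 2, TAC_PLUS_AUTHEN_STATUS_GETUSER, b"Username: ")
    return check_reply(pkt, b"itspassword"), check_reply(pkt, b"123456")

if __name__ == "__main__":
    print(demo())  # matching key -> (True, 16); mismatched key -> (False, garbage)
```

The header itself is never obfuscated, so a key mismatch is only detectable by this body-consistency check, which is why the device can say nothing more specific than "check keys".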

Accepted Solution

j.kokorina
Level 1

Hi mg green2003,

The group key (of the NDG your switch belongs to) overrides the device key. Did you check that one?

greetz,

Julia


5 Replies

Julia,

Thanks for your attention to detail. I breezed through all the layer 2 devices so fast that I had forgotten there were 2 keys, one for the NDG and one for the device. I changed both, and I was able to log in. Thanks so much. I feel my migraine going away!

I'm glad it did help.

Ahmad Samir
Level 1

Dear mg green2003,

Try adding the key to the switch and the ACS again, making sure you don't have a space at the end of the key.

Thanks,

Yeah, I've done that in the past, with the extra spaces. I made sure to carefully type in the password. The last key I used was 123456. No extra spaces at all.
