08-12-2010 10:15 AM - edited 03-10-2019 05:19 PM
I've configured 10 layer 2 switches (C3750-ADVIPSERVICESK9-M, Version 12.2(40)SE) to use TACACS+. They're all using the same key, and are working fine. I moved onto another 3750 switch located across a point-to-point circuit, a Cisco C3750 Software (C3750-IPBASEK9-M), Version 12.2(35)SE5. I entered the usual configuration, and then entered the key, and tried logging in as a user, and get authentication failed. I checked the server, and see Key mismatch in the Reports and Activity, Failed Attempts. I deleted the key, copied and pasted it from notepad, still doesn't work. Deleted the switch from the Network Device Group in ACS, and then re-added it, pasted a new key, with no special characters. No go.
Here's what the config looks like.
aaa new-model
!
!
aaa authentication login default group tacacs+ enable
aaa authentication login NO_AAA local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
ip tacacs source-interface FastEthernet0/0
tacacs-server host 10.1.1.1
tacacs-server key 0 itspassword
tacacs-server directed-request
Initially, the password was encrypted, so I changed it to clear text, by typing in the password without the 0, and with the 0. Neither worked. Also removed service password-encryption to see if that would do anything.
I usually SSH to the router, so I changed it to accept telnet. That didn't work. Changed it back to SSH, re-initialized the RSA keys, and changed it to use SSH2; that didn't work.
Here's what I get from the logs
Aug 12 11:43:24: TAC+: send AUTHEN/START packet ver=192 id=97563278
Aug 12 11:43:24: TAC+: Using default tacacs server-group "tacacs+" list.
Aug 12 11:43:24: TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
Aug 12 11:43:24: TAC+: Opened TCP/IP handle 0x3663CA0 to 10.219.1.1/49 using source 10.2.2.254
Aug 12 11:43:24: TAC+: 10.1.1.1 (97563278) AUTHEN/START/LOGIN/ASCII queued
Aug 12 11:43:25: TAC+: (97563278) AUTHEN/START/LOGIN/ASCII processed
Aug 12 11:43:25: TAC+: received bad AUTHEN packet: length = 6, expected 80467
Aug 12 11:43:25: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
Aug 12 11:43:25: TAC+: Closing TCP/IP 0x3663CA0 connection to 10.1.1.1/49
Aug 12 11:43:25: TAC+: Using default tacacs server-group "tacacs+" list.
Aug 12 11:43:37: TAC+: send AUTHEN/START packet ver=192 id=1015854339
Aug 12 11:43:37: TAC+: Using default tacacs server-group "tacacs+" list.
Aug 12 11:43:37: TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
Aug 12 11:43:37: TAC+: Opened TCP/IP handle 0x366AF24 to 10.1.1.1/49 using source 10.2.2.254
Aug 12 11:43:37: TAC+: 10.1.1.1 (1015854339) AUTHEN/START/LOGIN/ASCII queued
Aug 12 11:43:38: TAC+: (1015854339) AUTHEN/START/LOGIN/ASCII processed
Aug 12 11:43:38: TAC+: received bad AUTHEN packet: length = 6, expected 79092
Aug 12 11:43:38: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
Aug 12 11:43:38: TAC+: Closing TCP/IP 0x366AF24 connection to 10.1.1.1/49
Aug 12 11:43:38: TAC+: Using default tacacs server-group "tacacs+" list.
I looked around on the forum for about 4 hours, trying all the other options that were given to others that had a similar issue. The last key I put in was 123456. You can't fat finger that one. The switch log is saying check the key, and the firewall is configured to allow all traffic from the AAA client.
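The "received bad AUTHEN packet: length = 6, expected 80467 ... (check keys)" lines in the log above are the switch decoding the server's REPLY with its own shared secret and then checking whether the length fields inside the body add up to the length in the packet header. The following Python model of the RFC 8907 body obfuscation is an added example written for this thread (it is not Cisco IOS or ACS code) and shows why a key mismatch produces exactly that kind of implausible "expected" value: with the wrong key the XOR pseudo-pad turns the two 16-bit length fields into random bytes. The keys, the reply contents and the `demo()` helper are constructed; the session id is borrowed from the log only for flavour.

```python
"""Model of TACACS+ body obfuscation (RFC 8907 section 4.5) and of the
REPLY length sanity check that yields "check keys" when the secret is wrong.
Example code for illustration only, not Cisco IOS or ACS code."""
import hashlib
import struct

TAC_PLUS_MAJOR_VER = 0xC                 # IOS prints version 0xC0 as ver=192
TAC_PLUS_AUTHEN = 0x01                   # packet type: authentication
TAC_PLUS_AUTHEN_STATUS_ERROR = 0x07      # server-side error reply (RFC 8907)
HEADER_FMT = "!BBBBII"                   # version, type, seq_no, flags, session_id, length
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 12 bytes


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Chained MD5 key stream from RFC 8907 4.5, truncated to `length` bytes.
    MD5_1 = MD5(session_id, key, version, seq_no); MD5_n = MD5(..., MD5_n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pseudo-pad; XOR is its own inverse, so this encodes and decodes."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_reply(status: int, server_msg: bytes, data: bytes) -> bytes:
    """AUTHEN REPLY body: status(1) flags(1) server_msg_len(2) data_len(2) + payloads."""
    return struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data


def build_packet(body: bytes, session_id: int, key: bytes, seq_no: int) -> bytes:
    """Prepend the 12-byte header and obfuscate the body with `key`."""
    version = (TAC_PLUS_MAJOR_VER << 4) | 0
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def check_authen_reply(packet: bytes, key: bytes):
    """Decode a REPLY with `key` and apply the same sanity check the switch logs.

    Returns (ok, header_length, expected_length). With the right key the
    expected length (6 + server_msg_len + data_len) equals the header length;
    with the wrong key the decoded length fields are random and the expected
    value is some implausible number, which is the "expected 80467" symptom."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack(
        HEADER_FMT, packet[:HEADER_LEN])
    body = obfuscate(packet[HEADER_LEN:], session_id, key, version, seq_no)
    if len(body) < 6:
        return False, length, 6
    _status, _flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    expected = 6 + msg_len + data_len
    return expected == length, length, expected


def demo():
    """Constructed sample: a 6-byte ERROR reply the server obfuscated with
    'itspassword'; the switch tries 'itspassword' and then the wrong '123456'."""
    session_id = 97563278  # id value taken from the switch log, for flavour only
    reply = build_authen_reply(TAC_PLUS_AUTHEN_STATUS_ERROR, b"", b"")
    pkt = build_packet(reply, session_id, b"itspassword", seq_no=2)
    return check_authen_reply(pkt, b"itspassword"), check_authen_reply(pkt, b"123456")


if __name__ == "__main__":
    good, bad = demo()
    print("right key:", good)   # (True, 6, 6)
    print("wrong key:", bad)    # (False, 6, <garbage larger than 6>)
```

The useful takeaway for troubleshooting is that this check only tells you the two ends disagree on the secret, not which end has the wrong one; ACS logs the same kind of failure as "Key mismatch" when it runs the equivalent check on the switch's START packet, so both sides' keys (including any group-level key that applies to the device) need to be compared.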
08-17-2010 06:52 AM
Hi mg green2003,
The group key (of the NDG your switch belongs to) overrides the device key. Did you check that one?
greetz,
Julia
08-18-2010 08:25 AM
Julia,
Thanks for your attention to detail. I breezed through all the layer 2 devices so fast that I had forgotten that there were 2 keys, one for the NDG, and one for the device. I changed both, and I was able to login. Thanks so much. I feel my migraine going away!
08-19-2010 02:14 AM
I'm glad it did help.
08-18-2010 01:12 AM
Dear mg green2003
Try to add the key to the switch and the ACS again with making sure you don't have a space at the end of the key.
Thanks,
08-18-2010 08:10 AM
Yeah, I've done that in the past, with the extra spaces. I made sure to carefully type in the password. The last key I used was 123456. No extra spaces at all.