ANM 4.1 & TACACS+

Unanswered Question
Sep 29th, 2010

Hi All,

I've just put ANM4.1 into the environment here.

I'm trying to get the ANM to authenticate users via ACS. So far no luck.

I've followed the instructions in this document to the letter (http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/application_networking_manager/4.1/user/guide/UG_admin.html#wpmkr1276820)

In short, I have done the following on the ANM:

-     created an organisation with TACACS+ as the authentication method

-     created a domain which contains the failover pair of contexts I'm interested in

-     created a role (very similar to the Server-AppIn-Maintenance role)

-     created a user and assigned that user to the new role and the new domain

On the ACS box:

-     created a network group

-     created a username (the same user that I created on the ANM)

When logging into the ANM with that user I'm getting the 'Invalid username or password. Please try again.' message. On closer inspection of the ACS logs I am getting key mismatches:

29/09/2010 17:20:31 Authen failed .. Default Group .. (Default) Key Mismatch

I know for a fact that the keys are the same. Just to be sure, though, I changed them both (the one on the ACS and the one on the ANM) to the digit 1; still no go, I'm getting the same Key Mismatch failed login on the ACS box.

Has anyone come across this yet by any chance? All of my searching around the Net has only produced a few things that tell me to ensure the keys are the same, which they are. I can only assume something is corrupting the key somewhere on the ANM.

The ANM is running on a 32-bit RHEL server as a VM in an ESX environment.

Thanks for any help.

Brad

fadlouni Thu, 10/14/2010 - 12:58

Hi Brad.

Make sure you are using an ACS-supported browser when configuring the key on ACS; I've seen unsupported browsers submit junk as the password into ACS before.

To verify whether the TACACS+ key is really corrupted by ANM, get a packet capture of the TACACS+ packets. Then, using Wireshark, you can decrypt the TACACS+ packets after providing it with the TACACS+ pre-shared key in Preferences -> Protocols -> TACACS+. If the decryption of the TACACS+ request succeeds and you see the TACACS+ attributes, then verify that the user password attribute is correct; then you know the pre-shared key and user password are correct and matching. Otherwise the ANM is not encrypting properly.

Regards,

Fadi.
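The check Fadi describes is worth understanding at the protocol level, because it explains why ACS can only ever report "Key Mismatch" for this failure. TACACS+ carries no MAC: the body is XORed with an MD5 pseudo-pad derived from the session ID, the shared key, the version and the sequence number, so a server given the wrong key gets a body whose length fields and enumerated values do not add up, and that is the only evidence of a mismatch it has. The following is an added example, not code from this thread, from Cisco or from Wireshark; it builds a constructed PAP authentication START packet obfuscated with the key `1` from Brad's test, then decodes it the way Wireshark does once you give it a candidate key. With the right key the user and password fields come out cleanly; with any other key the parse fails, which is the on-wire picture behind the ACS log line. The session ID, username and password are constructed for the example.

```python
"""Decode a captured TACACS+ authentication START with a candidate shared key.

Added example (not from the thread, Cisco, or Wireshark). The packet is built
here from constructed values so the script runs offline; on a real capture you
would feed decode_capture() the TCP payload of the first client-to-server packet.
"""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01   # header flag: body sent in the clear
TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_AUTHEN_TYPE_PAP = 0x02    # START authen_type: password rides in "data"
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01   # START service

# 12-byte header: version, type, seq_no, flags, session_id (4 bytes), body length
HEADER = struct.Struct("!BBBB4sI")


def pseudo_pad(session_id: bytes, key: bytes, version: int, seq_no: int, n: int) -> bytes:
    """MD5 chain from RFC 8907 section 4.5: each block is MD5(session_id|key|ver|seq|prev)."""
    pad, prev = b"", b""
    while len(pad) < n:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:n]


def xor_body(body: bytes, session_id: bytes, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscation is a plain XOR with the pad, so one call both encrypts and decrypts."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: str, password: str, port: str = "tty0", rem_addr: str = "") -> bytes:
    """PAP START body: 8 fixed bytes, then user, port, rem_addr and data (the password)."""
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), password.encode()
    fixed = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_PAP,
                        TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d))
    return fixed + u + p + r + d


def build_packet(body: bytes, key: bytes, session_id: bytes, seq_no: int = 1) -> bytes:
    """Header plus obfuscated body, as the client (here standing in for ANM) would send it."""
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_authen_start(body: bytes) -> dict:
    """Parse a START body; ValueError means the bytes are not a plausible START,
    which is all a server can observe when it decrypted with the wrong key."""
    if len(body) < 8:
        raise ValueError("body too short")
    action, priv, atype, svc, ul, pl, rl, dl = struct.unpack("!BBBBBBBB", body[:8])
    if action not in (1, 2, 3, 4) or atype not in range(1, 7) or priv > 15:
        raise ValueError("fixed fields out of range: key mismatch?")
    if 8 + ul + pl + rl + dl != len(body):
        raise ValueError("field lengths do not add up to body length: key mismatch?")
    fields, off = {}, 8
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl), ("data", dl)):
        fields[name] = body[off:off + n]
        off += n
    try:
        fields = {k: v.decode("ascii") for k, v in fields.items()}
    except UnicodeDecodeError:
        raise ValueError("non-ASCII field contents: key mismatch?")
    fields["authen_type"] = atype
    return fields


def decode_capture(packet: bytes, key: bytes) -> dict:
    """What Wireshark does with the key from Preferences -> Protocols -> TACACS+."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if ptype != TAC_PLUS_AUTHEN or seq_no != 1:
        raise ValueError("not an authentication START")
    body = packet[HEADER.size:HEADER.size + length]
    if len(body) != length:
        raise ValueError("truncated packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, key, version, seq_no)
    return parse_authen_start(body)


if __name__ == "__main__":
    session_id = bytes.fromhex("0badf00d")           # constructed session id
    pkt = build_packet(build_authen_start("brad", "s3cret"), b"1", session_id)
    print("key 1:", decode_capture(pkt, b"1"))       # user/data fields readable
    try:
        decode_capture(pkt, b"2")
    except ValueError as err:
        print("key 2:", err)                         # what ACS logs as Key Mismatch
```

If a real capture decodes with the key you typed into Wireshark but ACS still logs a mismatch, the key stored on ACS is not the one you think (the junk-from-browser case); if the capture does not decode with that key either, the client is obfuscating with something other than the configured key.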

bmcginn Thu, 10/14/2010 - 18:33

Fadi,

That's a good idea, I'll give that a go shortly and let you know what happens.

Brad
