Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1997
Views
8
Helpful
2
Replies

ANM 4.1 & TACACS+

bmcginn
Level 3
Level 3

‎09-29-2010 12:52 AM

Hi All,

I've just put ANM4.1 into the environment here.

I'm trying to get the ANM to authenticate users via ACS.  so far no luck.

I've followed the instructions in this document to the letter (http://www.cisco.com/en/US/docs/app_ntwk_services/data_center_app_services/application_networking_manager/4.1/user/guide/UG_admin.html#wpmkr1276820)

In short, I have done the following on the ANM:

-     created an organisation with TACACS+ as the authentication method

-     created a domain which contains the failover pair of contexts I'm interested in

-     created a role (very similar to the Server-AppIn-Maintenance role)

-     created a user and assigned that user to the new role and the new domain

On the ACS box:

-     created a network group

-     created a username (the same user that I created on the ANM)

When logging into the ANM with that user I'm getting the 'Invalid username or password.  Please try again.' message.  On closer inspection of the ACS logs I am getting key mismatches

29/09/201017:20:31Authen failed..Default Group..(Default)Key Mismatch

I know for a fact that the keys are the same.. Just to be sure though I changed them both (the one on the ACS and the one on the ANM) to the digit 1  still no go, I'm getting the same Key Mismatch failed login on the ACS box.

Has anyone come across this yet by any chance?  All of my searching around the Net has only produced a few things that tell me to ensure the keys are the same.. which they are.  I can only assume something is corrupting the key somewhere on the ANM.

The ANM is running on a RHEL 32bit server in a VM ESX environment.

Thanks for any help.

Brad

Labels:
0 Helpful
2 Replies 2

fadlouni
Level 1
Level 1

‎10-14-2010 12:58 PM

Hi Brad.

make sure you are using an ACS supported browser when configuring the key on ACS, i've seen before unsupported browsers submit junk as the password into ACS.

to verify if the tacacs+ key is really corrupted by ANM, get a packet capture of the tacacs+ packets. then using wireshark you can decrypt the tacacs packets after providing it with the tacacs+ pre-shared key in preferences-> protocols->tacacs+. if the decryption of the tacacs+ request succeeds and you see the tacacs+ attributes, then verify that the user password attribute is correct, then you know the pre-shared key and user password are correct and matching. otherwise the ANM is not encrypting properly.

Regards,

Fadi.

bmcginn
Level 3
Level 3
In response to fadlouni

‎10-14-2010 06:33 PM

Fadi,

Thats a good idea, I''ll give that a go shortly and let you know what happens.

Brad

0 Helpful
Customers Also Viewed These Support Documents