ACS config

Sep 14th, 2005
I have a pair of ACS servers set up. I can set up my 3750s to authenticate to the servers, however I can't get my 6500s to. This is the output from my debugs.

001589: Sep 14 15:16:54: TAC+: Using default tacacs server-group "tacacs+" list.
001590: Sep 14 15:16:54: TAC+: Opening TCP/IP to 10.36.11.30/49 timeout=5
001591: Sep 14 15:16:54: TAC+: Opened TCP/IP handle 0x4525CEF8 to 10.36.11.30/49
001592: Sep 14 15:16:54: TAC+: 10.36.11.30 (1985811061) AUTHEN/START/LOGIN/ASCII queued
001593: Sep 14 15:16:54: TAC+: (1985811061) AUTHEN/START/LOGIN/ASCII processed
001594: Sep 14 15:16:54: TAC+: received bad AUTHEN packet: type = 0, expected 1
001595: Sep 14 15:16:54: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys)


I have checked the config several times. I believe it is correct. Any idea? HELP!

Richard Burts Thu, 09/15/2005 - 09:21
Looking at the last error message I get the feeling that you need to check carefully to verify that you have configured the same key on both devices.

001595: Sep 14 15:16:54: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys)


I have received this error message before and it was in fact an issue with mismatched keys.


HTH


Rick

ppellettiere Thu, 09/15/2005 - 12:18
Rick,

I did check the keys and I reset them. I know they match. I do have 3750s running with the same setup, and they work.

Pete

Richard Burts Thu, 09/15/2005 - 18:03
Pete


If you are sure that the key on the 6500 is the same as the key defined on the tacacs server for that device then we will look for other explanations.


Do the logs on 10.36.11.30 show the incoming request and how the server responded?


HTH


Rick

nkhwaja Thu, 12/08/2005 - 08:38
I have exactly the same problem with two 6509s with IOS 12.2(17d)SXB10. Were you able to resolve this?



Richard Burts Sat, 12/10/2005 - 10:15
If you have the same problem, then I would ask you most of the same questions.

- would you verify that the key value used on the 6500 is exactly the same as the key value used in the authentication server?

- are there log messages on the authentication server? Does the server see the authentication request? And if it does see the request, how does the authentication server think that it responded?


HTH


Rick

ppellettiere Sun, 12/11/2005 - 06:41
All,

The problem was resolved by adding this command:

ip tacacs source-interface Loopback0

Since I have many segments on the 6500, I had to specify the Loopback as the interface to use.


Sorry I didn't post this sooner.


Pete

Richard Burts Sun, 12/11/2005 - 13:26
Pete


Thanks for posting back to the forum. I am glad to know that we were able to help. It is useful to know that an issue was resolved and what was done to solve the problem.


I believe that this is a fairly common potential problem when a router has more than one interface that could send the request to TACACS. Unless you do specify the source interface the router will default to using the IP of the outbound interface as the source address in the TACACS request. Since ACS/TACACS can specify only a single address for a requestor the router needs to use the same source address for every request. You found the optimum solution for this situation.


People reading this forum should pay attention to this potential problem and how to resolve it as Pete has discovered.


HTH


Rick

nkhwaja Mon, 12/12/2005 - 05:43
I substituted vlan1 in the command since there's no loopback0, and it does not work. Any clues? Here is my complete tacacs config. Can you please post your tacacs config?

aaa authentication login default group tacacs+ line enable none
aaa authentication login no_tacacs line none
aaa authorization exec default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting network default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
ip tacacs source-interface Vlan1
tacacs-server host 10.177.x.x
tacacs-server timeout 20
tacacs-server directed-request
tacacs-server key 7 xxxxx


Appreciate your help.

Richard Burts Mon, 12/12/2005 - 06:12
I have looked at the part of the config that you posted and I do not see any obvious errors. I do notice the line that specifies:

aaa authentication login no_tacacs line none

and I wonder how you have applied the no_tacacs method of authentication.


I would suggest several things you can do to help troubleshoot this problem.

- you have specified that the switch MSFC use the IP address of VLAN 1 as the source address of its TACACS packets. Can you verify that the TACACS server is configured to process this device at that address?

- can you verify that the key defined on the switch MSFC matches the key defined on the TACACS server?

- can you verify IP connectivity between the switch MSFC and the TACACS server by doing an extended ping on the MSFC? In the extended ping specify the TACACS server as the destination and specify VLAN 1 as the source address.

- can you look in the logs on the TACACS server and verify whether the server sees the authentication request? And if it sees the authentication request how does it think that it responded? (This is perhaps the most crucial part of the troubleshooting procedure that I am suggesting).


If you can do these things we may be much closer to being able to identify the source of your problem.


HTH


Rick

nkhwaja Mon, 12/12/2005 - 06:46
To quote you: "Can you verify that the TACACS server is configured to process this device at that address?"

- How do I do that? I did not think I needed such config. No other switch required such config.

- Key is correct, and is the same as in other switches where it works.

- tacacs server is reachable through extended ping with source address of vlan1.

- tacacs server 'failed attempts log' has two lines for each attempt:

Bad request from NAS
Authen failed Key Mismatch

- What's 'bad request' mean?

- Debug messages point to invalid length of packets.

- The debug shows the same messages as posted in the first message of this conversation.

- This is only happening with my two 6509s that have IOS: s72033-pk9sv-mz.122-17d.SXB10


nkhwaja Mon, 12/12/2005 - 07:06
I fixed it!

tacacs-server key key-value

fixes it. Key-value = '7 encrypted-value' did not work. What works is: key-value = unencrypted value without a 0 before it.

Richard Burts Mon, 12/12/2005 - 08:01
I am glad that you fixed the problem. Mismatched key between the MSFC and the server was one of the possibilities that I pointed out.


If your config had key 7 encrypted-value and you fixed it by entering the key as clear-text, would I be correct in assuming that you did a cut and paste from a router that was working to these MSFC?


HTH


Rick
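The two root causes found in this thread (a request arriving from a source address the server has no entry for, and a pasted `key 7 ...` line that makes the device use a different key than the server) look identical on the wire, because TACACS+ obfuscates the packet body with a pad derived from the shared key and the session id, so the server de-obfuscates with the wrong key and sees a malformed AUTHEN START. The following Python is an added example, not code from the thread or from Cisco; the pad computation follows RFC 8907 section 4.5, and the NAS table, addresses, user name and keys are constructed (only the session id 1985811061 comes from the debug output above).

```python
import hashlib
import struct

TAC_PLUS_AUTHEN_LOGIN = 1  # action byte expected at the start of an AUTHEN START body

def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 4.5 pad: chained MD5 over session_id + key + version + seq_no."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(prefix + block).digest()
        pad += block
    return pad[:length]

def obfuscate(body: bytes, session_id: int, key: bytes, version=0xC0, seq_no=1) -> bytes:
    """XOR the body with the pad; the same call de-obfuscates, so a wrong key yields garbage."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def authen_start(user: bytes, port: bytes = b"tty1", rem_addr: bytes = b"") -> bytes:
    """AUTHEN START body: action, priv_lvl, authen_type, service, four lengths, then the fields."""
    hdr = bytes([TAC_PLUS_AUTHEN_LOGIN, 1, 1, 1, len(user), len(port), len(rem_addr), 0])
    return hdr + user + port + rem_addr

def decode_start(wire: bytes, session_id: int, key: bytes):
    """Return the user name if the de-obfuscated body is a well-formed LOGIN START, else None."""
    body = obfuscate(wire, session_id, key)
    action, priv, atype, service, ul, pl, rl, dl = body[:8]
    if action != TAC_PLUS_AUTHEN_LOGIN or priv > 15 or not 1 <= atype <= 6 or service > 9:
        return None  # this is the server-side view of "bad request" / "check keys"
    if 8 + ul + pl + rl + dl != len(body):
        return None
    return body[8:8 + ul]

# Constructed server-side table: the server identifies a NAS by the source address it sends from.
NAS_KEYS = {"10.36.11.1": b"loopback-key"}  # only the Loopback0 address is registered (assumed)

def server_decode(src_ip: str, wire: bytes, session_id: int):
    """Look the NAS up by source address, then de-obfuscate with that entry's key."""
    key = NAS_KEYS.get(src_ip)
    if key is None:
        return None  # request came from an unregistered interface address: no key to use
    return decode_start(wire, session_id, key)

if __name__ == "__main__":
    sid = 1985811061  # session id seen in the debug output in this thread
    wire = obfuscate(authen_start(b"pete"), sid, b"loopback-key")
    print(server_decode("10.36.11.1", wire, sid))      # b'pete': registered source address
    print(server_decode("10.36.12.1", wire, sid))      # None: sent from another segment's address
    print(decode_start(wire, sid, b"7 xxxxx"))         # None: pasted 'key 7 ...' is not the key
```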

brian.oflynn Thu, 03/16/2006 - 06:28
Hi, I am having a similar problem with a SAN switch 9216i. I am getting the key mismatch on the ACS Server (3.2) when I try to log into the switch. I have confirmed the key is correct on the SAN switch and the ACS Server. When I try to enter the key as clear text using the 0 value, the switch encrypts the key anyway, so although I have typed and retyped the password, I can't physically see it when it is on the switch. The config seems pretty basic for the SAN switch. Here is what I typed in:

tacacs+ enable
tacacs-server timeout 30
tacacs-server key 0 password
tacacs-server host 10.10.10.1

I am using SAN OS version 2.1(1b).

Anybody else seen this before?

ppellettiere Thu, 03/16/2006 - 08:43
What I did was specify the interface to use, so I know what IP to configure on the ACS.


I added this command to the switch config.

ip tacacs source-interface Loopback0

Richard Burts Thu, 03/16/2006 - 08:45
Brian


I am not very familiar with the SAN switch, so I cannot say if it is common. I would suggest that you try typing the tacacs-server key command without the 0, so just type tacacs-server key


Try it and let us know what happens.


HTH


Rick

brian.oflynn Mon, 03/20/2006 - 00:57
Thanks for the replies. I actually got it working by accident. That key error seemed to be a bit of a red herring, because as soon as I added the line aaa authentication login default group ACS, it started to work!
