
New Member

AAA auth with Cisco GSS

Hi all

We are having problems with a GSS box here (ver 1.3) which we are trying to auth against ACS 4.1.

Have configured the following on the GSS

tacacs-server timeout 5

tacacs-server host xx.xx.xx.xx port 49 key blahblah

aaa authentication ssh local

Configured ACS with all the same parameters and using tac+.

Now, using a known working account in ACS (working against multiple other devices), I cannot log into the GSS box. ACS reports "ACS password invalid" when we know it isn't.

Have tcpdump'd the GSS; the TCP keepalives with ACS are good and it reports the box as alive.

Any ideas???

Silver

Re: AAA auth with Cisco GSS

Does this happen with all the usernames or with a single one? If this happens with a single one, then probably the same username is configured with two passwords. Use a different username/password combination to check this. If this happens with all usernames, then reinstall ACS and try again.

New Member

Re: AAA auth with Cisco GSS

Hi,

Yes, this happens with all usernames, both ACS internal and external DB accounts, for the GSS.

This error is for the GSS only and the myriad other devices work OK, so a reinstall isn't going to fix this.

thanks

New Member

Re: AAA auth with Cisco GSS

Hi - I've just been testing this myself with GSS versions 2.0(2) and 1.3(2).

1.3(2) just doesn't work! I've enabled 'full' service logging on the ACS side and examined the resulting tcs.log. When 1.3(2) tries to authenticate, it seems to be padding the password. I get messages like USER_MSG_LEN=d (0xd), USER_DATA_LEN=13 (0x0) FLAGS=0x0.

However, when I log in through a working TACACS client, the USER_DATA_LEN field has a length equal to the actual password length.

Hope this helps!

Testing on 2.0(2) gets past the initial authentication but I can't manage to get authorized properly yet.

I'm getting

gss1>en

Authorization failed. Admin privilege required.

I've got priv-lvl set to 15 already so I don't see what the problem might be.
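
As an added example (not code from the poster or from Cisco), this shows how the fields ACS logs as user_msg_len and data_len are carried in a TACACS+ authentication CONTINUE packet, with the body obfuscation from RFC 8907, so a padded password can be spotted the way the post above describes. The session id and passwords are constructed, the shared key is the placeholder from the GSS config in the original question, and the "padded" client is a constructed illustration, not a capture from GSS 1.3(2).

```python
import hashlib
import struct

# TACACS+ constants from RFC 8907 (the protocol the GSS and ACS speak)
TAC_PLUS_VERSION = 0xC0   # major 0xC, minor 0, as a single header byte
TAC_PLUS_AUTHEN = 0x01    # packet type: authentication
HEADER_LEN = 12
SHARED_KEY = b"blahblah"  # placeholder key from the GSS config above, not a real secret


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5: chained MD5 over session_id, key, version, seq_no and the previous digest."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; the same call also de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_continue(password, session_id, key, seq_no=3):
    """Client side: authentication CONTINUE (reply to GETPASS) carrying the password in user_msg."""
    user_msg, data = password.encode(), b""
    body = struct.pack("!HHB", len(user_msg), len(data), 0) + user_msg + data
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_continue(packet, key):
    """Server side: de-obfuscate and return (user_msg_len, data_len, user_msg), the values ACS logs."""
    version, ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    if ptype != TAC_PLUS_AUTHEN or len(packet) != HEADER_LEN + length:
        raise ValueError("malformed TACACS+ authentication packet")
    body = obfuscate(packet[HEADER_LEN:], session_id, key, version, seq_no)
    user_msg_len, data_len, _body_flags = struct.unpack("!HHB", body[:5])
    return user_msg_len, data_len, body[5:5 + user_msg_len]


def password_field_matches(packet, key, expected_len):
    """Diagnostic: does user_msg_len equal the real password length, or did the client pad it?"""
    return parse_continue(packet, key)[0] == expected_len


if __name__ == "__main__":
    sid = 0x01020304                                                 # constructed session id
    good = build_continue("secret", sid, SHARED_KEY)                 # well-behaved client
    padded = build_continue("secret" + "\x00" * 7, sid, SHARED_KEY)  # constructed: padded to 13 bytes
    print(parse_continue(good, SHARED_KEY), password_field_matches(good, SHARED_KEY, 6))        # (6, 0, b'secret') True
    print(parse_continue(padded, SHARED_KEY)[:2], password_field_matches(padded, SHARED_KEY, 6))  # (13, 0) False
```

The same decoder can be pointed at a tcpdump capture of port 49 traffic to compare what the GSS actually sends with the password length the user typed.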
