AAA on ASA 8.2(1) issue

kevin.rose
Level 1

I'm trying to set up AAA on a new ASA running 8.2(1) and I can't get the ACS (4.2(0) Build 124 Patch 6) and ASA keys to agree for TACACS+. I've done this before on a bunch of systems and it's always been a typo, but I've set both ends to a key of 'a' and it still doesn't work. I get this in the ASA logs:

4 Sep 29 2009 22:03:48 109027 [ TACACS ] Unable to decypher response message Server = x.y.z.a, User = blah

3 Sep 29 2009 22:03:48 109026 [ TACACS ] Invalid reply digest received; shared server key may be mismatched.

and on the ACS box I get:

09/29/2009 22:03:48 Authen failed .. default .. Key Mismatch .. .. .. b.c.d.e

The setting on both sides match up to what other working ASAs have. Is there something in 8.2(1) that changes something?

Thanks

Accepted Solution

Jatin Katyal
Cisco Employee

Hi,

As you are sure the key is correct on both sides, I would like you to check this:

On the ACS, go to Network Configuration and select the Network Device Group (NDG) under which the ASA is added as an AAA client.

Once you are in the Network Device Group, take a look at the bottom of the page; you'll see an option that says "Edit Properties". Click on that button.

Then make sure that nothing is configured for "Shared Secret"; if there is something, remove it so the field is blank, and then press "Submit".

Then try to authenticate.

Any key defined in the above section overrides the key defined on a per-device basis.

For more detail, please refer to:

http://www.cisco.com/univercd/cc/td/doc/product/access/acs_soft/csacs4nt/acs41/user/netcfg.htm#wp342738

HTH

JK

~Jatin
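To make the failure mode in this thread concrete, here is an added example (not code from the thread, from Cisco ASA/ACS, or from any Cisco product) that models TACACS+ body obfuscation as specified in RFC 8907 and the ACS key-selection rule the answer describes. TACACS+ XORs the packet body with a chain of MD5 blocks derived from the session id, the shared key, the version and the sequence number; there is no MAC, so a receiver using the wrong key only discovers it because the decrypted fields stop adding up, which is what ACS reports as "Key Mismatch" and what the ASA logs as an undecipherable reply. The function `acs_effective_key` is a hypothetical model of the rule "a non-empty NDG shared secret overrides the per-client key"; the packets, the session id and the username `blah` are all constructed inline, and nothing touches the network.

```python
"""
Added example, not code from the thread or from Cisco: a minimal model of
TACACS+ body obfuscation (RFC 8907) and of the ACS key-selection rule the
accepted answer describes.

Pseudo-pad:  pad_1 = MD5(session_id || key || version || seq_no)
             pad_n = MD5(session_id || key || version || seq_no || pad_{n-1})
The body is XORed with the concatenated pads. There is no MAC, so a wrong
key is only detectable because the decrypted body is no longer consistent.
"""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0     # major version 0xc, minor version 0 (default)
TAC_PLUS_AUTHEN = 0x01      # packet type: authentication
HEADER_FMT = "!BBBBII"      # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id, key, version, seq_no, length):
    """Return `length` bytes of pseudo-pad for one packet."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()   # chained MD5 blocks
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; the same call both encrypts and decrypts."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port=b"tty0", rem_addr=b"", data=b""):
    """Cleartext START body: action=LOGIN, priv_lvl=1, authen_type=ASCII, service=LOGIN."""
    hdr = struct.pack("!8B", 1, 1, 1, 1, len(user), len(port), len(rem_addr), len(data))
    return hdr + user + port + rem_addr + data


def build_packet(body_clear, session_id, key, seq_no=1):
    """Wrap a cleartext body in a TACACS+ header and obfuscate it under `key`."""
    body = obfuscate(body_clear, session_id, key, TAC_PLUS_VERSION, seq_no)
    hdr = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0,
                      session_id, len(body))
    return hdr + body


def decode_authen_start(packet, key):
    """Decrypt under `key` and parse the START body.

    Returns the username, or None when the decrypted body is not self-consistent,
    which is the only evidence a TACACS+ server has of a shared-key mismatch.
    """
    version, ptype, seq_no, _flags, session_id, length = struct.unpack(HEADER_FMT, packet[:12])
    if ptype != TAC_PLUS_AUTHEN or len(packet) != 12 + length:
        return None
    body = obfuscate(packet[12:], session_id, key, version, seq_no)
    if len(body) < 8:
        return None
    action, priv, atype, service, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    # Sanity checks on the fixed fields: wrong-key output is effectively random here.
    if action not in (1, 2, 3) or priv > 15 or atype not in range(1, 7) or service > 9:
        return None
    if 8 + ulen + plen + rlen + dlen != len(body):
        return None
    user = body[8:8 + ulen]
    if not all(0x20 <= c < 0x7F for c in user):
        return None
    return user.decode("ascii")


def acs_effective_key(device_key, ndg_shared_secret):
    """Hypothetical model of the ACS rule from the answer: a non-empty NDG shared
    secret overrides the per-AAA-client key (assumption: blank means 'not set')."""
    return ndg_shared_secret if ndg_shared_secret else device_key


def simulate(asa_key, device_key, ndg_shared_secret, session_id=0x1234ABCD):
    """ASA sends START under asa_key; ACS decrypts with whatever key it resolves."""
    pkt = build_packet(build_authen_start(b"blah"), session_id, asa_key)
    return decode_authen_start(pkt, acs_effective_key(device_key, ndg_shared_secret))


if __name__ == "__main__":
    # Both ends set to 'a', nothing in the NDG: the server decodes the username.
    print(simulate(b"a", b"a", b""))
    # Both ends set to 'a', but a stale NDG secret exists: the thread's "Key Mismatch".
    print(simulate(b"a", b"a", b"oldsecret"))
```

Run the file directly and the first call returns `blah` while the second returns `None`, even though the per-device key on both ends is identical. That is exactly the situation in the thread: the mismatch is not between the two keys the administrator typed but between the ASA's key and the key ACS actually resolves once an NDG shared secret is present. On a real ASA, `test aaa-server authentication <server-tag> host <ip> username <user> password <pass>` exercises the same exchange without waiting for a login attempt.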
