Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

ACS 4.2 TACACS+ Authen failed. Key Mismatch

I've configured 10 layer 2 switches(C3750-ADVIPSERVICESK9-M), Version 12.2(40)SE), to use TACACS+. They're all using the same key, and are working fine.  I moved onto another 3750 switch located across a point-to-point circuit, a Cisco C3750 Software (C3750-IPBASEK9-M), Version 12.2(35)SE5. I entered the usual configuration, and then entered the key, and tried logging in as a  user, and get authentication failed. I checked the server, and see Key mismatch in the Reports and Activity, Failed Attempts.  I deleted the key, copied and pasted it from notepad, still doesn't work.  Deleted the switch from the Network Device Group in ACS, and then re-added it, pasted a new key, with no special characters. No go.

Here's what the config looks like.

aaa new-model
!
!
aaa authentication login default group tacacs+ enable
aaa authentication login NO_AAA local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated

ip tacacs source-interface FastEthernet0/0

tacacs-server host 10.1.1.1
tacacs-server key 0 itspassword
tacacs-server directed-request


Initially, the password was encrypted, so I changed it to clear text, by typing in the password without the 0, and with the 0.  Neither worked.  Also removed service password-encryption to see  if that would do anything.


I usually SSH to the router, so I changed it to accept telent.  That didn't work.  Changed it back to SSH, re-initialized the rsa keys, and changed it to use SSH2, that didn't work.

Here's  what I get from the logs


Aug 12 11:43:24: TAC+: send AUTHEN/START packet ver=192 id=97563278
Aug 12 11:43:24: TAC+: Using default tacacs server-group "tacacs+" list.
Aug 12 11:43:24: TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
Aug 12 11:43:24: TAC+: Opened TCP/IP handle 0x3663CA0 to 10.219.1.1/49 using source 10.2.2.254
Aug 12 11:43:24: TAC+: 10.1.1.1 (97563278) AUTHEN/START/LOGIN/ASCII queued
Aug 12 11:43:25: TAC+: (97563278) AUTHEN/START/LOGIN/ASCII processed
Aug 12 11:43:25: TAC+: received bad AUTHEN packet: length = 6, expected 80467
Aug 12 11:43:25: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
Aug 12 11:43:25: TAC+: Closing TCP/IP 0x3663CA0 connection to 10.1.1.1/49
Aug 12 11:43:25: TAC+: Using default tacacs server-group "tacacs+" list.
Aug 12 11:43:37: TAC+: send AUTHEN/START packet ver=192 id=1015854339
Aug 12 11:43:37: TAC+: Using default tacacs server-group "tacacs+" list.
Aug 12 11:43:37: TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
Aug 12 11:43:37: TAC+: Opened TCP/IP handle 0x366AF24 to 10.1.1.1/49 using source 10.2.2.254
Aug 12 11:43:37: TAC+: 10.1.1.1 (1015854339) AUTHEN/START/LOGIN/ASCII queued
Aug 12 11:43:38: TAC+: (1015854339) AUTHEN/START/LOGIN/ASCII processed
Aug 12 11:43:38: TAC+: received bad AUTHEN packet: length = 6, expected 79092
Aug 12 11:43:38: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
Aug 12 11:43:38: TAC+: Closing TCP/IP 0x366AF24 connection to 10.1.1.1/49
Aug 12 11:43:38: TAC+: Using default tacacs server-group "tacacs+" list.

I looked around on the forum for about 4 hours, trying all the other options that were given to others that had similar issue.  The last key I put in was 123456.  You can't fat finger that one.  The switch log is saying check the key, the firewall is configured to allow all traffic from the AAA client.

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: ACS 4.2 TACACS+ Authen failed. Key Mismatch

Hi mg green2003,

The group key (of the NDG where your switch belongs to) override the device key. Did you check that one?

greetz,

Julia

5 REPLIES
New Member

Re: ACS 4.2 TACACS+ Authen failed. Key Mismatch

Hi mg green2003,

The group key (of the NDG where your switch belongs to) override the device key. Did you check that one?

greetz,

Julia

New Member

Re: ACS 4.2 TACACS+ Authen failed. Key Mismatch

Julia,

Thanks for you attention to detail.  I breezed through all the layer 2 devices so fast, that I had forgot that there were 2 keys, one for the NDG, and one for the device.  I changed both, and I was able to login.  Thanks so much.  I feel my migrane going away!

New Member

Re: ACS 4.2 TACACS+ Authen failed. Key Mismatch

I'm glad it did help.

New Member

Re: ACS 4.2 TACACS+ Authen failed. Key Mismatch

Dear mg green2003

Try to add the key to the switch and the ACS again with making sure you don't have a space at the end of the key.

Thanks,

New Member

Re: ACS 4.2 TACACS+ Authen failed. Key Mismatch

Yeah, I've done that in the past, with the extra spaces.  I made sure to carefully type in the

password.  The last key I used was 123456.  No extra spaces at all.

4962
Views
0
Helpful
5
Replies
CreatePlease to create content