Cisco Support Community
New Member

ACS 5.2 with tacacs+ can't support Alcatel switch.

I have some Alcatel switches and I want to use ACS 5.2's TACACS+ for Alcatel switch admin authentication.

The failure reason: 13011 Invalid TACACS+ request packet - possibly mismatched Shared Secrets

But I have checked that the shared secret is correct.

Before, I tried associating with ACS version 4.2 and it worked.

Please review the attachment for the ACS report.

Please give me suggestions.

1 ACCEPTED SOLUTION

Accepted Solutions
New Member

Re: ACS 5.2 with tacacs+ can't support Alcatel switch.

Hello,

Can't give you an answer, but which Alcatel model/version do you run?

I have the same problem with OS6250 (6.6.1.636.R01) and ACS 5.2 unpatched. I'm looking for an Alcatel or ACS bug track.

Have you reviewed PR 144246 on:

http://www.alcadisipsolutions.nl/files/Support_files/Alcatel-Lucent/OmniSwitch/OS6250/Firmware/OS6250%20AOS%206.6.1%20-%206250%20+%206250M%20models/OS6250%20AOS%206.6.1.739%20R01/OS6250%20AOS%206.6.1.739%20R01%20Release%20Notes.pdf

david

16 REPLIES
New Member

Re: ACS 5.2 with tacacs+ can't support Alcatel switch.

I am running switch type OmniSwitch 6850 and software version 6.3.1.1085.R01.

New Member

Re: ACS 5.2 with tacacs+ can't support Alcatel switch.

Hello,

I updated the ACS yesterday with the Update-8 package (5.2.0.26-8); same problem while trying to authenticate on the Alcatel switch.

I just changed the switch config to bind AAA authentication to an old ACS 3.2. Authentication was successful.

I think it is an ACS 5.2 problem.

Silver

Re: ACS 5.2 with tacacs+ can't support Alcatel switch.

Hello,

For the shared secret value, is it configured to use the pound sign (#)? For example: cisco#123

If yes, can you change the secret key value on both the Alcatel OmniSwitch and ACS AAA Client Entry with a new shared secret without the # sign? Test authentication again and share the results.

NOTE: If it is using any other special characters, can you change it to a test key, "cisco" for example, on both sides?

Regards.

New Member

Re: ACS 5.2 with tacacs+ can't support Alcatel switch.

Hello Carlos,

I have tested with a weak shared secret and the authentication was still unsuccessful.

But while trying with no shared password, it worked...

I think it is a problem while exchanging the shared secret.

But as it seems to work on an ACS 3.2, I still believe it is an ACS 5.2 error.

I'm still investigating.

BR.

Silver

Re: ACS 5.2 with tacacs+ can't support Alcatel switch.

Hi,

A good approach at this point would be to configure a SPAN port (Packet Capture) on the ACS switchport and analyze the TACACS+ and TCP packets. Using Wireshark > Edit > Preferences > Protocols > TACACS+ > TACACS+ Encryption Key > type the shared secret value. This will allow you to review the unencrypted packets.

A capture using a Shared Secret and also another one without a key might be helpful in order to compare both the failure and the success.

Regards.

New Member

Re: ACS 5.2 with tacacs+ can't support Alcatel switch.

I'll get the traces tomorrow and give you a feedback.

Thanks.

New Member

Re: ACS 5.2 with tacacs+ can't support Alcatel switch.

Hello,

We have the same issues on 6850 and ACS 5.3.0.40.8, which is the 5.3 version with the latest updates installed. We have to migrate from 4.2 to 5.3. In version 4.2 everything is running and it works fine. Since we tried to set up the 5.3 version, the Omnis are failing.

Which software release was used on your 6850s? (We have 6.4.4.597.R01 in use on a few switches and 6.4.3.717.R01 on the main part of our network.) Both software versions are refusing the connections after successful authentication through ACS 5.3. We later configured the ACS and the Omnis with "empty" keys; after that the ACS refused the authentication with the message "The TACACS+ request packet was invalid. A likely reason is that the Shared Secret configured in the device and the Shared Secret configured for the Network Device or AAA Client in ACS do not match".

It would be great if you can assist me in how to get these crappy devices to run. Are there special configuration parameters that must be in place? Special policies or something else?

Alcatel is refusing support and points to Cisco as the origin of the problem, so I have to open an additional TAC case now before they will do any support on their software and devices.

With kind regards

Stefan Bischoff

New Member

Hi Stefan

Do you know any RADIUS or TACACS+ server that supports the ALU switches?

Because we are only using those devices in our company.

Thanks

Kaifeng

New Member

Hi Kaifeng,

The Cisco ACS 5.x will support the Alcatel Omnis with RADIUS, but if you want to use it with TACACS it will not work. If you decide to use the RADIUS implementation, you have to create the VSA dictionary for authenticating AND authorizing the user. An additional task is to create the right sequences and order in the policies. The VSA dictionary can be taken directly from ALU Support.

Kind regards

Stefan

New Member

Re: ACS 5.2 with tacacs+ can't support Alcatel switch.

Thank you for giving me a direction for solving the case.

So I did it by upgrading the OS of the switch.

New Member

Re: ACS 5.2 with tacacs+ can't support Alcatel switch.

Hello,

Good news, bad news...

I finally traced the TACACS authentication between:

- ACS 5.2 and Alcatel with no shared secret

- ACS 5.2 and Alcatel with shared secret "cisco"

- ACS 3.2 and Alcatel with shared secret

Unfortunately, I discovered that Alcatel seems to encrypt the TACACS connection with another shared password, because Wireshark is not able to decrypt the TACACS+ authentication request (Wireshark analysis gives "packet malformed"). The result of the bad encryption is that the ACS 5.2 doesn't reply to the request. It only acknowledges the packet, without a TACACS reply, so the Alcatel sends a session FIN.

I have tested the authentication with Alcatel and ACS 3.2 with a non-null shared secret. The difference between 3.2 and 5.2 is that ACS 3.2 continues the session, sending a TACACS+ password request, even if the shared secret seems different.

Working with this analysis, I asked my support to give me an Alcatel update package.

I now believe that ACS 5.2 is just more strict with the TACACS+ protocol than ACS 3.2, and that's the reason for the authentication failure.

I'll post the next step when I am able to test with the Alcatel update.

BR

David
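The "packet malformed" result David describes follows from how TACACS+ protects the packet body: the 12-byte header travels in clear, and the body is XORed with an MD5 pseudo-pad derived from the session id, the shared secret, the version byte and the sequence number (RFC 8907, section 4.5). A server that de-obfuscates with a different secret gets a body whose length fields no longer add up, so all it can report is an invalid packet (ACS's 13011), not a wrong password. The Python below is an added example and is not code from this thread, from Cisco or from Alcatel: it builds an Authentication START packet with a constructed session id and user name, then decodes it with the matching secret, with a mismatched one, and with the unencrypted flag set, as in the no-shared-secret test. The toy server accepts the unencrypted flag to mirror that test; RFC 8907 says production servers should reject it.

```python
"""TACACS+ body obfuscation (RFC 8907 section 4.5) and a server-side sanity
check on an Authentication START packet.  Added example with constructed
values; it shows why a shared-secret mismatch surfaces as an invalid packet."""
import hashlib
import struct

HEADER = struct.Struct("!BBBBII")        # version, type, seq_no, flags, session_id, length
START_FIXED = struct.Struct("!BBBBBBBB") # action, priv_lvl, authen_type, service,
                                         # user_len, port_len, rem_addr_len, data_len

TAC_PLUS_VERSION = 0xC0                  # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 pad: MD5_1 = MD5(session_id, key, version, seq_no);
    MD5_n = MD5(session_id, key, version, seq_no, MD5_{n-1}); concatenate, truncate."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; applying it twice restores the body."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, session_id, key, seq_no=1):
    """Client side: header plus Authentication START body.  An empty key sends
    the body in clear and sets TAC_PLUS_UNENCRYPTED_FLAG, as a device with no
    shared secret configured would."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    body = START_FIXED.pack(TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII,
                            TAC_PLUS_AUTHEN_SVC_LOGIN,
                            len(user_b), len(port_b), len(rem_b), 0)
    body += user_b + port_b + rem_b
    flags = 0
    if key:
        body = obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)
    else:
        flags |= TAC_PLUS_UNENCRYPTED_FLAG
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags,
                         session_id, len(body))
    return header + body


def server_decode_start(packet, key):
    """Server side: de-obfuscate with the server's own configured key and
    validate the body.  Returns the parsed fields, or None when the body does
    not parse, which is exactly what a mismatched shared secret looks like."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:]
    if ptype != TAC_PLUS_AUTHEN or len(body) != length:
        return None
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    if len(body) < START_FIXED.size:
        return None
    action, priv, atype, svc, ulen, plen, rlen, dlen = START_FIXED.unpack(body[:START_FIXED.size])
    # The four length fields must account exactly for the remaining bytes and the
    # fixed fields must hold values the protocol defines; garbled bytes fail here.
    if START_FIXED.size + ulen + plen + rlen + dlen != len(body):
        return None
    if action != TAC_PLUS_AUTHEN_LOGIN or atype != TAC_PLUS_AUTHEN_TYPE_ASCII:
        return None
    off = START_FIXED.size
    user = body[off:off + ulen]; off += ulen
    port = body[off:off + plen]; off += plen
    rem = body[off:off + rlen]
    try:
        return {"user": user.decode(), "port": port.decode(),
                "rem_addr": rem.decode(), "priv_lvl": priv}
    except UnicodeDecodeError:
        return None


def demo():
    """Same packet decoded with the right secret, a wrong secret, and in clear."""
    sid = 0x1A2B3C4D                                   # constructed session id
    pkt = build_authen_start("admin", "console", "10.0.0.5", sid, b"cisco")
    clear_pkt = build_authen_start("admin", "console", "10.0.0.5", sid, b"")
    return (server_decode_start(pkt, b"cisco"),        # matching secret: parses
            server_decode_start(pkt, b"cisco#123"),    # mismatched secret: None
            server_decode_start(clear_pkt, b"cisco"))  # unencrypted flag: parses


if __name__ == "__main__":
    for label, result in zip(("match", "mismatch", "unencrypted"), demo()):
        print(f"{label}: {result}")
```

The mismatched case is the one Wireshark reports as malformed once the wrong key is typed into its TACACS+ preference, and the one ACS logs as 13011; nothing in the packet tells the server which side holds the wrong secret, which is why comparing captures with and without a key, as suggested above, is the practical way to localise it.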

Silver

Re: ACS 5.2 with tacacs+ can't support Alcatel switch.

Hello David,

Interesting details indeed. I am looking forward to your response after applying the update to the Alcatel switch.

It seems we are on the right track with this issue now.

Regards.

New Member

Re: ACS 5.2 with tacacs+ can't support Alcatel switch.

Hello,

My last post has not been recorded.

For your information, I upgraded the Alcatel switch to 6.6.1.859.R01.

The result is that the authentication is now successful. The problem was on the switch version (2009).

BR,

David

New Member

Hi

Did you fix this issue for ALU switches?
New Member

Hi,

No, we didn't get it fixed. Alcatel has released new software 6.4..4.623.R01 for the Omnis; unfortunately the first switch we tested crashed with the new software because of a flash memory failure and was not recoverable, so we stopped testing. In the meantime our company decided to replace the Omni switches with Alcatel ISAM FX, which works with the ACS 5.3 (RADIUS). The Omnis will be sold to people interested in them or to resellers on the second-hand market.

Kind regards

Stefan
