Cisco ACS authentication problems

Wayne Cromwell
Level 1

Hi All,

I just set up my ACS server for Windows. It is running software version 4.1. I am having problems authenticating. I have my AAA Clients set up in the ACS GUI to use TACACS+ to authenticate. I have the switch key and ACS server keys matching. I have users set up. Here is my AAA config on the switch..

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ enable

Here is the debug info on tacacs

183757: Sep 2 10:14:22.131 edt: TAC+: send AUTHEN/START packet ver=192 id=2789804961
183758: Sep 2 10:14:22.131 edt: TAC+: Using default tacacs server-group "tacacs+" list.
183759: Sep 2 10:14:22.131 edt: TAC+: Opening TCP/IP to 10.11.8.200/49 timeout=5
183760: Sep 2 10:14:22.135 edt: TAC+: Opened TCP/IP handle 0x80E767B8 to 10.11.8.200/49
183761: Sep 2 10:14:22.135 edt: TAC+: 10.11.8.200 (2789804961) AUTHEN/START/LOGIN/ASCII queued
183762: Sep 2 10:14:22.335 edt: TAC+: (2789804961) AUTHEN/START/LOGIN/ASCII processed
183763: Sep 2 10:14:22.335 edt: TAC+: received bad AUTHEN packet: length = 6, expected 128683
WC2950-12#
183764: Sep 2 10:14:22.335 edt: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
183765: Sep 2 10:14:22.335 edt: TAC+: Closing TCP/IP 0x80E767B8 connection to 10.11.8.200/49
183766: Sep 2 10:14:22.339 edt: TAC+: Using default tacacs server-group "tacacs+" list.
183767: Sep 2 10:14:22.339 edt: SSH1: password authentication failed for wcromwell

I have the same keys on the AAA server as I do on my switch..

Thanks

1 Accepted Solution

Accepted Solutions

Jagdeep Gambhir
Level 10

Please check the NDG secret key and the AAA client key. The NDG key overrides the AAA client key.

Make sure you have the correct key in the NDG.

Regards,

~JG

Do rate helpful posts

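To see why a key mismatch shows up as "length = 6, expected 128683" followed by "check keys", here is an added example (not from the original thread, and not Cisco code) that implements the TACACS+ body obfuscation from RFC 8907 and repeats the length sanity check the switch performs. The session id and version byte come from the debug output above; both keys are made-up placeholders.

```python
import hashlib
import struct

# Constructed example: session id and version (ver=192 = 0xC0) are taken
# from the debug output above; the keys are hypothetical placeholders.
SESSION_ID = 2789804961
VERSION = 0xC0            # TACACS+ major version 0xC, minor version 0
SEQ_NO = 2                # the server's first reply in a session is seq_no 2
SERVER_KEY = b"server-side-key"   # hypothetical key the ACS (NDG) actually uses
SWITCH_KEY = b"switch-side-key"   # hypothetical key configured on the IOS device

TAC_PLUS_AUTHEN_STATUS_ERROR = 0x07

def tacacs_pad(session_id, key, version, seq_no, length):
    """RFC 8907 pseudo-pad: chained MD5 over session_id, key, version, seq_no."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(struct.pack("!I", session_id) + key
                           + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pad; calling it again with the same key undoes it."""
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def build_authen_reply(status, server_msg=b"", data=b""):
    """AUTHEN REPLY body: status, flags, server_msg_len, data_len, then the strings."""
    return struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data

def check_reply(obf_body, header_length, key):
    """Mimic the IOS sanity check: de-obfuscate with our key and compare the
    length the body claims (6 fixed bytes plus both strings) with the
    cleartext length field of the packet header."""
    body = obfuscate(obf_body, SESSION_ID, key, VERSION, SEQ_NO)
    _status, _flags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    expected = 6 + msg_len + data_len
    return expected == header_length, expected

if __name__ == "__main__":
    reply = build_authen_reply(TAC_PLUS_AUTHEN_STATUS_ERROR)   # 6-byte body, as in the debug
    wire = obfuscate(reply, SESSION_ID, SERVER_KEY, VERSION, SEQ_NO)
    for name, key in (("matching", SERVER_KEY), ("mismatching", SWITCH_KEY)):
        ok, expected = check_reply(wire, len(reply), key)
        verdict = "ok" if ok else "Invalid AUTHEN packet (check keys)"
        print(f"{name} key: length = {len(reply)}, expected {expected} -> {verdict}")
```

With the wrong key the two length fields decode to garbage, so the "expected" value is whatever 6 plus that garbage happens to be, which is exactly the kind of number the switch printed.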

4 Replies


That's all set! Thanks... I have an accounting question. I set accounting for commands in the switch. Where do I view the report in ACS? In Reports and Activity I don't see the report for commands. I click on TACACS+ Accounting but that report doesn't have any of the commands that I have used. If I debug AAA I do see AAA recording the commands.

Here are the commands you need on IOS:

aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 aaa-list start-stop group tacacs+
aaa accounting commands 15 aaa-list start-stop group tacacs+

These logs are stored in the TACACS+ Administration report, so make sure you are checking the correct heading.

If it is still not working, check the ACS code version. In case it is 4.1.1, you need to apply patch 5 to fix it.

To download patch for appliance,

http://www.cisco.com/cgi-bin/tablebuild.pl/acs-soleng-3des

For windows

http://www.cisco.com/cgi-bin/tablebuild.pl/acs-win-3des

Regards,

~JG

Do rate helpful posts

Thanks, that worked!
