Buy or Renew
Buy or Renew
Cisco + Splunk: It’s a new day for your data. Learn more.
 
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1311
Views
0
Helpful
4
Replies

ACE ACS TACACS+ Key Mismatch issue

Paul Pinto
Level 1
Level 1

‎09-14-2009 11:35 PM

Goodday,

I have an issue when trying to setup ACE Modules for TACACS+ and AAA autentication whereby the Failed Authentication reports, state the reason as "Key Mismath".

We have confirmed that the key we are using is the same on the ACE and on the ACS.

The question I have is as follows:

Should the key we enter on the ACE remain as we have typed it, so if we enter mysharedkey as the key should this show as such in the running config or should it show as encrypted? Currently it shows in the running as we have entered it but just adds the 7 before the key and places the key in inverted commas.

So config entered something like this:

tacacs-server host 10.10.10.10 key mysharedkey

aaa group server tacacs+ acs_pri

server 10.10.10.10

aaa authentication login default group acs_pri local none

BTW, we are running version 2.1.4(a).

Thanks for any assitance with this.

Paul

Labels:
0 Helpful
4 Replies 4

huangedmc
Level 3
Level 3

‎09-15-2009 09:05 PM

If you're doing SSH2, can you try the plain old telnet and see if it works?

Also make sure you have "ssh key rsa 1024 force" if doing SSH2.

We had a very similar problem that was caused by a SSH/AAA bug w/ the ACE code. (dont have bugID handy, sorry)

What's strange is it doesn't work w/ SecureCRT, but works w/ Putty for SSH2, and works w/ all programs for telnet.

Lastly, show run shouldn't reveal the actual TACACS key, but something encrypted.

0 Helpful

Paul Pinto
Level 1
Level 1
In response to huangedmc

‎09-15-2009 10:24 PM

Hi Kevin,

Thanks for the reply. I can confirm we have the "ssh key rsa 1024 force". I even tried removing and re-issueing the command.

On the point of the show run revealing the something encrypted instead of the actual TACACS key, this is not what we see, we see the actual key we entred.

This is my concern.

We managed to get his working by checking on the production ACE modules and production ACS, using the "encryped" key we see in that "show run" and locating the key in the production ACS config (which was not under the ACE NDG, but under the ACS server itself's config, which also looks like something encrypted) and using this in the NDG config as the key for our ACE NDG on the test ACS.

The problem arises that every six months or so, securiy requirement, the keys change, and how will we then know what to apply on the ACE if it does not apply the encyption of the key we enter itself.

See my problem...

Thanks again for the assistance and any further guidance would be appreciated.

Paul.

0 Helpful

ciscocsoc
Level 4
Level 4
In response to Paul Pinto

‎09-16-2009 04:29 AM

Hi Paul,

What happens if you explicity force the use of a plaintext key when configuring the ACE. If you use a command of the form:

tacacs-server host x.x.x.x key 0 mysharedkey

it should be taken and then displayed in the running configuration.

e.g. tacacs-server host 1.2.3.4 key 0 wibble

returns:

tacacs-server host 1.2.3.4 key 7 "zefgde"

HTH

Kind Regards

Cathy

0 Helpful

Paul Pinto
Level 1
Level 1
In response to ciscocsoc

‎09-16-2009 04:38 AM

Hi Cathy,

Thanks for the response.

So, if you don't explicitly specify the plaintext option for the key, it "gets confused" and doesn'y encrypt?

Will try, though I beleive we did. (tried so many things) and feedback.

Thanks again.

Paul.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents