topic AAA authenticate to ACS Server in Network Access Control

AAA authenticate to ACS Server

jefbowli — Mon, 11 Mar 2019 02:41:12 GMT

I am trying to get my cisco switches to authenticate to our ACS server through TACAS but I am running into a problem when I try to put in the secret key.

Below is an output

aaa new-model

aaa group server tacacs+ VTY

server 10.1.10.99

server-private 10.1.10.99 key BrAqaq4h

ip tacacs source-interface Vlan99

aaa authentication login VTY group VTY local

aaa authorization exec VTY group tacacs+ if-authenticated

aaa accounting commands 1 default start-stop group VTY

aaa accounting commands 15 default start-stop group VTY

aaa session-id common

Whenever I try to make the server-private key 7 BrAqaq4h I get the error

server-private 10.1.10.99 key 7 BrAqaq4h

%Invalid encrypted key: BrAqaq4h

I don't know if this is the reason I cannot authenticate with AD but on the server ACS that is the key it has under every other device that is working.

aaa new-model

aaa group server tacacs+ VTY

server 10.1.10.99

server-private 10.1.10.99 key 7 0529142E304D5F5D11

ip tacacs source-interface Vlan99

aaa authentication login VTY group VTY local

aaa authorization exec VTY group tacacs+ if-authenticated

aaa accounting commands 1 default start-stop group VTY

aaa accounting commands 15 default start-stop group VTY

aaa session-id common

The last output is a device where I can authenticate correctly. Does anyone have any ideas as to why this doesn't work? The vty settings on both devices are the same.

line vty 0 4

privilege level 15

logging synchronous

transport input all

AAA authenticate to ACS Server

jefbowli — Wed, 17 Oct 2012 17:10:01 GMT

I was able to authenticate with the following commands, I'm just wondering why the above didn't work.

tacacs-server host 10.1.10.99

tacacs-server directed-request

tacacs-server key 7 047919271E205D1A01

AAA authenticate to ACS Server

Karthik Chandran — Thu, 25 Oct 2012 05:37:20 GMT

Hi Jeff,

If you use the command, "server-private key 7 " command, then the string that is entered is considered to be encrypted text. If no number or 0 is entered, the string that is entered is considered to be plain text.

So if you are planning to enter your shared secret in plain text, try using the command "server-private key 0 " or "server-private key ".

If after entering the shared secret in plain text (using the 0 or no number) and if you are facing issue in authentication, then check the failed attempts logs in the tacacs+ server which should give you the hint of the issue.