ACS 4.2 TACACS+ Authen failed. Key Mismatch

mg_green2003 — Mon, 11 Mar 2019 00:19:53 GMT

I've configured 10 layer 2 switches(C3750-ADVIPSERVICESK9-M), Version 12.2(40)SE), to use TACACS+. They're all using the same key, and are working fine. I moved onto another 3750 switch located across a point-to-point circuit, a Cisco C3750 Software (C3750-IPBASEK9-M), Version 12.2(35)SE5. I entered the usual configuration, and then entered the key, and tried logging in as a user, and get authentication failed. I checked the server, and see Key mismatch in the Reports and Activity, Failed Attempts. I deleted the key, copied and pasted it from notepad, still doesn't work. Deleted the switch from the Network Device Group in ACS, and then re-added it, pasted a new key, with no special characters. No go.

Here's what the config looks like.

aaa new-model
!
!
aaa authentication login default group tacacs+ enable
aaa authentication login NO_AAA local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated

ip tacacs source-interface FastEthernet0/0

tacacs-server host 10.1.1.1
tacacs-server key 0 itspassword
tacacs-server directed-request

Initially, the password was encrypted, so I changed it to clear text, by typing in the password without the 0, and with the 0. Neither worked. Also removed service password-encryption to see if that would do anything.

I usually SSH to the router, so I changed it to accept telent. That didn't work. Changed it back to SSH, re-initialized the rsa keys, and changed it to use SSH2, that didn't work.

Here's what I get from the logs

Aug 12 11:43:24: TAC+: send AUTHEN/START packet ver=192 id=97563278
Aug 12 11:43:24: TAC+: Using default tacacs server-group "tacacs+" list.
Aug 12 11:43:24: TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
Aug 12 11:43:24: TAC+: Opened TCP/IP handle 0x3663CA0 to 10.219.1.1/49 using source 10.2.2.254
Aug 12 11:43:24: TAC+: 10.1.1.1 (97563278) AUTHEN/START/LOGIN/ASCII queued
Aug 12 11:43:25: TAC+: (97563278) AUTHEN/START/LOGIN/ASCII processed
Aug 12 11:43:25: TAC+: received bad AUTHEN packet: length = 6, expected 80467
Aug 12 11:43:25: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
Aug 12 11:43:25: TAC+: Closing TCP/IP 0x3663CA0 connection to 10.1.1.1/49
Aug 12 11:43:25: TAC+: Using default tacacs server-group "tacacs+" list.
Aug 12 11:43:37: TAC+: send AUTHEN/START packet ver=192 id=1015854339
Aug 12 11:43:37: TAC+: Using default tacacs server-group "tacacs+" list.
Aug 12 11:43:37: TAC+: Opening TCP/IP to 10.1.1.1/49 timeout=5
Aug 12 11:43:37: TAC+: Opened TCP/IP handle 0x366AF24 to 10.1.1.1/49 using source 10.2.2.254
Aug 12 11:43:37: TAC+: 10.1.1.1 (1015854339) AUTHEN/START/LOGIN/ASCII queued
Aug 12 11:43:38: TAC+: (1015854339) AUTHEN/START/LOGIN/ASCII processed
Aug 12 11:43:38: TAC+: received bad AUTHEN packet: length = 6, expected 79092
Aug 12 11:43:38: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
Aug 12 11:43:38: TAC+: Closing TCP/IP 0x366AF24 connection to 10.1.1.1/49
Aug 12 11:43:38: TAC+: Using default tacacs server-group "tacacs+" list.

I looked around on the forum for about 4 hours, trying all the other options that were given to others that had similar issue. The last key I put in was 123456. You can't fat finger that one. The switch log is saying check the key, the firewall is configured to allow all traffic from the AAA client.

Re: ACS 4.2 TACACS+ Authen failed. Key Mismatch

j.kokorina — Tue, 17 Aug 2010 13:52:51 GMT

Hi mg green2003,

The group key (of the NDG where your switch belongs to) override the device key. Did you check that one?

greetz,

Julia

Re: ACS 4.2 TACACS+ Authen failed. Key Mismatch

Ahmad Samir — Wed, 18 Aug 2010 08:12:36 GMT

Dear mg green2003

Try to add the key to the switch and the ACS again with making sure you don't have a space at the end of the key.

Thanks,

Re: ACS 4.2 TACACS+ Authen failed. Key Mismatch

mg_green2003 — Wed, 18 Aug 2010 15:10:48 GMT

Yeah, I've done that in the past, with the extra spaces. I made sure to carefully type in the

password. The last key I used was 123456. No extra spaces at all.

Re: ACS 4.2 TACACS+ Authen failed. Key Mismatch

mg_green2003 — Wed, 18 Aug 2010 15:25:53 GMT

Julia,

Thanks for you attention to detail. I breezed through all the layer 2 devices so fast, that I had forgot that there were 2 keys, one for the NDG, and one for the device. I changed both, and I was able to login. Thanks so much. I feel my migrane going away!

Re: ACS 4.2 TACACS+ Authen failed. Key Mismatch

j.kokorina — Thu, 19 Aug 2010 09:14:15 GMT

I'm glad it did help.

topic Re: ACS 4.2 TACACS+ Authen failed. Key Mismatch in Network Access Control

ACS 4.2 TACACS+ Authen failed. Key Mismatch

Re: ACS 4.2 TACACS+ Authen failed. Key Mismatch

Re: ACS 4.2 TACACS+ Authen failed. Key Mismatch

Re: ACS 4.2 TACACS+ Authen failed. Key Mismatch

Re: ACS 4.2 TACACS+ Authen failed. Key Mismatch

Re: ACS 4.2 TACACS+ Authen failed. Key Mismatch