09-14-2009 11:35 PM
Good day,
I have an issue when trying to set up ACE Modules for TACACS+ and AAA authentication, whereby the Failed Authentication reports state the reason as "Key Mismatch".
We have confirmed that the key we are using is the same on the ACE and on the ACS.
The question I have is as follows:
Should the key we enter on the ACE remain as we have typed it, so if we enter mysharedkey as the key should this show as such in the running config or should it show as encrypted? Currently it shows in the running as we have entered it but just adds the 7 before the key and places the key in inverted commas.
So config entered something like this:
tacacs-server host 10.10.10.10 key mysharedkey
aaa group server tacacs+ acs_pri
server 10.10.10.10
aaa authentication login default group acs_pri local none
BTW, we are running version 2.1.4(a).
Thanks for any assistance with this.
Paul
09-15-2009 09:05 PM
If you're doing SSH2, can you try the plain old telnet and see if it works?
Also make sure you have "ssh key rsa 1024 force" if doing SSH2.
We had a very similar problem that was caused by an SSH/AAA bug w/ the ACE code. (don't have the bug ID handy, sorry)
What's strange is it doesn't work w/ SecureCRT, but works w/ Putty for SSH2, and works w/ all programs for telnet.
Lastly, show run shouldn't reveal the actual TACACS key, but something encrypted.
09-15-2009 10:24 PM
Hi Kevin,
Thanks for the reply. I can confirm we have the "ssh key rsa 1024 force". I even tried removing and re-issuing the command.
On the point of the show run revealing something encrypted instead of the actual TACACS key, this is not what we see; we see the actual key we entered.
This is my concern.
We managed to get this working by checking on the production ACE modules and production ACS, using the "encrypted" key we see in that "show run" and locating the key in the production ACS config (which was not under the ACE NDG, but under the ACS server's own config, which also looks like something encrypted) and using this in the NDG config as the key for our ACE NDG on the test ACS.
The problem arises that every six months or so, as a security requirement, the keys change, and how will we then know what to apply on the ACE if it does not apply the encryption of the key we enter itself?
See my problem...
Thanks again for the assistance and any further guidance would be appreciated.
Paul.
09-16-2009 04:29 AM
Hi Paul,
What happens if you explicitly force the use of a plaintext key when configuring the ACE? If you use a command of the form:
tacacs-server host x.x.x.x key 0 mysharedkey
it should be taken and then displayed in the running configuration.
e.g. tacacs-server host 1.2.3.4 key 0 wibble
returns:
tacacs-server host 1.2.3.4 key 7 "zefgde"
HTH
Kind Regards
Cathy
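The behaviour Cathy describes (a key entered as `key 0 <plaintext>` is redisplayed as `key 7 "<obfuscated>"`, while a key entered with no type indicator stays as typed) is exactly what an operator should check for after each key rotation. The following is an added example, not code from the original thread or from Cisco: a small audit over a constructed "show run" excerpt (modelled on the lines posted above) that flags every `tacacs-server host ... key` entry still stored in the clear. Note that Cisco type 7 is a reversible obfuscation, not encryption, so a config containing `key 7` lines must still be handled as sensitive material; the audit only tells you which entries are worse than that.

```python
import re
from typing import List, NamedTuple

# Constructed sample "show run" excerpt, modelled on the thread (not a real device config).
SAMPLE_RUNNING_CONFIG = """\
hostname ace-test
tacacs-server host 10.10.10.10 key mysharedkey
tacacs-server host 1.2.3.4 key 7 "zefgde"
tacacs-server host 10.10.10.11 key 0 anotherkey
aaa group server tacacs+ acs_pri
  server 10.10.10.10
aaa authentication login default group acs_pri local none
"""

# Matches: tacacs-server host <host> key [0|7] <value>
# The type indicator is optional; ACE treats a missing indicator as cleartext (type 0).
KEY_LINE = re.compile(
    r'^\s*tacacs-server\s+host\s+(?P<host>\S+)\s+key\s+'
    r'(?:(?P<type>[07])\s+)?"?(?P<value>[^"\s]+)"?\s*$'
)


class KeyFinding(NamedTuple):
    host: str
    key_type: str          # "0" = cleartext as typed, "7" = Cisco type-7 obfuscation
    stored_plaintext: bool  # True when the shared secret is readable verbatim in the config
    key_length: int        # length of the stored value (the secret itself is not returned)


def audit_tacacs_keys(config_text: str) -> List[KeyFinding]:
    """Return one finding per tacacs-server key line, without copying the secret out."""
    findings = []
    for line in config_text.splitlines():
        m = KEY_LINE.match(line)
        if not m:
            continue
        key_type = m.group("type") or "0"   # no indicator -> device keeps it in the clear
        findings.append(KeyFinding(
            host=m.group("host"),
            key_type=key_type,
            stored_plaintext=(key_type == "0"),
            key_length=len(m.group("value")),
        ))
    return findings


def plaintext_hosts(config_text: str) -> List[str]:
    """Hosts whose TACACS+ key is stored verbatim; these are the lines to re-enter with 'key 0'."""
    return [f.host for f in audit_tacacs_keys(config_text) if f.stored_plaintext]


if __name__ == "__main__":
    for finding in audit_tacacs_keys(SAMPLE_RUNNING_CONFIG):
        state = "PLAINTEXT" if finding.stored_plaintext else "type-7 (reversible)"
        print(f"{finding.host}: {state}, {finding.key_length} chars stored")
```

Run it against the output of `show run` after every rotation: any host listed by `plaintext_hosts` is one where the key was entered without the `0` indicator and is sitting in the clear, which is the situation Paul reports. The audit deliberately returns only the length of the stored value, not the value itself, so the report can be shared without leaking the secret.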
09-16-2009 04:38 AM
Hi Cathy,
Thanks for the response.
So, if you don't explicitly specify the plaintext option for the key, it "gets confused" and doesn't encrypt?
Will try, though I believe we did (tried so many things), and feed back.
Thanks again.
Paul.