Loss of TACACS key after harddisk failure

PETER GEHRMANN
Level 1

Our WAE/WAVEs in the field are configured for TACACS authentication. During harddisk failures we could not access the devices. The ACS logs an invalid TACACS secret. In running-config the "tacacs key ****" statement is missing. The statement could still be found in the startup-config.

Is the "tacacs key" statement dependent on the harddisk?

2 Replies

pevaneyn
Cisco Employee

Hello Peter,

As you know most WAE devices contain both a flash disk and real local disks. Some WAE models can boot without local disks, but some functionality will be missing, like obviously the AO and TFO systems, but also for example ssh and remote authentication.

Diskless mode is mainly intended to get access to the device to confirm that the disks are dead. After replacing the disks you should use a recovery CD to reinstall the software on the device, or use 'copy ftp install' which might work (I have not tried this yet).

I hope that this helps.

Best regards, Peter

Hello,

The internal WAAS TACACS setup causes a vicious circle. Authentication is required to access a device for troubleshooting, but authentication fails with a strict TACACS policy. In the meantime we found out that we can access the WAVE/WAE when authentication failover is disabled. With this change the WAE switches to the backup authentication method even when the password is wrong. This workaround allows access during disk failure situations. The workaround is in conflict with our security policy and we are now checking via TAC if the WAE behavior is a feature or a bug.

Kind regards Peter
