cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2583
Views
0
Helpful
2
Replies

AAA authenticate to ACS Server

jefbowli
Level 1
Level 1

I am trying to get my cisco switches to authenticate to our ACS server through TACAS but I am running into a problem when I try to put in the secret key.

Below is an output

aaa new-model

aaa group server tacacs+ VTY

server 10.1.10.99

server-private 10.1.10.99 key BrAqaq4h

ip tacacs source-interface Vlan99

aaa authentication login VTY group VTY local

aaa authorization exec VTY group tacacs+ if-authenticated

aaa accounting commands 1 default start-stop group VTY

aaa accounting commands 15 default start-stop group VTY

aaa session-id common

Whenever I try to make the server-private key 7 BrAqaq4h I get the error

server-private 10.1.10.99 key 7 BrAqaq4h

%Invalid encrypted key: BrAqaq4h

I don't know if this is the reason I cannot authenticate with AD but on the server ACS that is the key it has under every other device that is working.

aaa new-model

aaa group server tacacs+ VTY

server 10.1.10.99

server-private 10.1.10.99 key 7 0529142E304D5F5D11

ip tacacs source-interface Vlan99

aaa authentication login VTY group VTY local

aaa authorization exec VTY group tacacs+ if-authenticated

aaa accounting commands 1 default start-stop group VTY

aaa accounting commands 15 default start-stop group VTY

aaa session-id common

The last output is a device where I can authenticate correctly.  Does anyone have any ideas as to why this doesn't work?  The vty settings on both devices are the same.

line vty 0 4

privilege level 15

logging synchronous

login authentication VTY

transport input all

2 Replies 2

jefbowli
Level 1
Level 1

I was able to authenticate with the following commands, I'm just wondering why the above didn't work.

tacacs-server host 10.1.10.99

tacacs-server directed-request

tacacs-server key 7 047919271E205D1A01

Hi Jeff,

If you use the command, "server-private key 7 " command, then the string that is entered is considered to be encrypted text. If no number or 0 is entered, the string that is entered is considered to be plain text.

So if you are planning to enter your shared secret in plain text, try using the command "server-private key 0 " or "server-private key ".

If after entering the shared secret in plain text (using the 0 or no number) and if you are facing issue in authentication, then check the failed attempts logs in the tacacs+ server which should give you the hint of the issue.