cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2443
Views
0
Helpful
2
Replies

AAA authenticate to ACS Server

jefbowli
Level 1
Level 1

I am trying to get my cisco switches to authenticate to our ACS server through TACAS but I am running into a problem when I try to put in the secret key.

Below is an output

aaa new-model

aaa group server tacacs+ VTY

server 10.1.10.99

server-private 10.1.10.99 key BrAqaq4h

ip tacacs source-interface Vlan99

aaa authentication login VTY group VTY local

aaa authorization exec VTY group tacacs+ if-authenticated

aaa accounting commands 1 default start-stop group VTY

aaa accounting commands 15 default start-stop group VTY

aaa session-id common

Whenever I try to make the server-private key 7 BrAqaq4h I get the error

server-private 10.1.10.99 key 7 BrAqaq4h

%Invalid encrypted key: BrAqaq4h

I don't know if this is the reason I cannot authenticate with AD but on the server ACS that is the key it has under every other device that is working.

aaa new-model

aaa group server tacacs+ VTY

server 10.1.10.99

server-private 10.1.10.99 key 7 0529142E304D5F5D11

ip tacacs source-interface Vlan99

aaa authentication login VTY group VTY local

aaa authorization exec VTY group tacacs+ if-authenticated

aaa accounting commands 1 default start-stop group VTY

aaa accounting commands 15 default start-stop group VTY

aaa session-id common

The last output is a device where I can authenticate correctly.  Does anyone have any ideas as to why this doesn't work?  The vty settings on both devices are the same.

line vty 0 4

privilege level 15

logging synchronous

login authentication VTY

transport input all

2 Replies 2

jefbowli
Level 1
Level 1

I was able to authenticate with the following commands, I'm just wondering why the above didn't work.

tacacs-server host 10.1.10.99

tacacs-server directed-request

tacacs-server key 7 047919271E205D1A01

Hi Jeff,

If you use the command, "server-private key 7 " command, then the string that is entered is considered to be encrypted text. If no number or 0 is entered, the string that is entered is considered to be plain text.

So if you are planning to enter your shared secret in plain text, try using the command "server-private key 0 " or "server-private key ".

If after entering the shared secret in plain text (using the 0 or no number) and if you are facing issue in authentication, then check the failed attempts logs in the tacacs+ server which should give you the hint of the issue.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: