10-17-2012 09:36 AM - edited 03-10-2019 07:41 PM
I am trying to get my Cisco switches to authenticate to our ACS server through TACACS+, but I am running into a problem when I try to put in the secret key.
Below is the output:
aaa new-model
aaa group server tacacs+ VTY
server 10.1.10.99
server-private 10.1.10.99 key BrAqaq4h
ip tacacs source-interface Vlan99
aaa authentication login VTY group VTY local
aaa authorization exec VTY group tacacs+ if-authenticated
aaa accounting commands 1 default start-stop group VTY
aaa accounting commands 15 default start-stop group VTY
aaa session-id common
Whenever I try to make the server-private key 7 BrAqaq4h, I get the error:
server-private 10.1.10.99 key 7 BrAqaq4h
%Invalid encrypted key: BrAqaq4h
I don't know if this is the reason I cannot authenticate with AD, but on the ACS server that is the key it has under every other device that is working.
aaa new-model
aaa group server tacacs+ VTY
server 10.1.10.99
server-private 10.1.10.99 key 7 0529142E304D5F5D11
ip tacacs source-interface Vlan99
aaa authentication login VTY group VTY local
aaa authorization exec VTY group tacacs+ if-authenticated
aaa accounting commands 1 default start-stop group VTY
aaa accounting commands 15 default start-stop group VTY
aaa session-id common
The last output is a device where I can authenticate correctly. Does anyone have any ideas as to why this doesn't work? The vty settings on both devices are the same.
line vty 0 4
privilege level 15
logging synchronous
login authentication VTY
transport input all
10-17-2012 10:10 AM
I was able to authenticate with the following commands; I'm just wondering why the above didn't work.
tacacs-server host 10.1.10.99
tacacs-server directed-request
tacacs-server key 7 047919271E205D1A01
10-24-2012 10:37 PM
Hi Jeff,
If you use the command, "server-private key 7
So if you are planning to enter your shared secret in plain text, try using the command "server-private key 0
If, after entering the shared secret in plain text (using 0 or no number), you are still facing an issue with authentication, then check the failed-attempts logs on the TACACS+ server, which should give you a hint about the issue.
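The error in the first post comes from the CLI parser, not from ACS: after "key 7" IOS expects a string that is already in type 7 form (two decimal salt digits followed by hex pairs), so the plain-text secret is rejected as "%Invalid encrypted key". The script below is an added example, not code from the thread or from Cisco. It reproduces the type 7 transform (a fixed-table XOR, which is why type 7 is reversible obfuscation rather than encryption), checks a "key 7" argument the way the parser does (the exact validation rules are an approximation and an assumption), and lints a config line like the ones posted above. Because the transform is reversible, a "key 7" string in a shared config is as sensitive as the plain-text secret; on IOS releases that support it, "key config-key password-encrypt" together with "password encryption aes" stores such keys as type 6 (AES) instead.

```python
# Added example (not Cisco's code): Cisco IOS "type 7" key handling, to show why
# "server-private 10.1.10.99 key 7 BrAqaq4h" is rejected while "key 0 BrAqaq4h" works.

# Public constant used by the IOS type 7 transform (XOR against this table,
# starting at the offset given by the two-digit salt prefix).
XLAT = "dsfd;kfoA,.iyewrkldJKDHSUB"

HEX_DIGITS = set("0123456789abcdefABCDEF")


def is_valid_type7(s: str) -> bool:
    """Return True if s has the shape IOS accepts after 'key 7'.

    Assumed format: two decimal digits (salt, 0..15) followed by an even
    number of hex digits, one pair per plain-text byte.
    """
    if len(s) < 4 or len(s) % 2 != 0:
        return False
    salt, body = s[:2], s[2:]
    if not salt.isdigit() or not 0 <= int(salt) <= 15:
        return False
    return all(c in HEX_DIGITS for c in body)


def encode_type7(plaintext: str, salt: int) -> str:
    """Produce the type 7 string IOS would store for plaintext with this salt."""
    if not 0 <= salt <= 15:
        raise ValueError("salt must be 0..15")
    out = [f"{salt:02d}"]
    for i, byte in enumerate(plaintext.encode("ascii")):
        out.append(f"{byte ^ ord(XLAT[(salt + i) % len(XLAT)]):02X}")
    return "".join(out)


def decode_type7(encoded: str) -> str:
    """Inverse of encode_type7; shows that type 7 is reversible, not a hash."""
    if not is_valid_type7(encoded):
        raise ValueError(f"%Invalid encrypted key: {encoded}")
    salt = int(encoded[:2])
    raw = bytes.fromhex(encoded[2:])
    return "".join(chr(b ^ ord(XLAT[(salt + i) % len(XLAT)])) for i, b in enumerate(raw))


def lint_key_line(line: str) -> str:
    """Classify the 'key [0|7] <value>' clause of a config line as the CLI would.

    Returns 'ok' or an IOS-style error message.
    """
    tokens = line.split()
    if "key" not in tokens:
        return "no key clause"
    rest = tokens[tokens.index("key") + 1:]
    if len(rest) == 2 and rest[0] == "7":
        # Type 7 argument must already be in salt+hex form.
        return "ok" if is_valid_type7(rest[1]) else f"%Invalid encrypted key: {rest[1]}"
    if (len(rest) == 2 and rest[0] == "0") or len(rest) == 1:
        # Plain-text secret ("key 0 ..." or just "key ..."); accepted as typed.
        return "ok"
    return "unrecognised key clause"


if __name__ == "__main__":
    # Lines constructed from the thread's two configs.
    for cfg in ("server-private 10.1.10.99 key 7 BrAqaq4h",
                "server-private 10.1.10.99 key 7 0529142E304D5F5D11",
                "server-private 10.1.10.99 key 0 BrAqaq4h"):
        print(f"{cfg!r}: {lint_key_line(cfg)}")
    print("type 7 of the secret with salt 5:", encode_type7("BrAqaq4h", 5))
```

Running it shows the first line failing exactly as in the original post, the other two passing, and that the working device's stored "key 7 0529142E304D5F5D11" is just the same plain-text secret in type 7 form (the "tacacs-server key 7 047919271E205D1A01" line from the second post is the same secret under salt 4).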