03-12-2006 05:16 PM - edited 03-10-2019 02:30 PM
Hi,
Trying to get an msfc2 set up so that authentication occurs on our ACS box.
I've accomplished this on our 3745s. (Had a lot of help getting to that point on the 3745s...)
IOS on 3745s is 12.3(16).
IOS on msfc2 is 12.1(8b)E19.
The problem seems to be the key. ACS shows Authen-Failure-Code = "key mismatch" after each failed attempt to authenticate from the msfc2.
The key command that works on the 3745 is :
tacacs-server key 7 <hidden string>
On the 3745, you can ?, and see this:
# tacacs-server key ?
0 Specifies an UNENCRYPTED key will follow
7 Specifies HIDDEN key will follow
LINE The UNENCRYPTED (cleartext) shared key
But on the msfc2, tacacs-server key 7 <hidden string> gets you the ACS error noted above.
On the msfc2, if you ?, you see this:
#tacacs-server key ?
LINE Encryption key string
So, on the msfc2 I've tried the following 3 forms of the key command:
tacacs-server key 7 <hidden string>
tacacs-server key <hidden string>
tacacs-server key <clear text string>
All are accepted by IOS. All show up in sh run. All result in the ACS error noted above.
Anyone see where I'm going wrong?
03-13-2006 06:53 AM
msfc software is a compromise at best; not all features work as they would on a router. I'm running 12.1 (22)e2 and use clear text string authentication to two ACS boxes.
Here's what I've got running that works just fine:
aaa new-model
aaa group server tacacs+ T1
server 10.X.X.X
!
aaa group server tacacs+ T2
server 10.X.X.X
!
aaa authentication login default local group T1 group T2
aaa authentication enable default enable group T1 group T2
aaa authorization exec default local group T1 group T2
aaa authorization commands 15 default local group T1 group T2
aaa accounting exec default start-stop group T1 group T2
aaa accounting commands 15 default start-stop group T1 group T2
aaa accounting connection default start-stop group T1 group T2
aaa accounting system default start-stop group T1 group T2
enable secret 5 sanitized
***************
ip tacacs source-interface Loopback0
***************
tacacs-server host 10.X.X.X single-connection key ClearText
tacacs-server host 10.X.X.X single-connection key ClearText
tacacs-server timeout 15
no tacacs-server directed-request
03-13-2006 07:31 AM
I believe that what is going on has less to do with differences between the 3745 and the msfc and more to do with version differences and changes in features. The original post indicates these versions are being used:
IOS on 3745s is 12.3(16).
IOS on msfc2 is 12.1(8b)E19.
The key feature in this discussion is the service password-encryption. In earlier versions of code (including 12.1) the use of this feature was for things like the login password on the vty lines, etc. In newer code (like 12.3) the use of the feature expanded and covers things like the tacacs server key. So the 3745 running 12.3 can define the key as crypto text or as clear text. The msfc running 12.1 can only define it as clear text.
I would suggest to the original post that you clear all tacacs keys from the config. Then configure using the tacacs-server key
This should work.
HTH
Rick
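As an added example (not part of any reply in this thread, and not a Cisco tool), here is a small Python checker that applies Rick's explanation to a saved running-config before it is pushed: it flags a `tacacs-server key 7` (hidden) form on code that only takes a clear-text key, and flags several `tacacs-server key` statements left in the config at once, which is the state the original poster ended up in. The 12.3 cut-off is an assumption taken from Rick's reply, the sample configs are constructed for the example, and the key strings in them are placeholders.

```python
"""Lint an IOS running-config for the TACACS+ shared-key problems discussed
in this thread.  Added example; the 12.3 threshold for the 'key 7' form is
an assumption taken from the thread, not from Cisco documentation."""
import re
from typing import List, NamedTuple, Optional, Tuple

# Assumption (per Rick's reply): 12.3 accepts 'tacacs-server key 7 <hidden>',
# 12.1 only accepts a clear-text key.
MIN_VERSION_FOR_TYPE7 = (12, 3)


class Finding(NamedTuple):
    code: str   # MULTIPLE_GLOBAL_KEYS, TYPE7_UNSUPPORTED, NO_KEY_CONFIGURED
    line: str   # the offending config line


VERSION_RE = re.compile(r"^version\s+(\d+)\.(\d+)", re.M)
# 'tacacs-server key [0|7] <string>'; the encoding digit is optional.
GLOBAL_KEY_RE = re.compile(r"^tacacs-server key\s+(?:([07])\s+)?(\S+)\s*$", re.M)
HOST_RE = re.compile(r"^tacacs-server host\s+(\S+)(.*)$", re.M)
HOST_KEY_RE = re.compile(r"\bkey\s+(?:([07])\s+)?(\S+)")


def ios_version(config: str) -> Optional[Tuple[int, int]]:
    """Return (major, minor) from the 'version X.Y' line, or None."""
    m = VERSION_RE.search(config)
    return (int(m.group(1)), int(m.group(2))) if m else None


def lint_tacacs_keys(config: str) -> List[Finding]:
    findings: List[Finding] = []
    version = ios_version(config)
    type7_supported = version is not None and version >= MIN_VERSION_FOR_TYPE7

    global_keys = list(GLOBAL_KEY_RE.finditer(config))
    if len(global_keys) > 1:
        # Rick's advice: clear every tacacs key, then configure exactly one.
        for m in global_keys:
            findings.append(Finding("MULTIPLE_GLOBAL_KEYS", m.group(0)))
    for m in global_keys:
        if m.group(1) == "7" and not type7_supported:
            findings.append(Finding("TYPE7_UNSUPPORTED", m.group(0)))

    for m in HOST_RE.finditer(config):
        km = HOST_KEY_RE.search(m.group(2))
        if km is None:
            if not global_keys:
                # No per-host key and no global key: the server will reject.
                findings.append(Finding("NO_KEY_CONFIGURED", m.group(0)))
        elif km.group(1) == "7" and not type7_supported:
            findings.append(Finding("TYPE7_UNSUPPORTED", m.group(0)))
    return findings


# Constructed sample: the MSFC2 with all three key forms the poster tried.
SAMPLE_MSFC_CONFIG = """\
version 12.1
aaa new-model
tacacs-server host 10.0.0.1
tacacs-server key 7 0123456789ABCD
tacacs-server key 0123456789ABCD
tacacs-server key MyClearTextKeyPlaceholder
"""

# Constructed sample modelled on the working 12.1 config posted in the thread.
SAMPLE_WORKING_CONFIG = """\
version 12.1
aaa new-model
ip tacacs source-interface Loopback0
tacacs-server host 10.0.0.1 single-connection key ClearTextPlaceholder
tacacs-server host 10.0.0.2 single-connection key ClearTextPlaceholder
tacacs-server timeout 15
no tacacs-server directed-request
"""

# Constructed sample: the 3745 form, where 'key 7' is accepted.
SAMPLE_3745_CONFIG = """\
version 12.3
aaa new-model
tacacs-server host 10.0.0.1
tacacs-server key 7 0123456789ABCD
"""

if __name__ == "__main__":
    for name, cfg in [("msfc2", SAMPLE_MSFC_CONFIG),
                      ("working", SAMPLE_WORKING_CONFIG),
                      ("3745", SAMPLE_3745_CONFIG)]:
        print(name, ios_version(cfg))
        for f in lint_tacacs_keys(cfg):
            print("  ", f.code, "->", f.line)
```

Run against the MSFC2 sample it reports the `key 7` line as unsupported on 12.1 and all three global key lines as conflicting; the working config and the 12.3 config come back clean.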