Authentication fails with secondary ACS

yliaskovski
Level 1

I use 2 ACS servers: a primary and a secondary. The database is replicated from the primary to the secondary. The Cisco routers are configured to use a group of servers. The secret keys are the same for both the primary and the secondary.

Sometimes the Cisco routers cannot authenticate against the secondary server when the primary is turned off. ACS logs that the "keys are mismatched".

How may it be solved?

3 Replies

umedryk
Level 5

Maybe you can try rebuilding the system, re-adding it to your domain and reconfiguring it, and it might work.

p.dimitrije
Level 1

I've worked for 3 years with Cisco ACSs, and if it says that the keys are mismatched, then they definitely are not the same.

I'm sorry if this looks like something you've already done, but if you set all this up, then it must work.

1. Ping the second ACS from the router, but with the IP address of the source interface for TACACS authentication (ip tacacs source-interface ....)

2. Make sure the key on the router is what it should be:

tacacs-server key xxxx

or

tacacs-server host x.x.x.x key xxxx

3. In Network Configuration\Network Device Group choose the router you want to check. In the Key section of the next screen there should be the same key (xxxx).

4. Submit+Restart

If there aren't any access-lists this will work.

p.s. I noticed a certain bug regarding the ip tacacs source-interface command, so make sure the request is really coming from the interface you intended.

Thank you.

There was a hidden space symbol after the keys in the Cisco router configuration.
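The checklist in step 2 above and the resolution of the thread (a trailing blank after the key that the CLI does not show) both come down to the same check: does the key string in the router configuration match, byte for byte, the key configured for that router on ACS? The following script is an added example for this thread, not something posted by any participant. It parses the two `tacacs-server ... key` statement forms quoted above from a saved `show running-config`, reports any whitespace or non-printable characters inside a key, and compares each key against the value expected on the ACS side. The sample configuration, the addresses 192.0.2.10/192.0.2.11 and the key `S3cretKey` are constructed; the script assumes plaintext keys (no `key 7 ...` encrypted form).

```python
"""Audit TACACS+ keys in an IOS configuration for mismatches and hidden characters.

Added example for the thread above, not from any poster. Assumes plaintext keys
(no 'key 7 ...' encryption) and the two statement forms quoted in the thread.
"""
import re
from typing import List, NamedTuple, Optional


class TacacsKey(NamedTuple):
    host: Optional[str]  # None for the global 'tacacs-server key' statement
    key: str             # key exactly as written, whitespace preserved
    line_no: int


# Matches both statement forms quoted in the thread:
#   tacacs-server key xxxx
#   tacacs-server host x.x.x.x [port N] [timeout N] key xxxx
# The key group runs to the end of the line so trailing blanks are kept.
KEY_LINE = re.compile(
    r"^\s*tacacs-server\s+"
    r"(?:host\s+(?P<host>\S+)\s+(?:(?:port|timeout)\s+\d+\s+)*)?"
    r"key\s+(?P<key>.*)$"
)


def parse_router_keys(config: str) -> List[TacacsKey]:
    """Collect every TACACS+ key statement from a running-config dump."""
    found = []
    for line_no, line in enumerate(config.splitlines(), start=1):
        m = KEY_LINE.match(line)
        if m:
            found.append(TacacsKey(m.group("host"), m.group("key"), line_no))
    return found


def hidden_chars(key: str) -> List[str]:
    """Report whitespace and non-printable characters; the CLI shows them as nothing."""
    return [
        f"U+{ord(ch):04X} at offset {i}"
        for i, ch in enumerate(key)
        if ch.isspace() or not ch.isprintable()
    ]


def audit(config: str, acs_key: str) -> List[str]:
    """Compare each router key statement with the key configured for the router on ACS.

    acs_key is the value entered in the Key field of the router's entry under
    Network Configuration on the ACS; both ACS servers are expected to hold the
    same value, as in the thread.
    """
    findings = []
    for entry in parse_router_keys(config):
        target = entry.host or "all servers (global key)"
        for desc in hidden_chars(entry.key):
            findings.append(f"line {entry.line_no}: key for {target} contains hidden {desc}")
        if entry.key != acs_key:
            if entry.key.strip() == acs_key:
                findings.append(
                    f"line {entry.line_no}: key for {target} matches ACS only after stripping blanks"
                )
            else:
                findings.append(f"line {entry.line_no}: key for {target} does not match the ACS key")
    return findings


# Constructed sample config: the line for the secondary server carries a trailing
# blank after the key (written as \x20 so editors cannot silently strip it),
# the fault the thread ends up identifying. Addresses and key are made up.
SAMPLE_CONFIG = (
    "aaa new-model\n"
    "aaa group server tacacs+ ACS-GROUP\n"
    " server 192.0.2.10\n"
    " server 192.0.2.11\n"
    "tacacs-server host 192.0.2.10 key S3cretKey\n"
    "tacacs-server host 192.0.2.11 key S3cretKey\x20\n"
    "ip tacacs source-interface Loopback0\n"
)
ACS_KEY = "S3cretKey"  # constructed: the key entered on both ACS servers

if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG, ACS_KEY):
        print(finding)
```

Run against the sample, the audit is silent for the primary server's line and flags the secondary server's line twice: once for the U+0020 at the end of the key and once because the key only matches the ACS value after the blank is stripped, which is exactly the pattern of "works on primary, key mismatch on secondary" described in the question.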