03-24-2004 07:52 AM - edited 03-10-2019 07:43 AM
I use 2 ACS: primary and secondary. Database is replicated from primary to secondary. Cisco routers are configured to use group of servers. Secret keys are the same for both primary and secondary.
Sometimes Cisco routers cannot authenticate on the secondary server when the primary is turned off. ACS logs that "keys are mismatched".
How may it be solved?
03-30-2004 05:32 PM
Maybe you can try rebuilding the system, re-adding it to your domain, reconfiguring it, and it might work.
03-30-2004 11:47 PM
I've worked for 3 years with Cisco ACSs, and if it says that the keys are mismatched, then they definitely are not the same.
I'm sorry if this looks like something you've already done; if you set up all this, then it must work.
1. Ping the second ACS from the router, but with the IP address of the source interface for TACACS authentication (ip tacacs source-interface ....)
2. Make sure the key on the router is what it should be:
tacacs-server key xxxx
or
tacacs-server host x.x.x.x key xxxx
3. In Network Configuration\Network Device Group choose the router you want to check. In the Key section of the next screen there should be the same key (xxxx).
4. Submit+Restart
If there aren't any access-lists this will work.
p.s. I noticed a certain bug regarding the ip tacacs source-interface command, so make sure the request is really coming from the interface you intended.
04-06-2004 04:55 AM
Thank you.
There was a hidden space symbol after the keys in the Cisco router configuration.
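A small check for the trailing-space problem found in this thread, added here as an example and not posted by anyone in the thread. It assumes a plain-text IOS configuration with unencrypted (type 0) tacacs-server keys, and uses a constructed sample config:

```python
import re

# Constructed sample IOS config fragment (not from the thread). Note the
# trailing space after the key for 10.0.0.2: IOS stores it as part of the key.
SAMPLE_CONFIG = (
    "!\n"
    "ip tacacs source-interface Loopback0\n"
    "tacacs-server host 10.0.0.1 key s3cret\n"
    "tacacs-server host 10.0.0.2 key s3cret \n"
    "tacacs-server key s3cret\n"
)

# Matches both the global form and the per-host form shown in the thread;
# an optional "0 " encryption-type marker before the key is tolerated.
KEY_LINE = re.compile(
    r"^tacacs-server (?:host (?P<host>\S+) )?key (?:0 )?(?P<key>.*)$"
)


def extract_tacacs_keys(config):
    """Return {host or 'global': key}, keeping every trailing character.

    Lines are split on '\n' only and never stripped, so whitespace that IOS
    keeps as part of the key survives for the comparison.
    """
    keys = {}
    for line in config.split("\n"):
        m = KEY_LINE.match(line)
        if m:
            keys[m.group("host") or "global"] = m.group("key")
    return keys


def check_keys(config, acs_key):
    """Compare each configured key against the key entered on the ACS.

    Returns a list of (target, problem) tuples; an empty list means every
    key matches byte-for-byte.
    """
    problems = []
    for target, key in extract_tacacs_keys(config).items():
        if key == acs_key:
            continue
        if key.strip() == acs_key:
            shown = key.replace(" ", "<space>").replace("\t", "<tab>")
            problems.append((target, "hidden whitespace in key: '%s'" % shown))
        else:
            problems.append((target, "key differs from ACS key"))
    return problems


if __name__ == "__main__":
    for target, problem in check_keys(SAMPLE_CONFIG, "s3cret"):
        print("%s: %s" % (target, problem))
```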