10-09-2009 11:38 AM - edited 03-10-2019 04:43 PM
Hello, I just installed the CiscoSecure ACS v4.2 appliance. I configured a test switch for TACACS access and noticed I am getting an AUTHENTICATION FAILURE. I turned on debugging and it seemingly is a key issue. I checked the key and the issue persists. I think this may have something to do with an internal database issue. What could possibly be wrong with the key? The key on the switch is the same as on the ACS server. Has anyone seen this issue?
capture from debug:
Oct 9 15:17:40.629 EDT: AAA: parse name=tty2 idb type=-1 tty=-1
Oct 9 15:17:40.629 EDT: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
Oct 9 15:17:40.629 EDT: AAA/MEMORY: create_user (0x27BA528) user='NULL' ruser='NULL' ds0=0 port='tty2' rem_addr='10.1.201.230' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
Oct 9 15:17:40.629 EDT: AAA/AUTHEN/START (3776087011): port='tty2' list='' action=LOGIN service=LOGIN
Oct 9 15:17:40.629 EDT: AAA/AUTHEN/START (3776087011): using "default" list
Oct 9 15:17:40.629 EDT: AAA/AUTHEN/START (3776087011): Method=tacacs+ (tacacs+)
Oct 9 15:17:40.629 EDT: TAC+: send AUTHEN/START packet ver=192 id=3776087011
Oct 9 15:17:40.629 EDT: TAC+: Using default tacacs server-group "tacacs+" list.
Oct 9 15:17:40.629 EDT: TAC+: Opening TCP/IP to 10.9.100.161/49 timeout=90
Oct 9 15:17:40.637 EDT: TAC+: Opened TCP/IP handle 0x2735E24 to 10.9.100.161/49
Oct 9 15:17:40.637 EDT: TAC+: 10.9.100.161 (3776087011) AUTHEN/START/LOGIN/ASCII queued
Oct 9 15:17:40.839 EDT: TAC+: (3776087011) AUTHEN/START/LOGIN/ASCII processed
Oct 9 15:17:40.839 EDT: TAC+: received bad AUTHEN packet: length = 6, expected 66610
Oct 9 15:17:40.839 EDT: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
Oct 9 15:17:40.839 EDT: TAC+: Closing TCP/IP 0x2735E24 connection to 10.9.100.161/49
Oct 9 15:17:40.839 EDT: TAC+: Using default tacacs server-group "tacacs+" list.
Oct 9 15:17:40.839 EDT: AAA/AUTHEN (3776087011): status = ERROR
Oct 9 15:17:40.839 EDT: AAA/AUTHEN/START (3776087011): Method=LOCAL
Oct 9 15:17:40.839 EDT: AAA/AUTHEN (3776087011): status = GETUSER
Oct 9 15:17:50.972 EDT: AAA/AUTHEN/CONT (3776087011): continue_login (user='(undef)')
Oct 9 15:17:50.972 EDT: AAA/AUTHEN (3776087011): status = GETUSER
Oct 9 15:17:50.972 EDT: AAA/AUTHEN/CONT (3776087011): Method=LOCAL
Oct 9 15:17:50.972 EDT: AAA/AUTHEN (3776087011): status = GETPASS
Oct 9 15:17:54.336 EDT: AAA/AUTHEN/CONT (3776087011): continue_login (user='jmaxwell')
Oct 9 15:17:54.336 EDT: AAA/AUTHEN (3776087011): status = GETPASS
Oct 9 15:17:54.336 EDT: AAA/AUTHEN/CONT (3776087011): Method=LOCAL
Also, I added the commands below:
aaa authentication login default group tacacs+ local
aaa authentication login MMC group tacacs+
aaa authentication login mmc group tacacs+
aaa authentication ppp default if-needed group tacacs+ local
aaa authorization network default group tacacs+ if-authenticated
---
tacacs-server host 10.9.100.161
tacacs-server timeout 90
no tacacs-server directed-request
tacacs-server key 7 01100F175804
!
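The "received bad AUTHEN packet: length = 6, expected 66610 ... (check keys)" line is the only way the switch can detect a key mismatch: the TACACS+ header is sent in cleartext, the body is XORed with an MD5 pseudo-pad derived from the shared secret (RFC 8907 section 4.5), so the switch decodes the body with its own key and checks that the lengths inside agree with the header. The Python below is an added example, not code from the original post or from Cisco; the session id and ver=192 (0xC0) are taken from the debug above, while the secrets and the "Username: " prompt are constructed.

```python
import hashlib
import struct

# Constructed values: session id and version mirror the debug output above; keys are made up.
SESSION_ID = 3776087011
VERSION = 0xC0                # "ver=192" in the debug: major 12, minor 0
TYPE_AUTHEN = 0x01
STATUS_GETUSER = 0x04         # server asking the client for the username
HEADER_FMT = "!BBBBII"        # version, type, seq_no, flags, session_id, body length (12 B, cleartext)


def pseudo_pad(session_id, key, version, seq_no, length):
    """Body obfuscation pad from RFC 8907 section 4.5: chained MD5 blocks, truncated."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def xor_body(body, session_id, key, version, seq_no):
    """Obfuscate or de-obfuscate a body (XOR with the pad is its own inverse)."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_reply(key, status, server_msg=b"", seq_no=2):
    """What the server sends back to AUTHEN/START: cleartext header, obfuscated body."""
    body = struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg
    header = struct.pack(HEADER_FMT, VERSION, TYPE_AUTHEN, seq_no, 0, SESSION_ID, len(body))
    return header + xor_body(body, SESSION_ID, key, VERSION, seq_no)


def check_authen_reply(packet, key):
    """Client-side check modelled on the IOS 'length = X, expected Y' debug line.
    Returns (ok, header_length, expected_length_from_decoded_body, server_msg)."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack(HEADER_FMT, packet[:12])
    body = xor_body(packet[12:12 + length], session_id, key, version, seq_no)
    _status, _rflags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    expected = 6 + msg_len + data_len   # fixed fields + variable fields the body claims
    return expected == length, length, expected, body[6:6 + msg_len]


if __name__ == "__main__":
    pkt = build_authen_reply(b"correct-secret", STATUS_GETUSER, b"Username: ")
    for k in (b"correct-secret", b"wrong-secret"):
        ok, length, expected, msg = check_authen_reply(pkt, k)
        print(f"{k!r}: length = {length}, expected {expected}, {'ok' if ok else 'check keys'}")
```

With the wrong key the decoded length fields are effectively random, which is why the debug shows a nonsense "expected" value while the header length stays small.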
10-09-2009 11:45 AM
Hi,
If you have already verified the shared secret key on the AAA/switch entry, go to Network Configuration and select the Network Device Group (NDG) under which we have our switch registered.
Once we are in the Network Device Group in which we have our switch registered, take a look at the bottom of the page; you'll see an option which says "Edit Properties". Click on that button.
Then make sure that we don't have anything configured for "Shared Secret". If we have something, remove it to make this field blank, and then press "Submit".
Then try to authenticate.
HTH
JK
Plz rate helpful posts.
10-15-2009 10:31 AM
I did have a "Shared secret" configured which I was not able to delete without an error. So what I did was delete the group and the AAA client, then recreated them, and now it works. Thanks, this worked.