ISE 2.6.0.156 Patch 7, Error: 13078

GlennF (Level 1)

I have been tasked to manually move all devices using TACACS+ authentication on an ACS 5.3.0.40 to ISE 2.6 (Patch 7).  I have moved a majority of our switches and routers to ISE successfully and I am currently attempting to move two Nexus 5548 switches.  When I change the config on the Nexus 5548 to add the new TACACS server host (ISE) and remove the old ACS hosts, an error pops up in the TACACS+ logs on ISE:

13078 Invalid TACACS+ authorization request packet - possibly malformed packet

The following is the old config on the 5548:

tacacs-server host <ip of ACS host 1> key 7 "shared secret"
tacacs-server host <ip of ACS host 2> key 7 "shared secret"
aaa group server tacacs+ ACS-SERVERS
  server <ip of ACS host 1>
  server <ip of ACS host 2>

The following is the new config I inputted:

tacacs-server host <ip of ACS host 3> key 7 "shared secret"
aaa group server tacacs+ ACS-SERVERS
  server <ip of ACS host 3>

And the aaa section remained untouched:

aaa authentication login default group ACS-SERVERS local
aaa authentication login console group ACS-SERVERS local
aaa authorization config-commands default group ACS-SERVERS local
aaa authorization commands default group ACS-SERVERS local
aaa accounting default group ACS-SERVERS

This is something new to me and I feel lucky that I was able to move the other switches and routers with few issues, but I am stumped by these devices. Could there be a bug in the current version of ISE that we have installed, or do I have something misconfigured somewhere else?

2 Accepted Solutions

Just to be clear, when you use the 'key 7' option for configuring the shared secret, the switch is expecting the encrypted text for the shared secret. If you are inputting the clear-text shared secret (e.g. 'cisco123') using the 'key 7' option, this will not work.

If you have not already done so, I would suggest removing the tacacs-server configuration and re-configuring it using the following command syntax.

tacacs-server host <ip of ISE> key 0 <clear-text secret>

If that still does not solve your issue, I would suggest opening a TAC case to gather debugs and information necessary to investigate further.


I was able to resolve this issue with the help of TAC; it was a mismatched secret. The error message in ISE was misleading.

It may be a different issue for you. I pushed the config onto the Nexus via DCNM. DCNM expects the encrypted key to enter the config, which I copied from a Catalyst switch. It looks like the type 7 encryption on the Nexus is different from that on Catalyst switches; when I replaced the key with one encrypted by the Nexus, it worked.

FYI, I have not added the tacacs key global command or the tacacs source interface global command. All commands were specific to either the group or the tacacs-server.

Good luck with your problem.

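The "misleading" error in the accepted solution above has a protocol-level explanation. TACACS+ (RFC 8907) does not authenticate the packet body: the NAD XORs the body with an MD5 keystream derived from the session id and the shared secret, and there is no MAC and no key identifier. When the Nexus and ISE hold different secrets, ISE deobfuscates the authorization REQUEST into garbage, the embedded length fields no longer add up, and the only thing the server can honestly report is a malformed packet. The Python below is an added example, not code from this thread, from Cisco or from ISE: it implements the RFC 8907 obfuscation and a minimal authorization REQUEST builder and parser, then parses the same packet with the matching and a mismatched secret. The username, port, arguments, both secrets and the session id are constructed values, and the sanity checks in parse_author_request are this example's own, not ISE's.

```python
"""Why a TACACS+ shared-secret mismatch shows up as a 'malformed packet'.

Added example (not from the thread, Cisco or ISE): RFC 8907 body obfuscation
plus a minimal authorization REQUEST builder and parser. Keys, session id,
username and arguments below are constructed values.
"""
import hashlib
import struct

VERSION = 0xC0                       # major 0xC, minor 0 (RFC 8907 section 4.1)
TAC_PLUS_AUTHOR = 0x02               # packet type: authorization
TAC_PLUS_FLAG_UNENCRYPTED = 0x01
HEADER = struct.Struct("!BBBBII")    # version, type, seq_no, flags, session_id, length
# Legal authen_method values (RFC 8907 section 6.1), used as a sanity check on parse.
AUTHEN_METHODS = {0x00, 0x01, 0x02, 0x03, 0x04, 0x05, 0x06, 0x08, 0x10, 0x11, 0x20}

NAD_KEY = b"cisco123"      # constructed: secret actually configured on the Nexus
SERVER_KEY = b"Cisco123"   # constructed: secret ISE holds for that network device
SESSION_ID = 0x1A2B3C4D    # constructed


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5 keystream: chained MD5 over session_id|key|version|seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the keystream; the same call reverses it. No MAC, no key id."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_author_request(user, port, rem_addr, args, priv_lvl=15):
    """Authorization REQUEST body: authen_method=TACACSPLUS (0x06),
    authen_type=ASCII (0x01), authen_service=LOGIN (0x01), then lengths and strings."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    args_b = [a.encode() for a in args]
    body = bytes([0x06, priv_lvl, 0x01, 0x01, len(user_b), len(port_b), len(rem_b), len(args_b)])
    body += bytes(len(a) for a in args_b)
    return body + user_b + port_b + rem_b + b"".join(args_b)


def build_packet(body, session_id, key, seq_no=1):
    """What the NAD sends: cleartext header, obfuscated body (flags=0)."""
    header = HEADER.pack(VERSION, TAC_PLUS_AUTHOR, seq_no, 0x00, session_id, len(body))
    return header + obfuscate(body, session_id, key, VERSION, seq_no)


def _printable(b):
    return all(0x20 <= c < 0x7F for c in b)


def parse_author_request(packet, server_key):
    """Server side: returns the parsed request, or None when the deobfuscated body
    does not look like an authorization REQUEST. With the wrong key every byte is
    garbage, so the lengths and field values fail these checks; the server cannot
    tell that apart from a corrupted packet and can only report 'malformed'."""
    if len(packet) < HEADER.size:
        return None
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if ptype != TAC_PLUS_AUTHOR or len(body) != length or length < 8:
        return None
    if not flags & TAC_PLUS_FLAG_UNENCRYPTED:
        body = obfuscate(body, session_id, server_key, version, seq_no)
    authen_method, priv_lvl, authen_type, authen_service, ulen, plen, rlen, arg_cnt = body[:8]
    if authen_method not in AUTHEN_METHODS or priv_lvl > 15 or authen_type > 6 or authen_service > 9:
        return None
    pos = 8
    arg_lens = list(body[pos:pos + arg_cnt])
    pos += arg_cnt
    if len(arg_lens) != arg_cnt or pos + ulen + plen + rlen + sum(arg_lens) != len(body):
        return None  # declared lengths do not add up to the body
    fields = []
    for n in (ulen, plen, rlen, *arg_lens):
        fields.append(body[pos:pos + n])
        pos += n
    user, port, rem_addr, *args = fields
    if not user or not all(_printable(f) for f in fields) or not all(b"=" in a or b"*" in a for a in args):
        return None
    return {"user": user.decode(), "port": port.decode(), "rem_addr": rem_addr.decode(),
            "priv_lvl": priv_lvl, "args": [a.decode() for a in args]}


def demo():
    """Same packet from the NAD, parsed with the matching and the mismatched secret."""
    body = build_author_request("glenn", "vty0", "10.0.0.5",
                                ["service=shell", "cmd=show", "cmd-arg=running-config"])
    packet = build_packet(body, SESSION_ID, NAD_KEY)
    return parse_author_request(packet, NAD_KEY), parse_author_request(packet, SERVER_KEY)


if __name__ == "__main__":
    matched, mismatched = demo()
    print("matching secret  :", matched)
    print("mismatched secret:", mismatched)  # None: only 'possibly malformed' is observable
```

The practical consequence for troubleshooting is the one the thread arrived at: a 13078 on ISE is not evidence of a bug in the NAD or in ISE, and the first thing to rule out is a secret mismatch. Because NX-OS stores the secret in an obfuscated 'key 7' form, compare the clear-text value on both ends (re-enter it with 'key 0' if in doubt) rather than pasting a type 7 string taken from another platform, which is exactly what went wrong in the DCNM case above.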

10 Replies

Hi @GlennF

Did you take a look at the Nexus 5548 logs? For example:

debug tacacs all

Best regards.

Thank you for your advice.

I ran the debug as you suggested when it was pointing to the new ISE host server and took a capture of the output. I then did the same when it was pointing to the old ACS servers. I compared the two and there are some differences, but I am not sure what to look for that would be causing the issue.

Hi,

Could you please share the debug output?

Best regards.

Greg Gibbs (Cisco Employee)

Have a look at the Nexus Platform section of the Cisco ISE Device Administration Prescriptive Deployment Guide and compare it to your Nexus and ISE configuration. You may be missing the following option or some other configuration.

aaa authentication login ascii-authentication

Thank you for your advice. I input your suggestion in the appropriate section and it still did not work.

poongarg (Cisco Employee)

Check if you have configured the TACACS global shared secret key using the command below:

tacacs-server key 7 "xxxxxx"

If it is there, remove it and test again.

Thank you for your advice. The following commands are what we have input for the ACS servers:

tacacs-server host <ip of ACS host 1> key 7 "shared secret"
tacacs-server host <ip of ACS host 2> key 7 "shared secret"
aaa group server tacacs+ ACS-SERVERS
  server <ip of ACS host 1>
  server <ip of ACS host 2>

When I input the new ISE server (and removed the old ACS servers) along with adding it to the aaa TACACS+ server group, it did not work:

tacacs-server host <ip of ACS host 3> key 7 "shared secret"
aaa group server tacacs+ ACS-SERVERS
  server <ip of ACS host 3>


harikish21 (Level 1)

Hi Glenn, did you have any luck? I am facing the same issue with Nexus 9K switches and ISE 2.7 and have tried all the suggestions provided in this thread. ISE logs the error "13078 Invalid TACACS+ authorization request packet - possibly malformed packet".

