08-28-2020 05:16 PM
I have been tasked to manually move all devices using TACACS+ authentication on an ACS 5.3.0.40 to ISE 2.6 (Patch 7). I have moved a majority of our switches and routers to ISE successfully and I am currently attempting to move two Nexus 5548 switches. When I change the config on the Nexus 5548 to add the new TACACS server host (ISE) and remove the old ACS hosts, an error pops up in the TACACS+ logs on ISE:
13078 Invalid TACACS+ authorization request packet - possibly malformed packet
The following is the old config on the 5548:
tacacs-server host <ip of ACS host 1> key 7 "shared secret"
tacacs-server host <ip of ACS host 2> key 7 "shared secret"
aaa group server tacacs+ ACS-SERVERS
server <ip of ACS host 1>
server <ip of ACS host 2>
The following is the new config I inputted:
tacacs-server host <ip of ACS host 3> key 7 "shared secret"
aaa group server tacacs+ ACS-SERVERS
server <ip of ACS host 3>
And the aaa section remained untouched:
aaa authentication login default group ACS-SERVERS local
aaa authentication login console group ACS-SERVERS local
aaa authorization config-commands default group ACS-SERVERS local
aaa authorization commands default group ACS-SERVERS local
aaa accounting default group ACS-SERVERS
This is something new to me and I feel lucky that I was able to move the other switches and routers with few issues, but I am stumped with these devices. Could there be a bug in the current version of ISE that we have installed, or do I have something misconfigured somewhere else?
09-01-2020 04:18 PM
Just to be clear, when you use the 'key 7' option for configuring the shared secret, the switch is expecting the encrypted text for the shared secret. If you are inputting the clear-text shared secret (e.g. 'cisco123') using the 'key 7' option, this will not work.
If you have not already done so, I would suggest removing the tacacs-server configuration and re-configuring it using the following command syntax.
tacacs-server host <ip of ISE> key 0 <clear-text secret>
If that still does not solve your issue, I would suggest opening a TAC case to gather debugs and information necessary to investigate further.
11-12-2020 10:52 PM
I was able to resolve this issue with the help of TAC; it was a mismatched secret. The error message in ISE was misleading.
It may be a different issue for you. I pushed the config onto the Nexus via DCNM. DCNM expects an encrypted key to be entered in the config, which I copied from a Catalyst switch. It looks like the type 7 encryption on Nexus is different from that on Catalyst switches; when I replaced the key with one encrypted by the Nexus, it worked.
FYI, I have not added the tacacs key global command or the tacacs source interface global command. All commands were specific to either the group or the tacacs-server.
Good luck with your problem.
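Why a wrong shared secret surfaces as "malformed packet": the TACACS+ body is XORed with an MD5 pad derived from the session id and the shared secret, so a server holding a different key recovers garbage whose length fields no longer add up and rejects the packet before it can tell you the secret was wrong. The following is an added Python model of that exchange, not code from the thread, Cisco or ISE; the session id, shared secrets and authorization arguments are constructed sample values.

```python
import hashlib
import struct
from itertools import accumulate

# Constructed sample header fields; none of these values come from the thread.
SESSION_ID = 0x1A2B3C4D
VERSION = 0xC0  # TACACS+ major 0xC, minor 0
SEQ_NO = 1      # first packet of the session, client -> server

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: chained MD5 blocks, truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body, key, seq_no=SEQ_NO):
    """XOR the body with the pad; the same call obfuscates and de-obfuscates."""
    pad = pseudo_pad(SESSION_ID, key, VERSION, seq_no, len(body))
    return bytes(a ^ b for a, b in zip(body, pad))

def build_author_request(user, port, rem_addr, args):
    """Authorization REQUEST body (RFC 8907 section 6.1); all fields are bytes."""
    # authen_method TACACSPLUS, priv_lvl 15, authen_type ASCII, authen_service LOGIN
    fixed = bytes([0x06, 15, 0x01, 0x01, len(user), len(port), len(rem_addr), len(args)])
    return fixed + bytes(len(a) for a in args) + user + port + rem_addr + b"".join(args)

def parse_author_request(body):
    """Return (user, args); raise ValueError when the field lengths are inconsistent."""
    if len(body) < 8:
        raise ValueError("body shorter than fixed header")
    user_len, port_len, rem_len, arg_cnt = body[4:8]
    off = 8 + arg_cnt
    if len(body) < off:
        raise ValueError("argument length table runs past end of body")
    arg_lens = list(body[8:off])
    if off + user_len + port_len + rem_len + sum(arg_lens) != len(body):
        raise ValueError("field lengths do not add up to body length")
    start = off + user_len + port_len + rem_len
    bounds = list(accumulate(arg_lens, initial=start))
    return body[off:off + user_len], [body[s:e] for s, e in zip(bounds, bounds[1:])]

def server_decode(wire_body, server_key):
    """Server side: de-obfuscate with the server's own key, then parse the body."""
    try:
        return parse_author_request(obfuscate(wire_body, server_key))
    except ValueError as exc:
        return "malformed packet: " + str(exc)
```

Decoding the same wire bytes with the device's key and with a different key shows the two outcomes: a parsed request versus a length-check failure, which is all the server can report.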
08-29-2020 06:30 PM
09-01-2020 02:03 PM
Thank you for your advice.
I ran the debug as you suggested when it was pointing to the new ISE host server and took a capture of the output. I then did the same when it was pointing to the old ACS servers. I compared the two and there are some differences, but I am not sure what to look for that would be causing the issue.
09-02-2020 07:43 PM
Hi,
could you please share the debug output?
Best regards.
08-30-2020 05:11 PM
Have a look at the Nexus Platform section of the Cisco ISE Device Administration Prescriptive Deployment Guide and compare it to your Nexus and ISE configuration. You may be missing the following option or some other configuration.
aaa authentication login ascii-authentication
09-01-2020 01:56 PM
Thank you for your advice. I inputted your suggestion in the appropriate section and it still did not work.
08-30-2020 08:37 PM
Check if you have configured the tacacs global shared secret key using the command below:
tacacs-server key 7 "xxxxxx"
If it is there, then remove it and test again.
09-01-2020 01:54 PM
Thank you for your advice. The following command is what we have inputted for the ACS servers:
tacacs-server host <ip of ACS host 1> key 7 "shared secret"
tacacs-server host <ip of ACS host 2> key 7 "shared secret"
aaa group server tacacs+ ACS-SERVERS
server <ip of ACS host 1>
server <ip of ACS host 2>
When I input the new ISE server (and removed the old ACS servers) along with adding it to the aaa TACACS+ group server, it did not work:
tacacs-server host <ip of ACS host 3> key 7 "shared secret"
aaa group server tacacs+ ACS-SERVERS
server <ip of ACS host 3>
11-12-2020 09:15 PM
Hi Glen, did you find your luck? I am facing the same issue with Nexus 9K switches with ISE 2.7 and have tried all the suggestions provided in this group. ISE logs the "13078 Invalid TACACS+ authorization request packet - possibly malformed packet" error.