andrea.meconi
Explorer

Migration from ACS 4.2 to HP iMC TAM TACACS server.

Good morning.

My customer is migrating from Cisco Secure ACS to HP iMC TAM. The AAA model remains the same; we only change the TACACS server reference.

 

All works fine with devices running IOS 12.X.

With IOS 15.X something changes.

An issue is discovered with the command

 

aaa authorization exec default group CiscoSecureACS local

 

that returns an error message "E65010: Packet content is not supported."

During troubleshooting we applied a workaround introducing the if-authenticated method keyword.

We'll capture the request/response traffic; in the meantime, any suggestions?

Best regards.

Andrea

1 REPLY 1
aromn
Beginner

We also got this error message after migrating AAA for Cisco IOS, HPE ProVision-based, and HPE Comware-based devices from CiscoSecure ACS to HPE iMC TACACS Authentication Manager (TAM), by only changing the IP address on the tacacs-server host command. But this error message was only with the PuTTY SSH client, and only when authenticating to Cisco IOS devices (it did not happen when authenticating to HPE ProVision-based and HPE Comware-based devices). We got the error message and the PuTTY window suddenly closed. We tried the latest version of PuTTY, and we still got this same error message.

After extensive troubleshooting, we concluded that the problem was neither in the Cisco IOS device configuration nor in HPE iMC. It was just the authentication settings in the SSH client. It seems that when integrating Cisco devices with iMC TAM as a TACACS+ server, the keyboard-interactive authentication does not work. You need to change this to password authentication.

In PuTTY, the default authentication setting is keyboard-interactive. You can change this by unchecking the Attempt “keyboard-interactive” auth (SSH-2) checkbox under Connection > SSH > Auth (see attachment).

The SSH client from Linux also uses keyboard-interactive authentication by default. However, you can use password authentication with this command:

ssh -o PreferredAuthentications=password <username>@<IP address>

Other SSH clients like F-secure or SecureCRT use password authentication by default, so we don’t have this problem with them.
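
To check which method an OpenSSH client actually attempted before the session dropped, the following added example (not part of the reply above, and not Cisco or HPE code) parses the debug lines that `ssh -v` writes to stderr. The function names and verdict strings are hypothetical, and the sample log is constructed.

```shell
#!/bin/sh
# Summarise the authentication methods seen in OpenSSH client debug output.
# Real capture: ssh -v <username>@<IP address> 2>ssh-debug.log
#               diagnose "$(cat ssh-debug.log)"

# Methods the server advertised (first "can continue" line on stdin).
offered_methods() {
    sed -n 's/^debug1: Authentications that can continue: //p' | head -n 1
}

# Methods the client attempted, in order, joined with commas.
attempted_methods() {
    sed -n 's/^debug1: Next authentication method: //p' | paste -sd, -
}

# Print one verdict (hypothetical labels) for a captured debug log.
diagnose() {
    log=$1
    offered=$(printf '%s\n' "$log" | offered_methods)
    tried=$(printf '%s\n' "$log" | attempted_methods)
    case ",$tried," in
        *,keyboard-interactive,*)
            # The client used the method the reply reports as failing.
            case ",$offered," in
                *,password,*) echo "retry-with-password" ;;
                *)            echo "password-not-offered" ;;
            esac ;;
        *)  echo "keyboard-interactive-not-used" ;;
    esac
}

# Constructed sample log: not captured from a real device.
SAMPLE_LOG='debug1: Authentications that can continue: publickey,keyboard-interactive,password
debug1: Next authentication method: publickey
debug1: Authentications that can continue: publickey,keyboard-interactive,password
debug1: Next authentication method: keyboard-interactive'

diagnose "$SAMPLE_LOG"
```

A `retry-with-password` verdict means the device advertises password authentication, so the `-o PreferredAuthentications=password` option from the reply applies.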
