Cisco Community
English
Register
Congratulate December's Spotlight Awardees. CLICK HERE
Register
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

341
Views
0
Helpful
1
Replies
Highlighted
andrea.meconi
Explorer
Explorer
‎06-24-2015 02:17 AM
‎06-24-2015 02:17 AM

Migration from ACS 4.2 to HP iMC TAM Tacacs server.

Good morning.

My customer is migrating from Cisco Secure ACS to HP iMC TAM. The AAA model remains the same, we only change the Tacacs server reference.

 

All works fine with device running IOS 12.X.

With IOS 15.X something changes.

An issue is discovered with the command

 

aaa authorization exec default group CiscoSecureACS local

 

that returns an error message "E65010: Packet content is not supported."

During troubleshooting we applied a workaround introducing the if-authenticated method keyword.

We'll capture the request/response traffic, meantime any suggestions?

Best regards.

Andrea

Labels:
1 person had this problem
0 Helpful
Reply
1 REPLY 1
Highlighted
aromn
Beginner
Beginner
‎10-31-2016 03:56 PM
‎10-31-2016 03:56 PM

We also got this error message after migrating AAA for Cisco IOS, HPE ProVision-based, and HPE Comware-based devices, from CiscoSecure ACS to HPE iMC TACACS Authentication Manager (TAM), by only changing the IP address on the tacacs-server host command. But this error message was only with the PuTTY SSH Client, and only when authenticating to Cisco IOS devices (it did not happen when authenticating to HPE ProVision-based, and HPE Comware-based devices). We got the error message and the PuTTY window suddenly closed. We tried the latest version of PuTTY, and we still got this same error message

After extensive troubleshooting, we concluded that the problem was neither in the Cisco IOS device configuration, nor in HPE iMC. It was just the authentication settings in the SSH client. It seems when integrating Cisco devices with iMC TAM as a TACACS+ server, the keyboard-interactive authentication does not work. You need to change this to password authentication

In PuTTY, the default authentication setting is keyboard-interactive. You can change this by unchecking the Attempt “keyboard-interactive” auth (SSH-2) checkbox under Connection > SSH > Auth (see attachment)

The SSH client from Linux also uses keyboard-interactive authentication by default. However, you can use password authentication with this command:

ssh -o PreferredAuthentications=password <username>@<IP address>

Other SSH clients like F-secure or SecureCRT use password authentication by default, so we don’t have this problem with them

Preview file
71 KB
0 Helpful
Reply
Latest Contents
#CiscoChat Live: Accelerating your security maturation journ...
Created by Kelli Glass on 01-15-2021 04:48 PM
0
0
0
0
Join us live on Tuesday, January 19 at 10:00 am PT (and on demand after) as we discuss the latest version of ATT&CK and the expansion of TTPs in v8.  As a security expert, you are tasked with protecting your environment. You see the value of... view more
#CiscoChat Live: Accelerating your security maturation journ...
Created by Kelli Glass on 01-15-2021 04:46 PM
0
0
0
0
Join us live on Tuesday, January 19 at 10:00 am PT (and on demand after) as we discuss the latest version of ATT&CK and the expansion of TTPs in v8.  As a security expert, you are tasked with protecting your environment. You see the value of... view more
What's New for Cisco Defense Orchestrator (CDO)
Created by Andrew Mallio on 01-15-2021 06:09 AM
1
40
1
40
Cisco Defense Orchestrator (CDO) is a cloud-based, multi-device manager that manages security products like Adaptive Security Appliance (ASA), Firepower Threat Defense next-generation firewall, and Meraki devices, to name a few.  We make improvement... view more
Serious problem with Object Groups + Access Policies in FMC
Created by mhmservice on 01-15-2021 04:31 AM
0
0
0
0
Hi allI've been having a major problem with Object Groups in FMC access policiesIf I have a pre-existing line in a policy with an Object Group which contains a list of IPs, if I add an additional IP to that object group, then deploy, the traffic is still ... view more
No cts dot1x command in interface configuration mode
Created by tanzhy on 01-14-2021 01:49 AM
3
0
3
0
Anyone know why there are no cts dot1x command in interface configure mode?I  just find cts manual and cts role-based command      Hardware is  C9300-48PSoftware is   Cisco IOS XE Software, Version 16.12.04License i... view more
Content for Community-Ad