TACACS+ and Cisco MDS Switches

SAK_Mohan
Level 1

I am trying to configure Cisco ACS 4.0 to authenticate Windows domain users who access Cisco MDS switches, but I can't seem to get it to work. Moreover, the users in the Cisco ACS internal database are also not able to log in to the Cisco switches. The log file says that the keys do not match, and I have specified the same key in both places.

Anybody have any clues as to what could resolve this issue?

5 Replies

somishra
Cisco Employee

Check for the secret keys on the AAA device and the ACS server for the client.

somishra
Cisco Employee

1) What is the command on the MDS switch for the TACACS server IP address and key?

Example: tacacs-server host 170.218.54.140 key 7 k5p.Ji9xK

2) Make sure the '\' character is not in the username for MDS.

I am using the same key in both places, and I am not using encryption (7), though I tried it initially. There is no slash (\) in the username either. But it comes back saying "Login Incorrect" when I try it via telnet and "Invalid Credentials" via FM&DM....

The commands are....

-------------------------------------------
tacacs+ enable
tacacs-server host XX.XX.XX.XX key secretkey
aaa group server tacacs+ sanmgmtgrp
server XX.XX.XX.XX
aaa authentication login default group sanmgmtgrp
aaa authentication login console local
aaa accounting default group sanmgmtgrp local
end
-------------------------------------------
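What "keys do not match" means on the wire, as an added illustration that is not part of this thread and not Cisco or ACS code: TACACS+ does not carry the shared secret in the packet at all. Each side derives a pseudo-pad from the session id, the secret, the version and the sequence number (chained MD5, as specified in RFC 8907 section 4.5) and XORs the packet body with it. When the switch and the server hold different secrets, the server's pad is wrong, the decoded body is noise, and the only thing the server can do is report a key mismatch. The example below builds an authentication START packet with the switch's key and then parses it with a matching and a mismatched server key; the secret "secretkey" is taken from the config above, while the second key, the username, port, remote address and session id are constructed values.

```python
import hashlib
import struct

# Constructed values for the demo. SWITCH_KEY mirrors the "key secretkey" line
# in the thread's config; ACS_KEY is deliberately off by one character.
SWITCH_KEY = b"secretkey"
ACS_KEY = b"secretKey"

TAC_PLUS_AUTHEN = 0x01              # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # header flag: body sent in the clear
HEADER_FMT = "!BBBBII"              # version, type, seq_no, flags, session_id, length
HEADER_LEN = 12


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5(session_id|key|version|seq_no[|previous digest]), chained
    until enough pad bytes exist to cover the body."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR with the pseudo-pad; XOR is its own inverse, so this both encodes and decodes."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, session_id, key, version=0xC0, seq_no=1):
    """Authentication START packet (RFC 8907 section 5.1) as the switch would send it."""
    user_b, port_b, rem_b, data_b = user.encode(), port.encode(), rem_addr.encode(), b""
    body = bytes([
        0x01,   # action: TAC_PLUS_AUTHEN_LOGIN
        1,      # priv_lvl requested
        0x01,   # authen_type: ASCII
        0x01,   # authen_service: LOGIN
        len(user_b), len(port_b), len(rem_b), len(data_b),
    ]) + user_b + port_b + rem_b + data_b
    header = struct.pack(HEADER_FMT, version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_authen_start(packet, key):
    """Server-side decode using the server's own key.

    Returns the decoded fields, or None when the body does not parse as a START packet.
    The field-length bytes must account for the whole body exactly and all strings must
    be ASCII; a body decoded with the wrong pad is random bytes and fails these checks,
    which is what a TACACS+ server reports as a key mismatch."""
    if len(packet) < HEADER_LEN:
        return None
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:HEADER_LEN])
    if ptype != TAC_PLUS_AUTHEN or len(packet) != HEADER_LEN + length:
        return None
    body = packet[HEADER_LEN:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    if len(body) < 8:
        return None
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = body[:8]
    if 8 + ulen + plen + rlen + dlen != len(body) or action not in (1, 2, 3):
        return None
    off, fields = 8, []
    for n in (ulen, plen, rlen, dlen):
        fields.append(body[off:off + n])
        off += n
    try:
        user, port, rem_addr = (f.decode("ascii") for f in fields[:3])
    except UnicodeDecodeError:
        return None
    return {"action": action, "priv_lvl": priv_lvl, "authen_type": authen_type,
            "service": service, "user": user, "port": port, "rem_addr": rem_addr,
            "data": fields[3]}


def demo(session_id=0x1A2B3C4D):
    """Same packet, decoded once with the matching key and once with the mismatched one."""
    pkt = build_authen_start("mohan", "tty1", "10.0.0.5", session_id, SWITCH_KEY)
    return parse_authen_start(pkt, SWITCH_KEY), parse_authen_start(pkt, ACS_KEY)


if __name__ == "__main__":
    good, bad = demo()
    print("matching key  :", good)
    print("mismatched key:", bad)
```

The username check in the parser is only the ASCII sanity test the protocol needs; it does not reject a `DOMAIN\user` form, which is why a domain prefix reaches ACS intact and can then be matched by a proxy rule on the server side.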

This may be a stupid question, but can you ping the TACACS server from the switch?

It may look like a stupid question, but actually it is not - need sharp eyes.

I solved the problem. The problem was with the Proxy Distribution table.

Thanks All

Mohan