09-03-2007 05:55 AM - edited 03-10-2019 03:22 PM
I configured the ACS box with a LAN infrastructure client including the correct client IP addresses of the devices, a key and set to authenticate using TACACS+. I configured a test user in the local ACS Internal database. I then configured a switch with the ACS IP address and the correct key. When I then try to log in to the switch it fails and the following is logged in the ACS failed attempts log:
08/29/2007 11:39:22 Authen failed .. Default Group .. (Default) Key Mismatch .. .. .. x.x.x.x.. .. .. .. .. LAN-Switches LAN-Infrastructure
I have triple checked that the keys are correct and yet the reason listed for failure is a key mismatch. I don't know if I've got something wrong in the config or if there is a bug.
Cisco switch config:
aaa new-model
aaa authentication attempts login 5
aaa authentication login default group tacacs+ local
aaa authentication login console local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa authorization commands 15 no_tacacs none
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
!
tacacs-server host x.x.x.x
no tacacs-server directed-request
tacacs-server key xxx
radius-server source-ports 1645-1646
ACS version:
CiscoSecure ACS
Release 4.0(1) Build 44
What could be wrong?
09-03-2007 05:59 AM
Please check,
ACS--->Network configuration----> NDG (where you have this switch) ----> Edit Properties----> Remove key.
NDG key overwrites aaa client key.
Regards
~JG
09-04-2007 06:22 AM
JG, Many thanks. The issue has been resolved now.
Thanks
01-06-2008 02:58 PM
Thanks jgambhir,
This solved a problem that I was having authenticating Management Access on a WLC4402 controller to an ACS 4.1. My NDG contained the same password that I used for my router devices, and this was my first non-router device.
Regards,
Charlie