11-01-2024 12:42 PM
Hi,
I am having trouble configuring TACACS on a Cisco IR 1101-k9 (17.10.01a).
While adding a key to TACACS, it's not getting encrypted. The device is AES enabled.
The device accepts only these two command lines, "key 0 <CLEAR TEXT>" or "key <CLEAR TEXT>", but the passwords are not encrypted.
When I try to add "key 7 <CLEAR TEXT>", the device replies with the error: %Invalid encrypted key: <CLEAR TEXT>
Kindly suggest how to solve this.
Please find the config below:
----------------------------------------------------------------------------------------------------
!
aaa new-model
aaa group server tacacs+ <NAME>
 server name <NAME>
 ip tacacs source-interface Loopback0
aaa authentication login default group <NAME> local-case
aaa authorization exec default group <NAME> if-authenticated
!
!
tacacs server <NAME>
 address ipv4 <IP>
 key <CLEAR TEXT>
 timeout 20
11-01-2024 12:46 PM
11-04-2024 05:28 AM
Thanks, I can encrypt the password. But TACACS is still not working.
11-04-2024 05:31 AM
Right, can you please share the "show running-config" here? Let me take a look at your config.
If you don't want to show all of the config, you can run
show run | i aaa
11-04-2024 06:38 AM
Please make sure you apply the method list <NAME> to your VTY and/or console lines, otherwise TACACS won't take effect. Example:
line vty 0 4
 login authentication <NAME>
 authorization exec <NAME>
If those were applied and it still doesn't work, then please check the logs on the TACACS server to see why it is failing; it could be a policy mismatch or wrong profile attributes. Also, as a side note, please note that using the "local-case" keyword as a fallback requires typing the local usernames case-sensitively.
11-04-2024 03:46 AM
When you try to add a key 7 password, you need to type/paste the already encrypted type 7 password. If you try to use key 7 or any encrypted type password with a clear text password, it will return an error. If after you add your clear password the device is still showing it in clear text, then, as already suggested, you should turn on "service password-encryption", which will show the clear text passwords in their encrypted format. Please note that some of the passwords, such as the enable password, will never be shown in clear text, and that is by default.
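Added example, not part of the thread and not Cisco code: a small pre-push check that reads a candidate config and reports, for each "tacacs server" block, whether the key is supplied as clear text, as a well-formed type 7 string, or as clear text wrongly tagged with 7 (the case that produced "%Invalid encrypted key" above). The type 7 shape used in the regex, the status labels, and the sample config are assumptions constructed for illustration.

```python
import re

# Assumption: a type 7 string is two decimal digits followed by hex byte pairs.
TYPE7_RE = re.compile(r"^\d{2}(?:[0-9A-Fa-f]{2})+$")

# Constructed candidate config (names, addresses and keys are placeholders).
SAMPLE = """\
service password-encryption
!
tacacs server TAC1
 address ipv4 192.0.2.10
 key 0 ExampleSharedSecret
!
tacacs server TAC2
 address ipv4 192.0.2.11
 key 7 ExampleSharedSecret
!
tacacs server TAC3
 address ipv4 192.0.2.12
 key 7 0102030405
"""

def classify_key(args):
    """Classify the arguments that follow the 'key' keyword."""
    if len(args) >= 2 and args[0] == "7":
        # 'key 7' expects an already-encrypted string, not the secret itself.
        return "type7-wellformed" if TYPE7_RE.match(args[1]) else "type7-malformed"
    if len(args) >= 2 and len(args[0]) == 1 and args[0].isdigit() and args[0] != "0":
        return "other-type"
    return "cleartext"  # 'key <text>' or 'key 0 <text>'

def audit_tacacs_keys(config):
    """Report how each 'tacacs server' block supplies its key."""
    result = {"service_password_encryption": False, "keys": []}
    server = None
    for raw in config.splitlines():
        line = raw.strip()
        if line == "service password-encryption":
            result["service_password_encryption"] = True
        if raw.startswith("tacacs server "):
            server = line.split()[2]
        elif raw and not raw[0].isspace():
            server = None  # any other top-level line ends the block
        elif server and line.startswith("key "):
            result["keys"].append((server, classify_key(line.split()[1:])))
    return result

if __name__ == "__main__":
    print(audit_tacacs_keys(SAMPLE))
```

A "cleartext" result combined with service_password_encryption being False is the situation described in the first post, where the key stays readable in the stored config.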