
Cisco IR 1101-k9 TACACS Configuration issue

aparna0123
Level 1

Hi,

I am having trouble configuring TACACS on a Cisco IR 1101-k9 (17.10.01a).

While adding a key to the TACACS server, it's not getting encrypted. The device is AES enabled.

The device only accepts these two command lines, "key 0 <CLEAR TEXT>" or "key <CLEAR TEXT>", but the passwords are not encrypted.

When I try to add "key 7 <CLEAR TEXT>", the device replies with the error: %Invalid encrypted key: <CLEAR TEXT>

Kindly suggest how to solve this.

Please find the config below.

----------------------------------------------------------------------------------------------------

!
aaa new-model
aaa group server tacacs+ <NAME>
   server name <NAME>
   ip tacacs source-interface Loopback0
aaa authentication login default group <NAME> Local-case
aaa authorization exec default group <NAME> if-authenticated
!
!
tacacs server <NAME>
 address ipv4 <IP>
 key <CLEAR TEXT>
 timeout 20

5 Replies

@aparna0123 

Try to enable "service password-encryption":

conf t
service password-encryption

Thanks, I can encrypt the password. But TACACS is still not working.

Right, can you please share the "show running-config" here? Let me take a look at your config.

If you don't want to show all of the config, you can run:

show run | i aaa

Please make sure you apply the method list <NAME> to your VTY and/or console lines, otherwise TACACS won't take effect. Example:

line vty 0 4
   login authentication <NAME>
   authorization exec <NAME>

If those were applied and it still doesn't work, then please check the logs on the TACACS server to see why it is failing; it could be a policy mismatch or wrong profile attributes. Also, as a side note, please note that using the "local-case" keyword as a fallback requires typing the local usernames case-sensitively.

When you try to add key 7 password you need to type/paste the already encrypted type 7 password. If you try to use key 7 or any encrypted type password with a clear text password it will return an error. If after you add your clear password the device is still showing it in clear text then as already suggested you should turn on "service password-encryption" which will show the clear text passwords in their encrypted format. Please note that some of the passwords such as the enable password will never be shown in clear text, and that is by default.
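
Added example, not part of the thread and not Cisco tooling: a small Python check over a saved running-config that flags the three conditions discussed above (a TACACS key left in clear text, a "key 7" line whose value is not an already-encrypted string, and a line that references a login method list that was never defined). The sample config, names, addresses and keys are constructed, and the type 7 format test (two decimal digits followed by hex pairs) is an assumption about how IOS writes those strings.

```python
import re

# Constructed sample running-config (placeholder names, addresses and keys).
SAMPLE_CONFIG = """\
aaa new-model
aaa group server tacacs+ TAC-GRP
 server name TAC1
aaa authentication login default group TAC-GRP local-case
aaa authorization exec default group TAC-GRP if-authenticated
tacacs server TAC1
 address ipv4 192.0.2.10
 key ExampleSharedSecret
tacacs server TAC2
 key 7 ExampleSharedSecret
line vty 0 4
 login authentication VTY-LIST
"""

KEY_RE = re.compile(r"^\s+key\s+(?:([067])\s+)?(\S+)\s*$")
# Assumed type 7 layout: two decimal digits, then an even number of hex digits.
TYPE7_RE = re.compile(r"^\d{2}(?:[0-9A-Fa-f]{2})+$")

def audit(config):
    """Return sorted (section, finding) tuples for a running-config text."""
    findings, section = set(), "global"
    lines = config.splitlines()
    login_lists = {m.group(1) for l in lines
                   if (m := re.match(r"aaa authentication login (\S+)", l))}
    if not any(l.strip() == "service password-encryption" for l in lines):
        findings.add(("global", "service password-encryption not enabled"))
    for line in lines:
        if line and not line[0].isspace():
            section = line.strip()  # new top-level block, e.g. "tacacs server TAC1"
            continue
        m = KEY_RE.match(line)
        if m and section.startswith("tacacs server"):
            ktype, value = m.groups()
            if ktype in (None, "0"):
                findings.add((section, "key stored in clear text"))
            elif ktype == "7" and not TYPE7_RE.match(value):
                findings.add((section, "key 7 value is not an encrypted string"))
        m = re.match(r"\s+login authentication (\S+)", line)
        if m and m.group(1) not in login_lists:
            findings.add((section, f"login list {m.group(1)} is not defined"))
    return sorted(findings)

if __name__ == "__main__":
    for where, what in audit(SAMPLE_CONFIG):
        print(f"{where}: {what}")
```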