ACS 5.2 with tacacs+ can't support Alcatel switch.

chaoping chen
Level 1

I have some Alcatel switches and I want to use ACS 5.2's TACACS+ for Alcatel switch admin authentication.

The failure reason: 13011 Invalid TACACS+ request packet - possibly mismatched Shared Secrets

But I checked that the shared secret is correct.

Before, I tried associating with ACS version 4.2 and it worked.

Please review the attachment for the ACS report.

Please give me a suggestion.


16 Replies

d.aznar
Level 1

Hello,

I can't give you an answer, but which Alcatel model/version do you run?

I have the same problem with OS6250 (6.6.1.636.R01) and ACS 5.2 unpatched. I am looking for an Alcatel or ACS bug track.

Have you reviewed PR 144246 in:

http://www.alcadisipsolutions.nl/files/Support_files/Alcatel-Lucent/OmniSwitch/OS6250/Firmware/OS6250%20AOS%206.6.1%20-%206250%20+%206250M%20models/OS6250%20AOS%206.6.1.739%20R01/OS6250%20AOS%206.6.1.739%20R01%20Release%20Notes.pdf

david

I am running switch type OmniSwitch 6850 with software version 6.3.1.1085.R01.

Hello,

I updated the ACS yesterday with the Update-8 package (5.2.0.26-8); same problem while trying to authenticate on the Alcatel switch.

I just changed the switch config to bind AAA authentication to an old ACS 3.2. Authentication was successful.

I think it is an ACS 5.2 problem.

Hello,

For the shared secret value, is it configured to use the pound sign (#)? For example: cisco#123

If yes, can you change the secret key value on both the Alcatel OmniSwitch and ACS AAA Client Entry with a new shared secret without the # sign? Test authentication again and share the results.

NOTE: If it is using any other special characters can you change it to a test key, "cisco" for example on both sides?

Regards.

Hello Carlos,

I have tested with a weak shared secret and the authentication was still unsuccessful.

But while trying with no shared password, it worked...

I think there is a problem while exchanging the shared secret.

But as it seems to work on ACS 3.2, I still believe it is an ACS 5.2 error.

I'm still investigating.

BR.

Hi,

A good approach at this point would be to configure a SPAN port (Packet Capture) on the ACS switchport and analyze the TACACS+ and TCP packets. Using Wireshark > Edit > Preferences > Protocols > TACACS+ > TACACS+ Encryption Key > type the shared secret value. This will allow you to review the unencrypted packets.

A capture using a Shared Secret and also another one without a key might be helpful in order to compare both the failure and the success.

Regards.

I'll get the traces tomorrow and give you feedback.

Thanks.

Hello,

We have the same issues on 6850 and ACS 5.3.0.40.8, which is the 5.3 version with the latest updates installed. We have to migrate from 4.2 to 5.3. In version 4.2 all is running and it works fine. Since we tried to set up the 5.3 version, the Omnis are failing.

Which software release was used on your 6850s (we have 6.4.4.597.R01 in use on a few switches and 6.4.3.717.R01 on the main part of our network)? Both software versions are refusing the connections after successful authentication through ACS 5.3. We later configured the ACS and the Omnis with "empty" keys; after that the ACS refused the authentication with the message "The TACACS+ request packet was invalid. A likely reason is that the Shared Secret configured in the device and the Shared Secret configured for the Network Device or AAA Client in ACS do not match".

It would be great if you could assist me in how to get these crappy devices to run. Are there special configuration parameters that must be in place? Special policies or something else?

Alcatel is refusing support and points to Cisco as the origin of the problem, so I have to open an additional TAC case now before they will do any support on their software and devices.

With kind regards

Stefan Bischoff

Hi Stefan,

Do you know any RADIUS or TACACS+ server that supports the ALU switches?

Because we are only using those devices in our company.

Thanks,

Kaifeng

Hi Kaifeng,

The Cisco ACS 5.x will support the Alcatel Omnis with RADIUS, but if you want to use it with TACACS+ it will not work. If you decide to use the RADIUS implementation you have to create the VSA dictionary for authenticating AND authorizing the user. An additional task is to create the right sequences and order in the policies. The VSA dictionary can be taken directly from ALU Support.

Kind regards,

Stefan

Thank you for giving me a direction for solving the case.

So I did it by upgrading the OS of the switch.

Hello,

Good news, bad news...

I finally traced the TACACS+ authentication between:

- ACS 5.2 and Alcatel with no shared secret

- ACS 5.2 and Alcatel with shared secret "cisco"

- ACS 3.2 and Alcatel with shared secret

Unfortunately, I discovered that the Alcatel seems to encrypt the TACACS+ connection with another shared password, because Wireshark is not able to decrypt the TACACS+ authentication request (Wireshark analysis gives "packet malformed"). The result of the bad encryption is that the ACS 5.2 doesn't reply to the request. It only acknowledges the packet, without a TACACS+ reply, so the Alcatel sends a session FIN.

I have tested the authentication with the Alcatel and ACS 3.2 with a non-null shared secret. The difference between 3.2 and 5.2 is that ACS 3.2 continues the session, sending a TACACS+ password request, even if the shared secret seems different.

Working with this analysis, I asked my support to give me an Alcatel update package.

I now believe that ACS 5.2 is just stricter with the TACACS+ protocol than ACS 3.2, and that's the reason for the authentication failure.

I'll post the next step when I am able to test with the Alcatel update.

BR

David
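The Wireshark decryption Carlos describes and the "packet malformed" result David saw both come from the TACACS+ body obfuscation (RFC 8907 section 4.5): the body is XORed with an MD5 pad derived from the session ID, the shared secret, the version and the sequence number, so a secret mismatch turns the body into noise. This added Python example, which is not from the thread or from Cisco or Alcatel, builds an authentication START packet under one secret and shows the consistency check a server can run on the decoded body, the kind of check behind ACS's "invalid request packet, possibly mismatched Shared Secrets"; the session ID, keys and user/port/address fields are constructed sample values.

```python
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0           # major 0xC, minor 0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # set when no shared secret is configured
# Constructed sample values for this demonstration, not from the thread's captures
SESSION_ID = 0x1A2B3C4D
GOOD_KEY = b"cisco"       # the test key suggested earlier in the thread
BAD_KEY = b"cisco#123"    # a non-matching secret on the other side


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5 pad: MD5(sid|key|ver|seq), then MD5(sid|key|ver|seq|prev),
    concatenated until it covers the body. This is what Wireshark recomputes from the
    key typed into its TACACS+ protocol preferences."""
    sid = struct.pack("!I", session_id)
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(sid + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]

def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR with the pad; XOR is its own inverse, so the same call decodes."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def authen_start_packet(key: bytes, user: bytes, port: bytes, rem_addr: bytes) -> bytes:
    """Client-side authentication START (seq_no 1): action LOGIN=1, priv_lvl 1,
    authen_type ASCII=1, service LOGIN=1, then the four length-prefixed fields."""
    body = struct.pack("!8B", 1, 1, 1, 1, len(user), len(port), len(rem_addr), 0)
    body += user + port + rem_addr
    flags = TAC_PLUS_UNENCRYPTED_FLAG if not key else 0
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, 1, flags, SESSION_ID, len(body))
    return header + (body if not key else obfuscate(body, SESSION_ID, key, TAC_PLUS_VERSION, 1))

def start_body_is_consistent(packet: bytes, key: bytes) -> bool:
    """Server-side sanity check: decode with our key and require the fixed fields and
    the embedded lengths to agree with the header. Under the wrong key the body is
    pseudo-random, so this fails (Wireshark shows the same body as 'malformed')."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:]
    if ptype != TAC_PLUS_AUTHEN or len(body) != length or length < 8:
        return False
    clear = body if flags & TAC_PLUS_UNENCRYPTED_FLAG else obfuscate(body, session_id, key, version, seq_no)
    action, _priv, authen_type, _svc, ulen, plen, rlen, dlen = struct.unpack("!8B", clear[:8])
    return action in (1, 2, 4) and 1 <= authen_type <= 6 and 8 + ulen + plen + rlen + dlen == length
```

The empty-key case mirrors the thread's observation that authentication worked with no shared secret on both sides: the unencrypted flag is set and the body is sent in clear, so no pad mismatch can occur.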

Hello David,

Interesting details indeed. I am looking forward to your response after applying the update to the Alcatel switch.

It seems we are on the right track with this issue now.

Regards.

Hello,

My last post has not been recorded.

For your information, I upgraded the Alcatel switch to 6.6.1.859.R01.

The result is that the authentication is now successful. The problem was the switch version (2009).

BR,

David
