Participant

Issues with TACACS authentication

I'm having issues with TACACS authentication.

What is the issue?

 

SWMY00721FA-01#test aaa group tacacs+ k****** 0****** legacy
Attempting authentication test to server-group tacacs+ using tacacs+
No authoritative response from any server.

SWMY00721FA-01#
*Mar 2 12:22:54.889: TAC+: send AUTHEN/START packet ver=192 id=-187719729
*Mar 2 12:22:54.889: TAC+: Using default tacacs server-group "tacacs+" list.
*Mar 2 12:22:54.889: TAC+: Opening TCP/IP to 10.5.193.143/49 timeout=10
*Mar 2 12:22:54.931: TAC+: Opened TCP/IP handle 0x5CE687C to 10.5.193.143/49 using source 10.51.158.3
*Mar 2 12:22:54.931: TAC+: 10.5.193.143 (4107247567) AUTHEN/START/LOGIN/ASCII queued
*Mar 2 12:22:55.032: TAC+: (4107247567) AUTHEN/START/LOGIN/ASCII processed
*Mar 2 12:22:55.032: TAC+: received bad AUTHEN packet: type = 0, expected 1
*Mar 2 12:22:55.032: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
*Mar 2 12:22:55.040: TAC+: Closing TCP/IP 0x5CE687C connection to 10.5.193.143/49
*Mar 2 12:22:55.040: TAC+: Using default tacacs server-group "tacacs+" list.
*Mar 2 12:22:55.040: TAC+: Opening TCP/IP to 10.7.193.143/49 timeout=10
*Mar 2 12:22:55.049: TAC+: Opened TCP/IP handle 0x5CE8DC4 to 10.7.193.143/49 using source 10.51.158.3
*Mar 2 12:22:55.049: TAC+: 10.7.193.143 (4107247567) AUTHEN/START/LOGIN/ASCII queued
*Mar 2 12:22:55.149: TAC+: (4107247567) AUTHEN/START/LOGIN/ASCII processed
*Mar 2 12:22:55.149: TAC+: received bad AUTHEN packet: type = 0, expected 1
*Mar 2 12:22:55.149: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
*Mar 2 12:22:55.149: TAC+: Closing TCP/IP 0x5CE8DC4 connection to 10.7.193.143/49
*Mar 2 12:22:55.149: TAC+: Using default tacacs server-group "tacacs+" list.
SWMY00721FA-01#

1 ACCEPTED SOLUTION

Cisco Employee

Re: Issues with TACACS authentication

1. Please make sure you have used the correct protocol (PAP/CHAP).

2. Look at the ISE server TACACS logs and see what is going on. If ISE does not receive packets or drops packets, then it could be a wrong shared secret.

3. Make sure your TACACS+ auth policy is configured correctly. Use the correct username/password etc. for authentication.

Here is the latest guide uploaded that can help you.

 

https://community.cisco.com/t5/security-documents/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365

 

-Krishnan

 

4 REPLIES
RJI
VIP Advisor

Re: Issues with TACACS authentication

Hi,

With this error:-

*Mar 2 12:22:55.032: TAC+: received bad AUTHEN packet:

I'd say the shared secret was incorrect. Check this is the same on the switch/router and on the ISE/ACS server, under the Network Device object.

 

HTH

Cisco Employee

Re: Issues with TACACS authentication

Please verify shared secret

Invalid AUTHEN/START/LOGIN/ASCII packet (check keys) 

 

Regards

Beginner

Re: Issues with TACACS authentication

Hi there
Pretty sure it's the key...
Don't start with a complex password, try something simple first, that worked for me!
Costas
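
Why a key mismatch surfaces as a malformed packet ("check keys") instead of an explicit wrong-key error, as an added example that is not from the thread or from Cisco code: TACACS+ (RFC 8907, section 4.5) XORs the packet body with an MD5 pad derived from the shared key, so a switch holding a different key de-obfuscates the server's reply into bytes whose length fields no longer add up. The key strings are hypothetical; `ver=192` and the id come from the debug output above, and treating that id as the session id is an assumption.

```python
import hashlib
import struct

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 sec. 4.5: MD5 blocks chained on the previous digest, cut to body length."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, block = b"", b""
    while len(pad) < length:
        block = hashlib.md5(seed + block).digest()
        pad += block
    return pad[:length]

def xor_body(body, session_id, key, version, seq_no):
    """Obfuscation and de-obfuscation are the same XOR with the pad."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def authen_reply(status, server_msg, data=b""):
    """Authentication REPLY body: status, flags, two 16-bit lengths, then the fields."""
    return struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data

def lengths_consistent(body):
    """Receiver-side sanity check: declared field lengths must add up to the body size."""
    if len(body) < 6:
        return False
    _, _, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    return 6 + msg_len + data_len == len(body)

# Constructed sample values; only ver=192 and the id are borrowed from the debug output.
VERSION = 192                        # "ver=192" (0xC0)
SESSION_ID = 4107247567              # assumption: the id in the debug is the session id
SEQ_NO = 2                           # first server reply in a session
SERVER_KEY = b"key-on-the-server"    # hypothetical
SWITCH_KEY = b"key-on-the-switch"    # hypothetical, deliberately different
GETPASS = 0x05                       # TAC_PLUS_AUTHEN_STATUS_GETPASS

def simulate(client_key):
    """Server obfuscates a GETPASS reply; client de-obfuscates it with client_key."""
    clear = authen_reply(GETPASS, b"Password: ")
    wire = xor_body(clear, SESSION_ID, SERVER_KEY, VERSION, SEQ_NO)
    seen = xor_body(wire, SESSION_ID, client_key, VERSION, SEQ_NO)
    return seen == clear, lengths_consistent(seen)

if __name__ == "__main__":
    print("matching key  :", simulate(SERVER_KEY))
    print("mismatched key:", simulate(SWITCH_KEY))
```

The protocol has no keyed integrity check on the body, so the failed length check is the only signal a receiver gets; that is why the same symptom appears on both servers when the switch-side key is the wrong one.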