08-17-2004 11:59 PM - edited 02-21-2020 01:18 PM
Pretty basic problem, but I've not played with ACS on UNIX before and need some pointers of where I should start looking.
Basically I have Cisco switches and routers configured with the tacacs-server key. The key is configured the same on the server, but whenever a connection is attempted, aaa debugs say the connection fails and to check the keys.
If I don't use any keys - then I can connect OK.
One other interesting thing which may or may not be related is that if I don't use the tacacs key, then I can authenticate but only if the user profile is set to use no password. If they require a password, then they also fail. Seems suspiciously related to me, like there is some generic password hashing problem.
Any ideas????
08-19-2004 07:45 PM
ninety-nine percent of the time, when you get the 'check keys' error, it means that the key on the router does not match the key that you used on the acs server.
use something real simple, like 'cisco123'. don't cut and paste this in. make sure you type it in.
thanks,
chris
08-19-2004 10:46 PM
Hi!
If you are using a Unix-based TACACS server, there will be a file called tac_plus.cfg. That file does the authentication and authorization etc. In that file you specify the key field only as
key = cisco
You should not use quotes " " for names. If you are using spaces in the key, like cisco 123, then that should be written in quotes, like "cisco 123".
HTH.
Rgds
Vimal
08-21-2004 06:15 PM
if you are using the cisco secure acs unix server, then that file does not exist. you must be talking about tacacs+, which cisco helped author, but no longer supports.
thanks,
chris
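To make concrete why a key mismatch surfaces as a "check keys" failure rather than a clean "wrong key" error, here is an added example (my own code, not from anyone in this thread and not from ACS or the tacacs+ daemon). It implements the TACACS+ body obfuscation from RFC 8907: both ends XOR the packet body with an MD5-derived pad seeded by the session id, the shared key, the version and the sequence number. If the keys differ in any way, even a trailing space from a paste or literal quote characters as Vimal describes, the server decodes noise and the length fields no longer add up. An empty key sends the body in cleartext, which is why things "work" with no key configured. The session id, key values and config lines below are constructed for the demo; the diagnose() helper is a hypothetical convenience, not a feature of either server.

```python
"""TACACS+ shared-key mismatch, demonstrated with RFC 8907 body obfuscation."""
import hashlib
import struct

TAC_PLUS_VER_DEFAULT = 0xC0     # major version 0xC, minor version 0
AUTHEN_LOGIN = 0x01             # TAC_PLUS_AUTHEN_LOGIN
AUTHEN_TYPE_ASCII = 0x01        # TAC_PLUS_AUTHEN_TYPE_ASCII
AUTHEN_SVC_LOGIN = 0x01         # TAC_PLUS_AUTHEN_SVC_LOGIN


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5 chain from RFC 8907 section 4.5: each block hashes the seed plus the previous block."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pad (symmetric, so this both encodes and decodes).
    An empty key means the unencrypted flag is set and the body travels in clear."""
    if not key:
        return body
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: str, port: str = "tty0", rem_addr: str = "10.0.0.1") -> bytes:
    """Minimal Authentication START body (RFC 8907 section 5.1) with empty data field."""
    u, p, r = user.encode(), port.encode(), rem_addr.encode()
    hdr = bytes([AUTHEN_LOGIN, 1, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN, len(u), len(p), len(r), 0])
    return hdr + u + p + r


def parse_authen_start(body: bytes):
    """Return the decoded fields, or None when the lengths are inconsistent,
    which is what a server sees after decoding with a different key."""
    if len(body) < 8:
        return None
    action, priv, atype, svc, ul, pl, rl, dl = body[:8]
    if len(body) != 8 + ul + pl + rl + dl or action not in (1, 2, 3) or priv > 15:
        return None
    off = 8
    user = body[off:off + ul]; off += ul
    port = body[off:off + pl]; off += pl
    rem = body[off:off + rl]
    return {"action": action, "priv_lvl": priv, "user": user.decode("latin-1"),
            "port": port.decode("latin-1"), "rem_addr": rem.decode("latin-1")}


def key_from_tac_plus_cfg(line: str) -> str:
    """'key = cisco' or 'key = "cisco 123"' (tac_plus.cfg style) -> key text, quotes stripped."""
    _, _, val = line.partition("=")
    val = val.strip()
    if len(val) >= 2 and val[0] == val[-1] == '"':
        val = val[1:-1]
    return val


def key_from_ios(line: str) -> str:
    """'tacacs-server key cisco123' -> 'cisco123'. Only the line ending is removed, so a
    trailing space pasted into the router config stays part of the key (simplified model)."""
    line = line.lstrip().rstrip("\r\n")
    prefix = "tacacs-server key "
    return line[len(prefix):] if line.startswith(prefix) else ""


def diagnose(server_key: str, router_key: str) -> list:
    """Hypothetical helper: explain the most common ways two 'identical' keys differ."""
    hints = []
    if server_key == router_key:
        return hints
    if server_key.strip() == router_key.strip():
        hints.append("keys differ only in leading/trailing whitespace (cut-and-paste artefact)")
    if server_key.strip('"') == router_key.strip('"'):
        hints.append("one side includes literal quote characters")
    if server_key.lower() == router_key.lower():
        hints.append("keys differ only in case")
    if not hints:
        hints.append("keys differ; retype both by hand")
    return hints


if __name__ == "__main__":
    sid = 0x1234ABCD                                   # constructed session id
    body = build_authen_start("jdoe")
    wire = obfuscate(body, sid, b"cisco123", TAC_PLUS_VER_DEFAULT, 1)
    print("same key :", parse_authen_start(obfuscate(wire, sid, b"cisco123", TAC_PLUS_VER_DEFAULT, 1)))
    print("key+space:", parse_authen_start(obfuscate(wire, sid, b"cisco123 ", TAC_PLUS_VER_DEFAULT, 1)))
    print("no key   :", obfuscate(body, sid, b"", TAC_PLUS_VER_DEFAULT, 1) == body)
    print(diagnose(key_from_tac_plus_cfg('key = "cisco123"'), key_from_ios("tacacs-server key cisco123 \n")))
```

Running the script shows the START body round-tripping with the matching key, decoding to garbage (parse returns None or nonsense) with the key plus one trailing space, and passing through unchanged with no key at all, which is exactly the pattern the original poster sees. Checking the two config lines with diagnose() is the programmatic version of chris's advice to type the key by hand on both sides.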