ACE ACS TACACS+ Key Mismatch issue

Good day,
I have an issue when trying to set up ACE modules for TACACS+ and AAA authentication, whereby the Failed Authentication reports state the reason as "Key Mismatch".
We have confirmed that the key we are using is the same on the ACE and on the ACS.
The question I have is as follows:
Should the key we enter on the ACE remain as we have typed it? So if we enter mysharedkey as the key, should this show as such in the running config, or should it show as encrypted? Currently it shows in the running config as we entered it, but with a 7 added before the key and the key placed in inverted commas.
So the config entered is something like this:
tacacs-server host 10.10.10.10 key mysharedkey
aaa group server tacacs+ acs_pri
server 10.10.10.10
aaa authentication login default group acs_pri local none
BTW, we are running version 2.1.4(a).
Thanks for any assistance with this.
Paul

Hi Kevin,
Thanks for the reply. I can confirm we have the "ssh key rsa 1024 force". I even tried removing and re-issuing the command.
On the point of the show run revealing something encrypted instead of the actual TACACS key, this is not what we see; we see the actual key we entered.
This is my concern.
We managed to get this working by checking on the production ACE modules and production ACS, using the "encrypted" key we see in that "show run" and locating the key in the production ACS config (which was not under the ACE NDG, but under the ACS server's own config, which also looks like something encrypted) and using this in the NDG config as the key for our ACE NDG on the test ACS.
The problem arises that every six months or so, as a security requirement, the keys change, and how will we then know what to apply on the ACE if it does not apply the encryption to the key we enter itself.
See my problem...
Thanks again for the assistance and any further guidance would be appreciated.
Paul.
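The "Key Mismatch" reason in the ACS failed-attempts report, and the "received bad AUTHEN packet ... (check keys)" lines in the SW-B debug output further down this page, come from the same protocol property: TACACS+ never authenticates the shared key explicitly. Each packet body is XORed with an MD5 keystream derived from the session id, the key, the version byte and the sequence number (RFC 8907 section 4.5), so a wrong key on either side simply yields a body that does not decode into sensible fields. The Python below is an added example, not code from this thread or from Cisco: it implements that obfuscation, builds a server REPLY under one key and shows that decoding it under a different key fails the structural check a device would apply. The session id, both keys and the "Password: " prompt are constructed for the demo.

```python
import hashlib
import struct

# Header constants. 0xC0 is major version 0xC, minor 0, the "ver=192" seen in the IOS debug output.
TAC_PLUS_VERSION = 0xC0
TAC_PLUS_AUTHEN = 0x01            # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # set only when the body is sent in the clear

# Authentication REPLY status codes (first byte of a REPLY body).
REPLY_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                5: "GETPASS", 6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5 keystream: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), concatenated and truncated."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the keystream. XOR is its own inverse, so this also deobfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(body, session_id, key, seq_no, ptype=TAC_PLUS_AUTHEN, version=TAC_PLUS_VERSION):
    """Prepend the 12-byte header and obfuscate the body under `key`."""
    header = struct.pack("!BBBBII", version, ptype, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, version, seq_no)


def parse_packet(packet, key):
    """Split a received packet into its header fields and the body as decoded with `key`."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    body = packet[12:12 + length]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    return {"version": version, "type": ptype, "seq_no": seq_no,
            "session_id": session_id}, body


def authen_reply_body(status, server_msg=b"", data=b""):
    """Encode an authentication REPLY: status, flags, server_msg_len, data_len, then the strings."""
    return struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data


def reply_looks_valid(packet, key):
    """The only key check the protocol offers: decode the REPLY with `key` and see whether the
    result is structurally sane. Returns (is_sane, status_name)."""
    _, body = parse_packet(packet, key)
    if len(body) < 6:
        return False, "SHORT"
    status, _, srv_len, data_len = struct.unpack("!BBHH", body[:6])
    sane = status in REPLY_STATUS and 6 + srv_len + data_len == len(body)
    return sane, REPLY_STATUS.get(status, "INVALID(0x%02x)" % status)


# Constructed sample: a server REPLY asking for the password, like the "received AUTHEN
# status = GETPASS" line of the working switch. Session id and keys are made up for the demo.
SESSION_ID = 0x12345678
CORRECT_KEY = b"mysharedkey"
WRONG_KEY = b"mysharedkey2"   # one character off, as after a rotation that was not applied everywhere

SAMPLE_REPLY = build_packet(authen_reply_body(5, b"Password: "), SESSION_ID, CORRECT_KEY, seq_no=2)


if __name__ == "__main__":
    for label, key in (("correct key", CORRECT_KEY), ("wrong key", WRONG_KEY)):
        print(label, reply_looks_valid(SAMPLE_REPLY, key))
```

The practical consequence for the key-rotation worry above is that nothing in the exchange lets you read the key back or confirm it in isolation: a device or server can only notice that the decoded body is nonsense, which is what both the ACS report and the IOS debug are telling you. Running a capture of the first REPLY through a check like `reply_looks_valid` with the key you believe is configured is a quick way to confirm which side has the stale value.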

Similar Messages

  • ACE 4710 A3(2.0) and ACS - TACACS+

    Hi.
    I am having trouble getting my ACE 4710 (A3(2.0) Build 3.0) to cooperate with my Cisco Secure ACS-server. In the same environment I have it working on my ACE Module, with the same configuration.
    ACE 4710:
    tacacs-server host 10.7.50.20 key 7 "fewhg"
    aaa group server tacacs+ tacacs_server_group
        server 10.7.50.20
        deadtime 15
    aaa authentication login default group tacacs_server_group local none
    aaa accounting default group tacacs_server_group local
    aaa authentication login error-enable
    ACS is configured correctly too. I have tried with several users, both in groups, with and without attributes and so forth. The ACS installation works with other devices and with my ACE modules running A2(3.1). I have tried this on both ACS 4.2(0).124 and 4.2(1).15.
    The strange part is what I see when I set up Wireshark on my ACS server to look at the traffic. From what I can see, the ACE only sends a request to the AAA server if the user exists locally. But I do not get authenticated, and Failed Attempts shows a line with Message-Type: "Unknown NAS".
    It seems like others have the same problem. The problem is that the link attached in the topic beneath only leads me back to the forum and not to a topic with a solution.
    https://supportforums.cisco.com/thread/132445?decorator=print&displayFullThread=true#132445
    Any help is appreciated and thanks in advance!

    Are you using telnet or SSH?
    If SSH, can you try telnet? Allow telnet on your management policy to do this. Then if it works via telnet, try SSH again; if it now works, then you have hit CSCsu36078
    http://tools.cisco.com/squish/03240

  • ACE with TACACS+ Issue

    Trying to get ACE module and IOS devices to work with TACACS+. I have ACS v3.2.
    The "optional" syntax does not work. Any idea if the argument is valid for the ACS version ?
    service=exec
    optional shell:Admin=Admin domain
    Tried it with quotations but that didn't work either.

    Hi,
    Here is a reference doc for configuring ACE for Tacacs+ authentication,
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.0
    0_A1/configuration/security/guide/aaa.html#wp1321891
    Under custom attribute for Tacacs+ we need to specify attribute as,
    shell:Admin*ADMIN MYDOMAIN1
    = means mandatory attribute
    * means optional
    Information on context/role/domain (Virtualization on ACE):
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.0
    0_A1/configuration/virtualization/guide/ovrview.html
    Default "role" on ACE:
    http://www.cisco.com/en/US/docs/interfaces_modules/services_modules/ace/v3.0
    0_A1/configuration/virtualization/guide/ovrview.html#wp1051297
    HTH
    JK
    Plz rate helpful posts-

  • ACE and TACACS+ auth

    I'm having to use the free TACACS+ in an environment to configure authentication for all the network devices.  I have all the routers and switches working just fine, but am having issues getting the ACE to use TACACS.  I've configured ACE to authenticate to an ACS server by adding the additional shell custom attributes (shell:Admin*Admin default-domain) and this worked fine.  I found some documentation on TACACS+ that described how to add this similar attribute to the tac_plus.conf file, but it doesn't seem to want to work. My aaa config from the ACE as well as the tac_plus.conf file content are below.  I know the AAA is working with this TACACS server as the accounting functions properly.
    ACE AAA
    tacacs-server host 10.1.0.202 key 7 <removed>
    aaa group server tacacs+ TAC_AUTH
      server 10.1.0.202
    aaa authentication login default group TAC_AUTH local
    aaa authentication login console group TAC_AUTH local
    aaa accounting default group TAC_AUTH local
    tac_plus.conf
    # Accounting Logs
    accounting file = /data/tacacs.log
    # Server Key
    key = <removed>
    # ACL
    acl = auth_routers {
        permit = .*
    }
    # Groups
    group = admin {
        login = file /etc/passwd
        acl = auth_routers
        service = exec {
            # optional attribute: the ACE reads this as role "Admin" in domain "default-domain"
            optional shell:Admin = "Admin default-domain"
        }
    }
    # Users
    user = admin1 {
        default service = permit
        member = admin
    }
    user = admin2 {
        default service = permit
        member = admin
    }
    user = admin3 {
        default service = permit
        member = admin
    }

    Anyone?

  • ACS 5.0 having issues with different subnet AAA Clients

    Dear All,
    I am getting a weird issue. My ACS 5.0 is in subnet 10.1.1.0/24. All the AAA clients which are in the same subnet can communicate with the ACS, but those in a different subnet cannot.
    I have checked the firewall between them; it allows any any with all services.
    One more thing I have faced today is that now only one switch (10.1.2.10) can access the ACS, but other switches in the same subnet (10.1.2.0/24) can't access the ACS, the same as the previous issue.
    Following are the logs of the one switch (10.1.2.10) in a different subnet that can access the ACS:
    Working Switch with Same configuration:
    SW-A#test aaa group tacacs+ test cisco legacy
    Attempting authentication test to server-group tacacs+ using tacacs+
    User was successfully authenticated.
    SW-A#
    *Nov 17 00:05:52.041: AAA: parse name=<no string> idb type=-1 tty=-1
    *Nov 17 00:05:52.041: AAA/MEMORY: create_user (0x1B1FD04) user='test' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
    *Nov 17 00:05:52.041: TAC+: send AUTHEN/START packet ver=192 id=3237327729
    *Nov 17 00:05:52.041: TAC+: Using default tacacs server-group "tacacs+" list.
    *Nov 17 00:05:52.041: TAC+: Opening TCP/IP to 10.1.1.2/49 timeout=5
    *Nov 17 00:05:52.041: TAC+: Opened TCP/IP handle 0x1B44D48 to 10.1.1.2/49
    *Nov 17 00:05:52.041: TAC+: 10.1.1.2 (3237327729) AUTHEN/START/LOGIN/ASCII queued
    SW-A#
    *Nov 17 00:05:52.243: TAC+: (3237327729) AUTHEN/START/LOGIN/ASCII processed
    *Nov 17 00:05:52.243: TAC+: ver=192 id=3237327729 received AUTHEN status = GETPASS
    *Nov 17 00:05:52.243: TAC+: send AUTHEN/CONT packet id=3237327729
    *Nov 17 00:05:52.243: TAC+: 10.1.1.2 (3237327729) AUTHEN/CONT queued
    *Nov 17 00:05:52.444: TAC+: (3237327729) AUTHEN/CONT processed
    *Nov 17 00:05:52.444: TAC+: ver=192 id=3237327729 received AUTHEN status = PASS
    *Nov 17 00:05:52.444: AAA/MEMORY: free_user (0x1B1FD04) user='test' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
    Logs from the switch (10.1.2.20) in the same subnet which cannot access the ACS:
    SW-B#test aaa group tacacs+ test cisco legacy
    Attempting authentication test to server-group tacacs+ using tacacs+
    No authoritative response from any server.
    SW-B#
    *Oct 20 00:54:12.834: AAA: parse name=<no string> idb type=-1 tty=-1
    *Oct 20 00:54:12.842: AAA/MEMORY: create_user (0x1A6F3F0) user='test' ruser='NULL' ds0=0 port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 initial_task_id='0', vrf= (id=0)
    *Oct 20 00:54:12.842: TAC+: send AUTHEN/START packet ver=192 id=3281146755
    *Oct 20 00:54:12.842: TAC+: Using default tacacs server-group "tacacs+" list.
    *Oct 20 00:54:12.842: TAC+: Opening TCP/IP to 10.1.1.2/49 timeout=5
    *Oct 20 00:54:12.842: TAC+: Opened TCP/IP handle 0x1B1E888 to 10.1.1.2/49
    *Oct 20 00:54:12.842: TAC+: 10.1.1.2 (3281146755) AUTHEN/START/LOGIN/ASCII queued
    SW-B#
    *Oct 20 00:54:12.943: TAC+: (3281146755) AUTHEN/START/LOGIN/ASCII processed
    *Oct 20 00:54:12.943: TAC+: received bad AUTHEN packet: type = 0, expected 1
    *Oct 20 00:54:12.943: TAC+: Invalid AUTHEN/START/LOGIN/ASCII packet (check keys).
    *Oct 20 00:54:12.943: TAC+: Closing TCP/IP 0x1B1E888 connection to 10.1.1.2/49
    *Oct 20 00:54:12.943: TAC+: Using default tacacs server-group "tacacs+" list.
    *Oct 20 00:54:12.943: AAA/MEMORY: free_user (0x1A6F3F0) user='test' ruser='NULL' port='' rem_addr='NULL' authen_type=ASCII service=LOGIN priv=1 vrf= (id=0)
    Waiting for your responses.
    Regards,
    Anser

    Ok, cool,
    So this usually means that the switch is sourcing the requests from a different interface than the one configured on the ACS.
    I would guess that the ACS is reporting unknown NAS...
    Can you please use the "ip tacacs source-interface" command to make sure the switch will source the TACACS+ packets from the interface with the IP address for which you have the ACS configured?
    HTH,
    Tiago
    If  this helps you and/or answers your question please mark the question as  "answered" and/or rate it, so other users can easily find it.

  • Loss of TACACS key after harddisk failure

    Our WAE/WAVEs in the field are configured for TACACS authentication. During hard disk failures we could not access the devices. The ACS logs an invalid TACACS secret. In the running-config the "tacacs key ****" statement is missing.  The statement can still be found in the startup-config.
    Is the "tacacs key" statement dependent on the hard disk?

    Hello,
    The internal WAAS TACACS setup causes a vicious circle. Authentication is required to access a device for troubleshooting, but authentication fails with a strict TACACS policy. In the meantime we found out that we can access the WAVE/WAE when authentication failover is disabled. With this change the WAE switches to the backup authentication method even when the password is wrong. This workaround allows access during disk failure situations. The workaround is in conflict with our security policy and we are now checking via TAC whether the WAE behavior is a feature or a bug.
    Kind regards Peter

  • Mass-Change TACACS+ Key

    We're using CS ACS 3.3. We've been asked to change all of the TACACS+ keys for all of our switches (approximately 900+ devices).
    We can use CiscoWorks to change the keys on all of the devices, but is there any way to mass-change the TACACS+ key in the ACS for our devices? We're using Network Device Groups, but as best I can see, it's not possible to add an AAA client and define certain characteristics in a generic group profile that get inherited by all configured devices (such as a universal TACACS+ key for all devices in the group).
    Thanks!

    I saw the previous post about using RDBMS sync and I'm looking into that.
    Best that I can tell, we don't have any properties that are inherited by the entire group. I haven't been able to find a way to look at any properties for the NDG. Is it possible to change the inherited key after the group has been created?
    Thanks!

  • GL Balance mismatch issue in biw

    Dear All,
    We are facing a GL balance mismatch issue in our BIW production. Please suggest how this can be corrected. Please look at the attachments.
    Regards,
    Subhash

    From which table of the DSO are you fetching data? The type of delta in your DSO is AIED; if it is not properly sequenced, the data will be wrong. There can be multiple records with the same key in one request. Analyze properly: compare the change log of this record with the active table and the InfoCube, and you will clearly understand what happened. That is the way to analyze it.

  • Key shortcut, issue, typing something in editing code and changing language going directly to snippets.

    So the problem is that I have to click in the editing code again to write in a different language, which didn't happen before.
    Just in case of a shortcut key collision I completely removed the shortcut for snippets from Shift+F9; nothing changed. I really can't understand why, when I press Alt+Shift to change language, it goes straight to the snippets.
    If anyone can help would save me from nervous breakdown! 
    Thanks,
    GKD

    Since this appears to be a "just started happening" issue, have you tried clearing the program cache?
    Deleting a corrupted cache file
    That tends to catch a lot of weird behaviors and straighten them out.

  • Latitude e7450 - Repeating Keys/Debouncing Issue is present in this model too

    Not sure how to get attention to this, as I do not think Dell is aware of this problem since this model was only released a month ago.  The repeating keys/debouncing issue described here is present in this new model Latitude E7450 in both BIOS A00 and A01.  Please make this bug known, so that Dell is able to fix it in a BIOS update!

    So, I also found and posted in this thread about the issue with the E7450,
    and basically that is the aggregation of all the posts on this repeating keys/debouncing issue on ALL affected models.  Honestly, as a developer, I'm pretty shocked at how bad Dell support really is.  I've been lucky enough to never have any hardware issues until now...
    They chose to have a forum for their customer service, fine; that works with many other companies. But they should have at least split the forums into laptop series,by model number, have a bug tracker and paid more than 1 guy to relay issues to the engineering team.. This is ridiculous and utter chaos reading through these threads and it is enough to make me question buying a high priced Dell ever again.  Like many people I went with Dell Latitude after Lenovo created that awful macbook-like clickable touchpad, but it looks like their 2015 models are bringing back hardware left/right click buttons again so that might be my next purchase.

  • Serious Keyboard Key Mapping Issue

    Hi there everyone...
    Yesterday evening, while I was watching a movie on my MacBook, I accidentally pressed the command button, and all of a sudden the movie stopped playing.
    After some research on the internet, I activated the keyboard palette and found out that several keys had issues:
    1. The left command button behaved as if I was pressing command + . (period key)
    2. The right command button behaved like command + up arrow key
    3. The up arrow key like issue 2 above
    4. The period key like issue 1 above
    P.S. the up arrow and period keys aren't working at all; they just behave as I explained above.
    Since it had to do with a modifier key, I tried to change the modifier key settings, but even though I tried accessing the modifier key settings through preferences, no pop-up window opened and no change could be made.
    Even though I tried a PRAM zap, nothing happened, because as I understand it the system doesn't recognise the shortcut, since together with command, option, P, R, the period key is seen as pressed as well.
    If anyone can help please do!
    Thanks for your time everyone,

    So I booted from the install disk.... Didn't know what exactly to do, so I used the terminal to see if the problem with the keys persisted... And unfortunately it did.... Didn't know what to do next, so I quit and booted again...
    But I restarted my MacBook, only to boot into hardware test mode, to see if the problem really is on the hardware side.
    I am running an extended test, but poking around a bit, I noticed that the up arrow key worked fine...
    Waiting now to see the results from the test, which i will post after it's finished.

  • Type mismatch issue

    1) Create a package spec with two record types. Note: one attribute is common to both types.
    CREATE OR REPLACE PACKAGE gfstm_parm_test AS
      TYPE g_rec_1 IS RECORD (
        ship_type_flag   varchar2(1),
        reason_code_flag varchar2(1)
      );
      TYPE g_rec_2 IS RECORD (
        ship_type_flag        varchar2(1),
        cost_by_supplier_flag varchar2(1)
      );
    end gfstm_parm_test;
    2) Create a procedure with one of the record types, i.e. g_rec_1:
    create or replace procedure test_rec_type_pr(i_rec_var IN gfstm_parm_test.g_rec_1) is
    begin
    dbms_output.put_line(i_rec_var.ship_type_flag);
    end;
    3) Execute the block below for g_rec_1 by calling procedure test_rec_type_pr.
    Answer: works.
    Requirement: the same procedure, WITHOUT ANY MODIFICATION, is to be used with the other type g_rec_2 as the input parameter and should print 'a'. But I am getting type mismatch issues.
    How to make it work?
    declare
    l_rec_1 gfstm_parm_test.g_rec_1;
    l_rec_2 gfstm_parm_test.g_rec_2;
    begin
    l_rec_2.ship_type_flag := 'a';
    test_rec_type_pr(l_rec_2);
    end;
    Thanks,
    Vinodh

    Seems you'll have to uncomment something (as Solomon says, types are not defined to be intermixed at will)
    declare
    l_rec_1 gfstm_parm_test.g_rec_1;
    l_rec_2 gfstm_parm_test.g_rec_2;
    begin
      l_rec_2.ship_type_flag := 'a';
      l_rec_1.ship_type_flag := l_rec_2.ship_type_flag;
      l_rec_1.reason_code_flag := '';  -- or whatever ...
      test_rec_type_pr(l_rec_1);
    end;
    Regards
    Etbin

  • Activation key mismatch - Professional vs Ultimate G550 XP upgrade to Win 7

    I have a problem with pages dropping off when writing text.  I can bring the page back by moving the mouse. Big pain... I got as far as the "activation key mismatch" notice and a cold boot was done. It also ref. download newest drivers. I went to that link and found that they were not avail. ref. Apache Tomcat / 6.0.18. I went to that site but could not read the info about the download. Is this what I need? I don't want to install the wrong thing. Thanks, ml

    Thanks for responding hatter-- The problem, though, is I can't even install W7 once.
    The upgrade key won't let me do a fresh install, and I can't boot from CD to do it, either (although this has worked for other CDs, including the old XP CD.)

  • KEY PRESS ISSUES

    I own a Pre Plus on Verizon. I have read the numerous posts describing issues with keyboard key press difficulties. What I haven't seen, is any resolution to the problem. Personally, The keyboard size is OK. The unreliable key press issues are driving me nuts. The worst key on my Pre+ is the "e" key and some others, mostly on the top row of keys. I first press, nothing, press again, maybe nothing or multiple entries of "e", The "y" is second worst. Same issues. Is ANYBODY doing anything to resolve this problem?
    Post relates to: Pre Plus p101vzw (Verizon)

    The last software update 1.4.11 addressed this issue on the Verizon Palm Pre Plus. If you are on earlier software version you need to update your device to the latest SW version. If you are on the latest SW version you may have a hardware problem with the device. You should go to Device Info from your launcher, tap the drop-down menu, choose Tests, then Interactive Tests, then test your keypad for problems. If this test fails then you should get a replacement device from Verizon.

  • DAC 11g :Encryption key mismatch

    Hi,
    We have installed DAC 11g on a Linux server and the DAC client on a Windows machine. While configuring the DAC client in Windows it throws an error like "encryption key mismatch". We cleared the key in the DAC repository with the command-line utilities. Again it throws an error like "encryption key mismatch".
    And we are able to log in in standalone mode but not in web mode; if we try to start the server in Linux it throws an error that the client should be in web mode, but we are unable to log in to the client in web mode.
    Thanks in advance,
    Regards,
    Saurabh

    Hi Veeresh,
    1) How to connect the DAC 11g server with Fusion Middleware (WebLogic Server)?
    2) Can we install OBIA 7.9.6.4 with DAC 10g?
