Had a really annoying problem yesterday. Was busy setting up Role-Based TACACS access on Cisco ACS and happily configuring the NDG (Network Device Groups), the Command Authorization Sets, etc.
Started testing and kept on getting “% Authentication failed” on the CLI.
At first you realize you must have made a typo or forgotten to do something. Double check the config, the ACS setup and confirm the passwords are correct with no Null Spaces. But still no luck.
Maybe a fresh pair of eyes? So I went to a colleague to double-check my config, and while he was checking I noticed the following difference:
In his browser, Internet Explorer, the password under ‘Network Device groups’ settings, showed the TACACS-Key? (a bit insecure, but wth?)
I use Firefox almost exclusively. So I went back to my laptop and fired up the hateful IE8 browser. Re-entered the password, hit the ‘SUBMIT’.
Tested and all was working as originally expected. It seems the ACS software was specifically written for IE6, back in the day, before starred password fields ****** came about, or they just don’t make use of it. Firefox removed the ‘displayed’ password/key to hash it out, but without the necessary HTML code Firefox has nowhere to keep the hash. The result: editing the NDG settings in Firefox removes the password/key. Fair enough, this ACS was V4.2, maybe this was fixed with V5 (not sure).
There is nothing I hate more than the dysfunctional wannabe browser Internet Explorer. And thanks to a lack of insight from the ACS developers, I will have to use Internet Explorer once in a while.