I was recently working on deploying a new device into our network infrastructure. I was working off a configuration template that had standard arguments for AAA leveraging TACACS+. I was offsite and had asked a fellow colleague to enter the new device into our ACS deployment to allow authentication and command authorization. The long and short of it is, it was copied off of a different group of devices than the one my configuration template was based off. The issue was a mismatch in TACACS server keys. The problem was that I was currently offline, as I was connecting to the device that would let me out to the network.

So what is the stupid router trick? The stupid router trick consists of using key chains to decrypt a type 7 TACACS key (or any other type 7 key) that is hidden via service password-encryption in your configuration template. Type 7 is a reversible encoding rather than real encryption: IOS has to recover the plaintext to use the key, and the key chain feature accepts a type 7 string and then displays the key in clear text, so it does the decoding for you. The trick is pretty simple. Create a temporary key chain that won't be applied anywhere, enter the key(s) into the key chain in their type 7 format with key-string 7, and then run a simple show key chain. Really! That's all there is to it. Once you have what you need, remove the temporary chain with no key chain tempkeys so the decoded key doesn't stay sitting in your running config. See the output below.
R1(config)#key chain tempkeys
R1(config-keychain)#key 1
R1(config-keychain-key)#key-string 7 06150A225E4B1D12000E
R1(config-keychain-key)#exit
R1(config-keychain)#key 2
R1(config-keychain-key)#key-string 7 095F4B0A0B0003190E15
R1(config-keychain-key)#end
R1#
R1#show key chain
Key-chain tempkeys:
    key 1 -- text "secretkey"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
    key 2 -- text "secretkey"
        accept lifetime (always valid) - (always valid) [valid now]
        send lifetime (always valid) - (always valid) [valid now]
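The reason the router can hand the key back is that type 7 is a fixed-key XOR, so you don't even need a router to reverse it. The following Python is an added example, not code from the original post: it decodes and re-encodes type 7 strings and scans a config excerpt for them. TYPE7_KEY is the well-known fixed XOR key IOS uses for type 7; the function names are my own, POST_KEYS are the two strings from the key chain session above, and SAMPLE_CONFIG is a constructed config fragment used only to exercise the scanner.

```python
"""Type 7 decode/encode and config scan (added example, not from the post).

Cisco's "service password-encryption" (type 7) XORs each character of the
secret with a byte of a fixed, publicly known key. The first two characters
of a type 7 string are a decimal offset into that key; the rest is hex, one
byte pair per plaintext character. The key chain trick just asks IOS to
perform this reversal; this script does the same offline.
"""
import re

# Fixed key used by IOS type 7 obfuscation. It is widely published and is
# the whole reason type 7 provides no confidentiality.
TYPE7_KEY = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(encoded: str) -> str:
    """Reverse a type 7 string into its plaintext."""
    encoded = encoded.strip()
    if len(encoded) < 4 or len(encoded) % 2 != 0:
        raise ValueError("type 7 string must be even length and at least 4 chars")
    if not encoded[:2].isdigit():
        raise ValueError("type 7 string must start with a two-digit offset")
    offset = int(encoded[:2])
    if offset >= len(TYPE7_KEY):
        raise ValueError("type 7 offset is out of range for the key")
    try:
        body = bytes.fromhex(encoded[2:])
    except ValueError as exc:
        raise ValueError("type 7 body is not valid hex") from exc
    plain = bytearray()
    for i, b in enumerate(body):
        plain.append(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)])
    return plain.decode("latin-1")


def type7_encode(plain: str, offset: int = 0) -> str:
    """Inverse of type7_decode: produce a type 7 string starting at `offset`.
    Useful to confirm a round trip or to generate a value for key-string 7."""
    if not 0 <= offset < len(TYPE7_KEY):
        raise ValueError("offset must be in range of the key")
    data = plain.encode("latin-1")
    enc = bytes(b ^ TYPE7_KEY[(offset + i) % len(TYPE7_KEY)]
                for i, b in enumerate(data))
    return f"{offset:02d}" + enc.hex().upper()


# The two type 7 strings from the key chain session in the post.
POST_KEYS = ["06150A225E4B1D12000E", "095F4B0A0B0003190E15"]

# Constructed sample config, not from the post: a TACACS server key and a
# key chain entry, both stored as type 7.
SAMPLE_CONFIG = """\
tacacs server ACS1
 address ipv4 192.0.2.10
 key 7 06150A225E4B1D12000E
!
key chain tempkeys
 key 2
  key-string 7 095F4B0A0B0003190E15
"""

# Matches "<something> 7 <2-digit offset><hex pairs>" as used by
# "key 7 ...", "key-string 7 ..." and "password 7 ..." lines.
_TYPE7_RE = re.compile(r"\b7\s+([0-9]{2}(?:[0-9A-Fa-f]{2})+)\b")


def decode_from_config(config_text: str) -> dict:
    """Return {type7_string: plaintext} for every type 7 value found."""
    return {m.group(1): type7_decode(m.group(1))
            for m in _TYPE7_RE.finditer(config_text)}


if __name__ == "__main__":
    for enc in POST_KEYS:
        print(enc, "->", type7_decode(enc))
    for enc, plain in decode_from_config(SAMPLE_CONFIG).items():
        print("config:", enc, "->", plain)
```

Both strings from the session decode to the same "secretkey" the router printed; the differing hex is only because each was encoded with a different starting offset. The practical takeaway is that a type 7 value in a template or a backup is effectively plaintext to anyone who can read the file, so treat config repositories and backups accordingly.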