issue with one of our ASAs authenticating

Unanswered Question
Aug 28th, 2007

One of our ASAs is having problems authenticating against our TACACS server. We can run the test authentication feature fine and the ASA can ping the server. However, when I try to authenticate I see this in the log:

4 Aug 28 2007 09:30:31 409023 Attempting AAA Fallback method LOCAL for Authentication request for user [someuser] : Auth-server group [acsserver] unreachable

On the ACS server I don't see any failed attempts in the logs. All of our other devices work fine, including a few other ASAs. The only difference with this guy is that it's running 8.0 software. I double-checked the shared key and it's okay (well, it should be fine since I can run the test fine). Any ideas?

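The 409023 message quoted above is worth watching for on its own: every hit means the firewall has silently stopped consulting the AAA server and is accepting LOCAL credentials instead, so a run of them is both an outage signal and an audit gap. The following script is an added example, not code from the thread or from Cisco; it parses ASA syslog lines in the plain "severity timestamp msgid text" shape shown in the post, extracts the user and server-group from each fallback event, and counts events per unreachable group. The first sample line is the one from the post; the other three lines are constructed here and the message ids in them are only there to give the parser something to ignore.

```python
import re
from collections import Counter

# Constructed sample syslog text. The first line is the message quoted in the
# thread; the remaining lines are made up here to give the parser mixed input.
SAMPLE_LOG = """\
4 Aug 28 2007 09:30:31 409023 Attempting AAA Fallback method LOCAL for Authentication request for user [someuser] : Auth-server group [acsserver] unreachable
6 Aug 28 2007 09:30:33 111008 User 'someuser' executed the 'show run' command.
4 Aug 28 2007 09:45:10 409023 Attempting AAA Fallback method LOCAL for Authentication request for user [admin] : Auth-server group [acsserver] unreachable
6 Aug 28 2007 09:46:00 302013 Built inbound TCP connection 12345 for outside:203.0.113.5/40000 to inside:192.0.2.10/443
"""

# Generic shape of the lines in the thread: severity, timestamp, message id, text.
LINE_RE = re.compile(
    r"^(?P<sev>\d)\s+(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\s+"
    r"(?P<msgid>\d{6})\s+(?P<text>.*)$"
)

# Body of message 409023 exactly as it appears in the post.
FALLBACK_RE = re.compile(
    r"Attempting AAA Fallback method (?P<method>\S+) for (?P<req>\S+) request "
    r"for user \[(?P<user>[^\]]*)\] : Auth-server group \[(?P<group>[^\]]*)\] unreachable"
)


def parse_line(line):
    """Split one syslog line into fields, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def find_fallbacks(log_text):
    """Return one record per 409023 fallback event found in log_text."""
    events = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec or rec["msgid"] != "409023":
            continue
        body = FALLBACK_RE.search(rec["text"])
        if not body:
            continue
        events.append({"ts": rec["ts"], **body.groupdict()})
    return events


def unreachable_groups(events):
    """Count fallback events per AAA server group reported unreachable."""
    return Counter(e["group"] for e in events)


if __name__ == "__main__":
    events = find_fallbacks(SAMPLE_LOG)
    for e in events:
        print(f'{e["ts"]} user={e["user"]} request={e["req"]} '
              f'group={e["group"]} fallback={e["method"]}')
    print(dict(unreachable_groups(events)))
```

Feeding it a real export is a matter of replacing SAMPLE_LOG with the file contents; a count that keeps climbing for one group while other devices authenticate normally points, as in this thread, at the one firewall's path to the server rather than at the server itself.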
Jagdeep Gambhir Tue, 08/28/2007 - 07:41

Jack,

Do you see any hits in ACS passed attempts? Try increasing the TACACS timeout and see if that makes any difference.

Regards,

~JG

jackleung Tue, 08/28/2007 - 08:29

I took a look at those logs. I see the hits when I run the test authentication from the ASA (I'm logged in locally as fallback at the moment), but when I try to log in as normal with my AD creds I don't see any hits.

pemasirid Wed, 03/12/2008 - 06:40

Hi Jack,

I hope you solved the issue with AAA authorization on your ASA. I have a similar issue with my ASA.

I configured AAA authorization in the firewall, but it works only for local username/password. PIX version 7.2(2) and ACS-SE 4.1.

Here is my configuration:

XXX-PIX515(config)# sh run aaa-server
aaa-server VPN protocol radius
accounting-mode simultaneous
aaa-server VPN host 172.20.20.11
key XXX
aaa-server VPN host 172.20.20.12
key XXX
aaa-server my-group protocol tacacs+
aaa-server my-group host 172.20.20.11
key XXXX
aaa authentication telnet console my-group LOCAL
aaa authentication enable console my-group LOCAL
aaa authorization command my-group LOCAL
aaa accounting command privilege 15 my-group

Note: I also have RADIUS on the same ACS for my VPN access, and I added it as a RADIUS client with a different key. Moreover, I could not see any failed logs on ACS. It works fine with local authorization.

Can you tell me why I can't authenticate and authorize with the TACACS+ server?

Thanks in advance
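Before chasing the server side, it helps to confirm the firewall side of a configuration like the one posted above is internally consistent. The script below is an added example, not code from the thread or from Cisco; the checks are mine. It parses the `aaa-server` and `aaa` lines of a `show run aaa-server` dump and reports the three things that most often produce exactly the symptom described in this thread (local works, the server is never consulted): a rule that names a server-group that was never defined, a group with no hosts, and an authentication or authorization rule with no LOCAL fallback, which is a lockout risk rather than a login failure but belongs in the same review. It also notes when one host serves groups of different protocols, since, as the poster observed, the ACS then needs a client entry and key for each protocol. SAMPLE_CONFIG is the poster's own dump; WEAK_CONFIG is constructed here to show the checks firing.

```python
import re

# The aaa-server configuration posted in the thread (keys redacted by the poster).
SAMPLE_CONFIG = """\
aaa-server VPN protocol radius
accounting-mode simultaneous
aaa-server VPN host 172.20.20.11
key XXX
aaa-server VPN host 172.20.20.12
key XXX
aaa-server my-group protocol tacacs+
aaa-server my-group host 172.20.20.11
key XXXX
aaa authentication telnet console my-group LOCAL
aaa authentication enable console my-group LOCAL
aaa authorization command my-group LOCAL
aaa accounting command privilege 15 my-group
"""

# Constructed counter-example: a group with no hosts, a rule with no LOCAL
# fallback and a rule that names a group that was never defined.
WEAK_CONFIG = """\
aaa-server my-group protocol tacacs+
aaa authentication ssh console my-group
aaa authorization command other-group
"""

GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
HOST_RE = re.compile(r"^aaa-server (\S+) host (\S+)")
RULE_RE = re.compile(r"^aaa (authentication|authorization|accounting) (.+)$")


def parse_aaa(config_text):
    """Collect server groups (protocol, hosts) and the aaa rules that use them.
    'key' and 'accounting-mode' lines are not needed for these checks and are skipped."""
    groups, rules = {}, []
    for raw in config_text.splitlines():
        line = raw.strip()
        m = GROUP_RE.match(line)
        if m:
            groups.setdefault(m.group(1), {"protocol": None, "hosts": []})["protocol"] = m.group(2)
            continue
        m = HOST_RE.match(line)
        if m:
            groups.setdefault(m.group(1), {"protocol": None, "hosts": []})["hosts"].append(m.group(2))
            continue
        m = RULE_RE.match(line)
        if m:
            rules.append((m.group(1), m.group(2).split()))
    return groups, rules


def lint_aaa(config_text):
    """Return a list of human-readable findings; an empty list means nothing to report."""
    groups, rules = parse_aaa(config_text)
    findings = []
    for kind, toks in rules:
        rule = f"aaa {kind} {' '.join(toks)}"
        has_local = toks[-1] == "LOCAL"
        # The server-group is the last token, or the one before a trailing LOCAL.
        group = toks[-2] if (has_local and len(toks) > 1) else toks[-1]
        if group in ("LOCAL", "console", "command"):
            continue  # local-only rule, nothing to resolve
        if group not in groups:
            findings.append(f"{rule}: references undefined server-group {group}")
        elif not groups[group]["hosts"]:
            findings.append(f"{rule}: server-group {group} has no hosts")
        if kind in ("authentication", "authorization") and not has_local:
            findings.append(f"{rule}: no LOCAL fallback, lockout risk if {group} is unreachable")
    # One host serving groups of different protocols: the AAA server needs a
    # client definition (and key) per protocol, as the poster notes.
    by_host = {}
    for name, g in groups.items():
        for host in g["hosts"]:
            by_host.setdefault(host, []).append((name, g["protocol"]))
    for host, users in by_host.items():
        if len({p for _, p in users}) > 1:
            desc = ", ".join(f"{n} ({p})" for n, p in users)
            findings.append(f"host {host} is shared by {desc}: the server needs a client entry and key per protocol")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted config", SAMPLE_CONFIG), ("weak config", WEAK_CONFIG)):
        print(f"== {label} ==")
        for f in lint_aaa(cfg) or ["no findings"]:
            print(" ", f)
```

On the posted configuration the only finding is the shared host 172.20.20.11, which matches what the poster already did on the ACS side; that narrows the remaining suspects to the TACACS+ key, the client entry for this device on the server, and reachability on the TACACS+ port rather than the firewall's AAA rules.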
