Switches and Routers can authenticate through ASA5520

Unanswered Question
May 10th, 2008

Routers & switches (outside zone) can't authenticate using ACS (inside zone),

even if I permit any any.

I can telnet to ACS port 49, and I can also ping the ACS,

but there is no failed or passed attempt coming from devices in the outside zone.

rkalia1 Sat, 05/10/2008 - 06:26

Have you added the devices in the ACS? Also, have you configured AAA on the routers and switches on the outside? A config of these will help answer better.

Richard Burts Sat, 05/10/2008 - 09:10
User Badges: Super Silver (17500 points or more); Hall of Fame, Founding Member; Cisco Designated VIP 2017 (LAN, WAN)

Raman


If I understand the post from Mohammed correctly there are no failed attempts reported. If the issue were that they were not configured in ACS then there would be entries in the failed attempt log - indicating attempts from an unknown host.


Asking to see some configs from devices that do not work is a very reasonable thing. It would allow us to see if there were issues that might prevent authentication. And it would allow us to see if the source interface is specified. Mohammed says that he can telnet to the server on port 49 which demonstrates that there is IP connectivity using the default choice of interface. I would like to see if that is the same interface that AAA is using.


If there are no failed attempts reported then that implies that either the firewall is denying the requests (which Mohammed implies is not the case) or they are not being sent from the router, or they are being misdirected. If seeing the configs does not point toward a solution perhaps the output of debug tacacs authentication would be helpful.


HTH


Rick

majaj Sat, 05/10/2008 - 21:35

Actually, there is no failed or passed attempt at the ACS server.

The router is choosing to authenticate locally, as if it can't see the ACS.

But why can't it see the ACS?


Richard Burts Sun, 05/11/2008 - 14:13
User Badges: Super Silver (17500 points or more); Hall of Fame, Founding Member; Cisco Designated VIP 2017 (LAN, WAN)

As I suggested in my previous post:

If there are no failed attempts reported then that implies that either the firewall is denying the requests (which Mohammed implies is not the case) or they are not being sent from the router, or they are being misdirected. If seeing the configs does not point toward a solution perhaps the output of debug tacacs authentication would be helpful.


Please post configs or post debug output.


HTH


Rick
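For readers following the diagnosis Rick lays out (no failed attempts on ACS, so the requests are either not being sent, being sent from an unexpected source interface, or being dropped before they reach the server), the following is an added example of the router-side AAA configuration and the checks that make that determination, with comments. It is not config from the original thread or from either poster; the addresses, interface names, list names and shared secret are placeholders chosen for illustration.

```cisco
! --- Router / switch in the outside zone (IOS 12.x style syntax) ---
aaa new-model
!
! Method list: try TACACS+ first, fall back to local only if the server
! is unreachable. If the router silently uses local, the TACACS+ request
! never reached ACS or never got a reply.
aaa authentication login VTY-AUTH group tacacs+ local
!
! ACS server in the inside zone (placeholder address and key)
tacacs-server host 192.0.2.10
tacacs-server key EXAMPLE-SHARED-SECRET
!
! Force the source address of TACACS+ packets. Without this the router
! picks the egress interface address, which may differ from the address
! the firewall rule or the ACS client entry expects. A successful manual
! "telnet 192.0.2.10 49" only proves reachability from the default source.
ip tacacs source-interface FastEthernet0/0
!
line vty 0 4
 login authentication VTY-AUTH
!
! --- Verification from the router (exec mode) ---
! show tacacs                 : packets sent/received, socket errors per server
! debug tacacs authentication : shows whether a request is sent and any reply
! test aaa group tacacs+ USER PASS legacy : triggers a request without logging in
!
! --- ASA 5520: narrow the outside-to-inside rule to TACACS+ (port 49) ---
! access-list OUTSIDE_IN extended permit tcp host 198.51.100.1 host 192.0.2.10 eq tacacs
! access-group OUTSIDE_IN in interface outside
```

With `aaa authentication login ... group tacacs+ local`, local fallback is used only when every TACACS+ server is marked unreachable; the output of `show tacacs` (socket opens versus connection failures) together with `debug tacacs authentication` shows which of Rick's three cases applies, and the `ip tacacs source-interface` line is the usual fix when connectivity tests succeed but AAA traffic is sourced from a different address than the firewall rule or the ACS network-device entry expects.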
