Switches and Routers can authenticate through ASA5520

Unanswered Question
May 10th, 2008

Routers & switches (outside zone) can't authenticate using ACS (inside zone),

even if I permit any any.

I can telnet to ACS port 49, I can also ping to ACS,

but there is no failed or passed attempt coming from devices in the outside zone.

rkalia1 Sat, 05/10/2008 - 06:26

Have you added the devices in the ACS? Also, have you configured AAA on the routers and switches on the outside? A config of these will help answer better.

Richard Burts Sat, 05/10/2008 - 09:10

Raman

If I understand the post from Mohammed correctly there are no failed attempts reported. If the issue were that they were not configured in ACS then there would be entries in the failed attempt log - indicating attempts from an unknown host.

Asking to see some configs from devices that do not work is a very reasonable thing. It would allow us to see if there were issues that might prevent authentication. And it would allow us to see if the source interface is specified. Mohammed says that he can telnet to the server on port 49 which demonstrates that there is IP connectivity using the default choice of interface. I would like to see if that is the same interface that AAA is using.

If there are no failed attempts reported then that implies that either the firewall is denying the requests (which Mohammed implies is not the case) or they are not being sent from the router, or they are being misdirected. If seeing the configs does not point toward a solution perhaps the output of debug tacacs authentication would be helpful.

HTH

Rick

majaj Sat, 05/10/2008 - 21:35

Actually, there is no failed or passed attempt at the ACS server.

The router is choosing to authenticate locally, as if it can't see the ACS.

But why can't it see the ACS?

Richard Burts Sun, 05/11/2008 - 14:13

As I suggested in my previous post:

If there are no failed attempts reported then that implies that either the firewall is denying the requests (which Mohammed implies is not the case) or they are not being sent from the router, or they are being misdirected. If seeing the configs does not point toward a solution perhaps the output of debug tacacs authentication would be helpful.

Please post configs or post debug output.

HTH

Rick
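An added illustration (not from any of the posts above) of the kind of IOS-side configuration Rick is asking to see, showing how a method list that falls back to `local` produces exactly the symptom Mohammed describes when the TACACS+ request never reaches ACS. The server address, interface name, username and keys are constructed placeholders.

```ios
! Added example, not from the thread: minimal IOS TACACS+ login setup
! whose method list falls back to local authentication. If the request
! never reaches ACS, the router times out and logs in locally, and ACS
! records neither a passed nor a failed attempt.
! Server address, interface, username and keys are placeholders.
aaa new-model
!
! ACS is in the ASA inside zone; this router is in the outside zone.
tacacs-server host 192.0.2.10
tacacs-server key PLACEHOLDER-SHARED-KEY
!
! Source interface matters: a manual telnet to port 49 is sourced from
! the exit interface, but AAA is sourced from whatever is set here. If
! this address is one the ASA policy does not permit, or has no route
! back to, the request is dropped or misdirected, ACS sees nothing, and
! the router silently falls through to "local" after the TACACS+ timeout.
ip tacacs source-interface FastEthernet0/0
!
! Try TACACS+ first, then local. Keep "local" as the last method;
! without it an unreachable server locks administrators out.
aaa authentication login default group tacacs+ local
!
username admin privilege 15 secret PLACEHOLDER-LOCAL-PASSWORD
!
line vty 0 4
 login authentication default
 transport input ssh
```

While a login is attempted, `debug tacacs authentication` (as Rick suggests) shows whether a request is sent and to which server address, and `show tacacs` reports per-server socket opens, timeouts and failed connect attempts, which distinguishes "never sent" from "sent but never answered".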
