TACACS Authentication not working with ASA

Unanswered Question
Jul 16th, 2008
User Badges:

I have an ACS 4.1 Windows server running TACACS. It si working on all devices within the enterprise except for one new ASA at a remote site. There is no NAT going on or anything and the ASA can ping the ACS box and the ACS box can ping the ASA.

I added the configuration below but the authentication fails and no requests come to the ACS server

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ host 10.x.x.x

key password

aaa authentication ssh console TACACS+ LOCAL

aaa authentication enable console TACACS+ LOCAL

aaa authentication http console TACACS+ LOCAL

Any help would be greatly appreciated

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
dhananjoy chowdhury Wed, 07/16/2008 - 10:31
User Badges:
  • Silver, 250 points or more


Is there any FW device in between which may be blocking the TACACS ports ?

Also run this test on the ASA box :-

myASA# test aaa-server authentication TACACS+ host 10.x.x.x

dennismatz Thu, 07/17/2008 - 07:58
User Badges:

There are no firewalls in between the devices, I ran the test command and recieved the following:

ERROR: Authentication Server not responding: No error

dhananjoy chowdhury Thu, 07/17/2008 - 09:50
User Badges:
  • Silver, 250 points or more

Just to confirm - did you add the ASA box as AAA client on the ACS server and are you using the same KEY here in the ASA config?

Jagdeep Gambhir Fri, 07/18/2008 - 07:22
User Badges:
  • Red, 2250 points or more

Please check shared secret key. Remember NDG key overwrites aaa client key.

Make sure acs should have correct ip address of asa in network configuration.

Do you see any hits on acs failed or passed attempts ? Also try increasing the tacacs timeout to 15 sec.

srue Fri, 07/18/2008 - 20:31
User Badges:
  • Blue, 1500 points or more

make sure the address you've added to ACS is the one the ASA is communicating from - in this case, it should be the interface closest to the ACS device.

dennismatz Mon, 07/21/2008 - 05:40
User Badges:

The ASA which is experiencing issues connects to the subnet the ACS box is on over a IPSec tunnel. There are numerous other ASA configured just like this and they are configured with the inside IP address on the ACS server.


This Discussion