TACACS+ configuration for Cisco ASA

Unanswered Question
Jan 21st, 2009

I tired configuring TACACS+ configuration for ASA but unable to complete it. I have ACS 3.3 for all other Cisco Routers and Switches

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Tshi M Thu, 01/22/2009 - 05:10

Please see below:

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ host x.x.x.x

key test

aaa authentication ssh console TACACS+

aaa authentication enable console TACACS+

aaa authentication http console TACACS+

dphills18 Wed, 01/28/2009 - 10:57

Is there some type of access list that needs to be inserted or something. I can't get this to work. It should be that difficult. I keep getting "Password authentication failed."

Richard Burts Wed, 01/28/2009 - 14:22


There is not an access list that is required to authenticate from the ASA. Perhaps we could find your problem if you would post your configuration.



dphills18 Wed, 01/28/2009 - 17:51

Hey Rick, thanks. I finally figured out what was going on. We use RSA tokens for authentication. It would allow me to log into the ASA, however, when I would try to log into the enable mode, I would have complications.

What I learned as that I needed to wait for the key on the RSA token to change to the next code and use that. The ASA will not let me use the same code to log into enable mode.

Does anyone know if this feature can be bypassed to where I can use the same token key code for both prompts?


Richard Burts Wed, 01/28/2009 - 19:13


I am glad that you have figured out what the issue is. I believe that it is a fundamental concept of RSA tokens that you can only use a token once. Any attempt to authenticate a second time with the same token will be rejected.

So authenticate once (with the first token) and then wait till the new token is generated before you attempt to authenticate to enable mode.



Daniel Laden Sun, 02/01/2009 - 13:05

Unlike a router or switch, you cannot go straight to enable mode on an ASA.  You will need to authenticate twice.

leo_zidane Tue, 03/24/2009 - 02:35

Hi all,

I am unable to login into ASA ADSM through RSA tokens but SSH can. What setting do i miss out?


Richard Burts Tue, 03/24/2009 - 04:56


If you post the configuration of the ASA we might be able to see what the issue is. But so far we do not have nearly enough information to analyze the problem.



leo_zidane Tue, 03/24/2009 - 08:59

So the problem lies in ASA but not ACS authentication or authorization issue?

Because it is not convenient for me to post the config can u tell me what is the typical configuration for ASA to communicate with ACS via RSA tokens?

I search at Cisco website but they never say how to do it. Plus currently my wireless controllers and ASA GUI are unable to use RSA tokens to authenticate.

Really need some help from all expert out there.

Thank you very much

Richard Burts Tue, 03/24/2009 - 13:08


We do not yet know for sure where the problem is. But based on your description of the symptoms I believe that it is more likely a problem in configuration of the ASA then in the ACS or the RSA tokens. If we get additional information and believe that it is not an ASA configuration issue then we can look at the ACS and the RSA tokens for possible issues.

There are several options in how to configure the ASA and it would be better if we could see how you have configured the ASA rather than attempt to guess which configuration options would fit your circumstance.



leo_zidane Tue, 03/24/2009 - 18:45

ok my ASA and wireless controllers authenticate using TACACS+ through ACS. Currently my local database in ACS works but when i start using RSA the GUI failed to lunch and got hang. It seemed that it authenticate successful at RSA but when returned the credential to ASA it failed.

Why is this so? Has anyone tried using RSA tokens and able to authenticate w ASA and wireless controllers GUI.

Jatin Katyal Sun, 07/14/2013 - 06:39


I was looking around and come across this post. It's very late, however, wanted to add my inputs for other community members.

RSA Token/One-Time-Password support available with ASDM only in SINGLE ROUTED MODE. If you are in Single Routed Mode, you can do OTP with ASDM if you are running ASA 8.2+  with ASDM 6.2+.

If the firewall is running in multi-context and transparent mode. It won't work. Below is the enhancement request that was filed for the same feature to be supported.

CSCtf23419    ASDM OTP authentication support in multi-context and transparent modes

With WLC is yet not possible and there is a enhancement request filed.

CSCuf61598    WLC: Need ability to support multiple sessions via OTP authentication

Jatin Katyal

**Do rate helpful posts**


This Discussion