Tshi M Thu, 01/22/2009 - 05:10
User Badges:
  • Silver, 250 points or more

Please see below:


aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ host x.x.x.x
 key test

aaa authentication ssh console TACACS+
aaa authentication enable console TACACS+
aaa authentication http console TACACS+

dphills18 Wed, 01/28/2009 - 10:57

Is there some type of access list that needs to be inserted or something? I can't get this to work. It should be that difficult. I keep getting "Password authentication failed."

Richard Burts Wed, 01/28/2009 - 14:22
User Badges:
  • Super Silver, 17500 points or more
  • Hall of Fame, Founding Member
  • Cisco Designated VIP, 2017 LAN, WAN

Dwayne


There is not an access list that is required to authenticate from the ASA. Perhaps we could find your problem if you would post your configuration.


HTH


Rick

dphills18 Wed, 01/28/2009 - 17:51

Hey Rick, thanks. I finally figured out what was going on. We use RSA tokens for authentication. It would allow me to log into the ASA, however, when I would try to log into the enable mode, I would have complications.


What I learned was that I needed to wait for the key on the RSA token to change to the next code and use that. The ASA will not let me use the same code to log into enable mode.


Does anyone know if this feature can be bypassed to where I can use the same token key code for both prompts?


Dwayne

Richard Burts Wed, 01/28/2009 - 19:13

Dwayne


I am glad that you have figured out what the issue is. I believe that it is a fundamental concept of RSA tokens that you can only use a token once. Any attempt to authenticate a second time with the same token will be rejected.


So authenticate once (with the first token) and then wait till the new token is generated before you attempt to authenticate to enable mode.


HTH


Rick
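
The one-time-use behaviour described in this exchange, as an added example that is not part of the original thread. RSA SecurID uses its own algorithm, so RFC 6238 TOTP stands in for it here; the 60-second step, the `OneTimeVerifier` class, the user name and the seed are assumptions constructed for illustration.

```python
import hashlib
import hmac
import struct

STEP = 60  # assumed lifetime of one tokencode, in seconds


def totp(secret: bytes, timestep: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for a single time step."""
    mac = hmac.new(secret, struct.pack(">Q", timestep), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)


class OneTimeVerifier:
    """Accepts each tokencode once by tracking the last consumed time step."""

    def __init__(self, secrets: dict):
        self.secrets = secrets
        self.last_step = {}  # user -> highest time step already accepted

    def verify(self, user: str, code: str, now: int) -> bool:
        secret = self.secrets.get(user)
        if secret is None:
            return False
        step = now // STEP
        if not hmac.compare_digest(totp(secret, step), code):
            return False
        if step <= self.last_step.get(user, -1):
            return False  # code is correct but was already used: reject replay
        self.last_step[user] = step
        return True


def demo() -> list:
    """Login, enable with the same code, then enable with the next code."""
    seed = b"constructed-demo-seed"       # constructed sample value
    server = OneTimeVerifier({"netadmin": seed})
    t0 = 1_233_180_000                    # constructed timestamp, step-aligned
    first = totp(seed, t0 // STEP)
    second = totp(seed, (t0 + STEP) // STEP)
    return [
        server.verify("netadmin", first, t0),          # SSH login prompt
        server.verify("netadmin", first, t0 + 10),     # enable, same code
        server.verify("netadmin", second, t0 + STEP),  # enable, next code
    ]


if __name__ == "__main__":
    print(demo())
```

The second call fails even though the code is still valid for its time window, which is the same symptom as the rejected enable prompt above.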


Daniel Laden Sun, 02/01/2009 - 13:05
User Badges:
  • Cisco Employee


Unlike a router or switch, you cannot go straight to enable mode on an ASA.  You will need to authenticate twice.

oscarpirez Wed, 03/18/2009 - 07:45

Hello Jagdeep,


thank you very much for the info.


Regards,


Oscar

oscarpirez Wed, 03/18/2009 - 07:59

Sorry,


is this valid for ASA 8.0 as well?


regards,


Oscar

leo_zidane Tue, 03/24/2009 - 02:35

Hi all,


I am unable to log in to ASA ASDM through RSA tokens but SSH can. What setting do I miss out?


Thanks

Richard Burts Tue, 03/24/2009 - 04:56

Leonard


If you post the configuration of the ASA we might be able to see what the issue is. But so far we do not have nearly enough information to analyze the problem.


HTH


Rick

leo_zidane Tue, 03/24/2009 - 08:59

So the problem lies in ASA but not ACS authentication or authorization issue?


Because it is not convenient for me to post the config, can you tell me what is the typical configuration for ASA to communicate with ACS via RSA tokens?


I searched the Cisco website but they never say how to do it. Plus, currently my wireless controllers and ASA GUI are unable to use RSA tokens to authenticate.


Really need some help from all the experts out there.


Thank you very much


Richard Burts Tue, 03/24/2009 - 13:08

Leonard


We do not yet know for sure where the problem is. But based on your description of the symptoms I believe that it is more likely a problem in configuration of the ASA than in the ACS or the RSA tokens. If we get additional information and believe that it is not an ASA configuration issue then we can look at the ACS and the RSA tokens for possible issues.


There are several options in how to configure the ASA and it would be better if we could see how you have configured the ASA rather than attempt to guess which configuration options would fit your circumstance.


HTH


Rick

leo_zidane Tue, 03/24/2009 - 18:45

OK, my ASA and wireless controllers authenticate using TACACS+ through ACS. Currently my local database in ACS works, but when I start using RSA the GUI failed to launch and hung. It seemed that it authenticated successfully at RSA, but when it returned the credential to ASA it failed.


Why is this so? Has anyone tried using RSA tokens and been able to authenticate with ASA and wireless controllers GUI?

Jatin Katyal Sun, 07/14/2013 - 06:39
User Badges:
  • Cisco Employee

Leo,


I was looking around and came across this post. It's very late, however, I wanted to add my inputs for other community members.


RSA Token/One-Time-Password support is available with ASDM only in SINGLE ROUTED MODE. If you are in Single Routed Mode, you can do OTP with ASDM if you are running ASA 8.2+ with ASDM 6.2+.


If the firewall is running in multi-context and transparent mode, it won't work. Below is the enhancement request that was filed for the same feature to be supported.


CSCtf23419    ASDM OTP authentication support in multi-context and transparent modes


With WLC it is not yet possible, and there is an enhancement request filed.


CSCuf61598    WLC: Need ability to support multiple sessions via OTP authentication



~BR
Jatin Katyal

**Do rate helpful posts**
