ACS, AAA config for ASA 5540 7.2 code not working

Unanswered Question
Apr 9th, 2009
User Badges:

Hi,


I cannot login using my ACS credentials on this firewall. I have a 1113 appliance running 4.2, and I am trying to setup a 5540 for AAA. Here is my config on the FW:


ssh 10.12.1.96 255.255.255.255 inside

ssh 10.10.7.179 255.255.255.255 inside


username asaadmin password acs priv 15


aaa-server ACS protocol tacacs+

aaa-server ACS host 10.12.1.30

key acskey

aaa authentication ssh console ACS LOCAL

aaa authentication serial console ACS LOCAL

aaa authentication enable console ACS LOCAL

aaa authorization command ACS LOCAL

aaa accounting ssh console ACS


I do not see this ASA in failed attempts on the ACS box. I have never been able to ping the ACS server from anywhere, but I have switches and routers authenticating.


The ACS box is 10.12.1.30

FW is 10.12.1.37 on the Managment 0/0 interface.


I have a default route to 10.12.1.1 on the FW for mgt and inside.


Thank you for your assistance.


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
chuckholley Fri, 04/10/2009 - 04:29
User Badges:

I ran this test, it appears that the ASA and ACS appliance are not talking.


LMTVPN01(config)# test aaa-server authentication ACS host 10.12.1.30 username$

INFO: Attempting Authentication test to IP address <10.12.1.30> (timeout: 12 seconds)

ERROR: Authentication Server not responding: No error


Any Help would be appreciated!!!

chuckholley Fri, 04/10/2009 - 04:42
User Badges:

LMTVPN01(config)test aaa-server authentication ACS host 10.12.1.30 username $

INFO: Attempting Authentication test to IP address <10.12.1.30> (timeout: 12 seconds)

INFO: Authentication Successful


OK, i figured out that I need to get it off the managment port due to the nature of that port and my little understanding of it :)


Howere, I still cannot SSH to the FW, I get a access denied and there are no failed attempts logged on the ACS appliance.

chuckholley Fri, 04/10/2009 - 04:48
User Badges:

FIgured it out, I had to enable PIX shell on the ACS appliance and a pix/asa authorization set!!


Thanks Chuck!

dpatkins Fri, 04/10/2009 - 04:53
User Badges:

Can you explain this a little more? You enable the pix shell on ACS and a pix authorization set?


Not sure exactly what this mean?


Dwane

Actions

This Discussion