ACS, AAA config for ASA 5540 7.2 code not working

Apr 9th, 2009
I cannot log in using my ACS credentials on this firewall. I have a 1113 appliance running 4.2, and I am trying to set up a 5540 for AAA. Here is my config on the FW:

ssh inside
ssh inside
username asaadmin password acs priv 15
aaa-server ACS protocol tacacs+
aaa-server ACS host
key acskey
aaa authentication ssh console ACS LOCAL
aaa authentication serial console ACS LOCAL
aaa authentication enable console ACS LOCAL
aaa authorization command ACS LOCAL
aaa accounting ssh console ACS

I do not see this ASA in failed attempts on the ACS box. I have never been able to ping the ACS server from anywhere, but I have switches and routers authenticating.

The ACS box is

FW is on the Management 0/0 interface.

I have a default route to on the FW for mgt and inside.

Thank you for your assistance.

chuckholley Fri, 04/10/2009 - 04:29
I ran this test; it appears that the ASA and ACS appliance are not talking.

LMTVPN01(config)# test aaa-server authentication ACS host username$

INFO: Attempting Authentication test to IP address <> (timeout: 12 seconds)

ERROR: Authentication Server not responding: No error

Any Help would be appreciated!!!

chuckholley Fri, 04/10/2009 - 04:42
LMTVPN01(config)# test aaa-server authentication ACS host username $

INFO: Attempting Authentication test to IP address <> (timeout: 12 seconds)

INFO: Authentication Successful

OK, I figured out that I need to get it off the management port, due to the nature of that port and my little understanding of it :)

However, I still cannot SSH to the FW; I get an access denied, and there are no failed attempts logged on the ACS appliance.

chuckholley Fri, 04/10/2009 - 04:48
Figured it out: I had to enable PIX shell on the ACS appliance and a PIX/ASA authorization set!!

Thanks Chuck!
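Pulling the thread's findings together, here is an added example of an ASA 7.2 TACACS+ management-AAA configuration. It is not the poster's config and not Cisco's own documentation; the ACS address 10.1.1.10, the admin subnet 10.1.1.0/24, the interface name "inside" and both secrets are assumptions chosen for the example.

```cisco
! Added example (not the original poster's config). Assumptions: ACS 1113
! at 10.1.1.10 reachable through the "inside" interface, admins on
! 10.1.1.0/24, placeholder secrets that must be replaced.

! Allow SSH only from the admin subnet, on the interface it arrives on.
ssh 10.1.1.0 255.255.255.0 inside
ssh timeout 10
ssh version 2

! Local fallback account. It is consulted only when no ACS server answers
! (the LOCAL keyword at the end of the aaa lines below), so give it
! privilege 15 so an admin can still work under local command authorization.
username asaadmin password Fallback-Pass-Change-Me privilege 15

! TACACS+ server group. The interface name in parentheses is the detail
! the thread turned on: the ASA reaches the server through that interface,
! so it must be the one with a route to ACS. The poster's first test, with
! the server reached over Management0/0, returned "Authentication Server
! not responding"; moving it off that port made the test succeed.
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 10.1.1.10
 key S3cret-TACACS-Key
 timeout 5

! Authenticate every management path against ACS. LOCAL is a fallback for
! an unreachable server only; a password ACS rejects is still a rejection.
aaa authentication ssh console ACS LOCAL
aaa authentication serial console ACS LOCAL
aaa authentication enable console ACS LOCAL

! Per-command authorization against ACS. This is what the poster's second
! problem was about: once authentication worked, the ASA still asked ACS to
! authorize the session's commands, which needs the shell service enabled
! for the device in ACS and a command authorization set that permits the
! commands. Accounting sends each SSH session and command to ACS.
aaa authorization command ACS LOCAL
aaa accounting ssh console ACS
aaa accounting command ACS

! Check the path and the shared key before relying on them. "Server not
! responding" means no usable TACACS+ reply (routing, wrong interface
! binding, device not defined on ACS, or key mismatch). A rejection that
! comes back from the server means the network path is fine and the
! problem is the credentials or the ACS policy.
test aaa-server authentication ACS host 10.1.1.10 username asaadmin password Fallback-Pass-Change-Me
```

The ACS side is outside this fragment: the ASA must be defined there as a network device with the same shared key, and the user or group needs a privilege level and a command authorization set for the PIX/ASA shell service, which is what the poster enabled to clear the "access denied" at login.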

dpatkins Fri, 04/10/2009 - 04:53
Can you explain this a little more? You enabled the PIX shell on ACS and a PIX authorization set?

Not sure exactly what this means.
