03-08-2010 10:34 PM - edited 03-11-2019 10:18 AM
Hi All,
I want to use SSH and HTTP to get authentication through the ACS server.
I am facing an issue with only HTTP authentication through ACS (TACACS+).
When I try to connect to ASDM using TACACS+ authentication, the A/C gets locked in the RADIUS server.
At the same time SSH works fine.
ACS is mapped with RADIUS.
I have attached the HTTP and SSH related config.
======================
aaa-server Two-Factor protocol tacacs+
aaa-server Two-Factor (Layer-3) host Cisco-ACS key abcd
aaa authentication enable console LOCAL
aaa authentication http console Two-Factor
aaa authentication ssh console Two-Factor
ssh Vikram_Shetty 255.255.255.255 Layer-3
http Vikram_Shetty 255.255.255.255 Layer-3
========================================
Also attached some troubleshooting output which I did; not sure if the method is correct.
I tried checking packet tracer and found that the user PC (port http) to the ACS IP on port http is getting dropped due to an ACL.
packet-tracer input layer-3 tcp 10.26.14.50 http 10.26.11.134 ht$
Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in Layer-3_All 255.255.248.0 Layer-3
Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in Layer-3_All 255.255.248.0 Layer-3
Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x54d99b8, priority=111, domain=permit, deny=true
hits=6077, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
src ip=0.0.0.0, mask=0.0.0.0, port=0
dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0
Result:
input-interface: Layer-3
input-status: up
input-line-status: up
output-interface: Layer-3
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
===========================================
To open ASDM, HTTPS is being used.
Please let me know if I am not clear. Need help to trace the root cause.
Regards
Amar
03-09-2010 12:18 PM
Hi,
The result is clear according to Packet Tracer...
The connection is being denied by the ACL.
Troubleshooting step:
Check the ACL applied to the interface where you're coming from, and make sure that such traffic is being permitted.
Question: Is this traffic intended to the ASA itself or through the ASA?
Federico.
03-09-2010 12:45 PM
Does asdm access work without the ACS with just local credentials?
aaa authen http console LOCAL
username blah password blah priv 15
Give it a shot and let us know.
Also, post the output of "sh run http"
-KS
03-09-2010 08:08 PM
Hi,
Yes, the HTTP (ASDM) works fine with local credentials.
I have attached the HTTP configuration in the first log.
Regards
Amar
03-09-2010 08:31 PM
Hi,
Question: Is this traffic intended to the ASA itself or through the ASA ?
Ans: The HTTP-allowed subnets are in one zone and the ACS/RADIUS is in another zone.
Is that what you are asking? I am not very clear about the above query. Please elaborate.
regards
Amar
03-10-2010 08:27 AM
I was asking if the http connection is directed to the ASA itself or through the ASA (but it seems that it is to the ASA, since you're attempting to access ASDM).
Still seems that the outside ACL is blocking the traffic. Have you verified this?
On previous versions of ASA software, the ACL on an interface applied only to traffic passing through the ASA (not traffic directed to it), but now you can apply the ACL to both scenarios.
Also, the output of "sh run http" will let us know if you have any other restrictions.
Federico.
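As an added example (not code from the thread), a small Python parser for packet-tracer output like the trace posted above: it pulls out the first phase whose Result is DROP, the rule text under its Config section, and the trailing Drop-reason, so the ACL phase Federico points at can be located programmatically rather than read by eye. The embedded sample is the thread's own trace, abridged to phases 1 and 4 and the summary.

```python
import re

# Packet-tracer output from the thread above, abridged; phase 4 carries the ACL drop.
SAMPLE_TRACE = """\
Phase: 1
Type: FLOW-LOOKUP
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow
Phase: 4
Type: ACCESS-LIST
Result: DROP
Config:
Implicit Rule
Additional Information:
in id=0x54d99b8, priority=111, domain=permit, deny=true
Result:
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
"""

def parse_phases(trace):
    """Split packet-tracer output into one dict per 'Phase: N' block."""
    phases, cur, section = [], None, None
    for line in trace.splitlines():
        if line.startswith("Phase:"):
            cur, section = {"phase": int(line.split(":", 1)[1]), "config": [], "info": []}, None
            phases.append(cur)
        elif cur is None or line == "Result:":
            cur = None          # a bare "Result:" opens the trailing summary block
        elif line.startswith("Type:"):
            cur["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Result:"):
            cur["result"] = line.split(":", 1)[1].strip()
        elif line in ("Config:", "Additional Information:"):
            section = "config" if line == "Config:" else "info"
        elif section:
            cur[section].append(line.strip())
    return phases

def first_drop(trace):
    """Return the first phase whose Result is DROP, or None if the flow is allowed."""
    return next((p for p in parse_phases(trace) if p.get("result") == "DROP"), None)

def drop_reason(trace):
    """Return the summary 'Drop-reason:' text, or None when the packet was allowed."""
    m = re.search(r"^Drop-reason:\s*(.+)$", trace, re.M)
    return m.group(1).strip() if m else None
```

Running `first_drop(SAMPLE_TRACE)` on the thread's trace reports phase 4, type ACCESS-LIST, config `Implicit Rule`, which is the interface ACL's implicit deny that the replies above say to check.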