AAA authentication and/or authorization issues

t.gorsline (Level 1)

We are getting an authentication or authorization error when we try to log in to the ASA 5505. We are running the following setup:

ACS 5.4

ASA 5505 9.1(3)

Configs:

aaa-server TACACS protocol tacacs+
 reactivation-mode timed
 max-failed-attempts 2
aaa-server TACACS (inside) host 10.224.4.76
 key *****
aaa-server TACACS (inside) host 10.131.2.155
 key *****
user-identity default-domain LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authentication http console TACACS LOCAL
aaa authorization command TACACS LOCAL
aaa accounting enable console TACACS

debugs:

debug aaa authentication
debug tacacs session

mk_pkt - type: 0x1, session_id: 259
user: mine
Tacacs packet sent
Sending TACACS Start message. Session id: 259, seq no:1
Received TACACS packet. Session id:76877407  seq no:2
tacp_procpkt_authen: GETPASS
mk_pkt - type: 0x1, session_id: 259
mkpkt_continue - response: ***
Tacacs packet sent
Sending TACACS Continue message. Session id: 259, seq no:3
Nov 21 2013 15:19:26: %ASA-6-113004: AAA user authentication Successful : server =  10.224.4.76 : user = mine
Nov  21 2013 15:19:26: %ASA-6-113005: AAA user authorization Rejected :  reason = User was not found : server = 0.0.0.0 : user = mine
Received TACACS packet. Session id:76877407  seq no:4
tacp_procpkt_authen: PASS
TACACS Session finished. Session id: 259, seq no: 3

I have verified the configuration in ACS. This is not the first 5505 we have up and working. This is the only one that is having this issue. If I add a local user with the same name and a different password, I can log in with my ACS account and ACS password without issue. It looks like it is missing a packet or my timers are off... every once in a while, I get the following error in ACS:

13031 TACACS+ authentication request missing user Password

I can ping the ACS servers without issue. I can run the test aaa-server command and it passes without issue.

wnj-ukfw1(config)# test aaa-server authentication TACACS host 10.224.4.76 user mine password yours
INFO: Attempting Authentication test to IP address <10.224.4.76> (timeout: 12 seconds)
INFO: Authentication Successful

I can't run the test aaa-server for authorization because we are using tacacs+.

Open to thoughts and suggestions.

Tim
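As an added example (not part of this thread or of any Cisco tool), a small Python check that scans ASA syslog for the pair of events shown in the post: a 113004 authentication success followed within a few seconds by a 113005 authorization rejection for the same user, flagging rejections that report server = 0.0.0.0, i.e. no TACACS server address recorded for the authorization step. The sample log lines are constructed from the post's two messages, and the field layout the regex assumes is taken from those lines only.

```python
import re
from datetime import datetime

# Field layout assumed from the two %ASA-6-113004 / %ASA-6-113005 lines in the post.
ASA_AAA_RE = re.compile(
    r"(?P<ts>\w{3}\s+\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-6-(?P<msgid>11300[45]): "
    r"AAA user (?P<phase>authentication|authorization) (?P<result>\w+)\s*:\s*"
    r"(?:reason = (?P<reason>[^:]+?)\s*:\s*)?server =\s*(?P<server>[\d.]+)\s*:\s*user = (?P<user>\S+)"
)

def parse_aaa_line(line):
    """Return the fields of a 113004/113005 syslog line as a dict, or None otherwise."""
    m = ASA_AAA_RE.search(line)
    if not m:
        return None
    ev = m.groupdict()
    # Collapse doubled spaces ("Nov  21") before parsing the timestamp.
    ev["ts"] = datetime.strptime(" ".join(ev["ts"].split()), "%b %d %Y %H:%M:%S")
    ev["reason"] = ev["reason"].strip() if ev["reason"] else None
    return ev

def find_auth_ok_authz_rejected(lines, window_s=5):
    """Pair each authorization rejection with the most recent authentication
    success for the same user within window_s seconds. no_tacacs_server is
    True when the rejection carries server = 0.0.0.0 instead of a TACACS host."""
    last_success = {}  # user -> (timestamp, server that authenticated the user)
    findings = []
    for line in lines:
        ev = parse_aaa_line(line)
        if ev is None:
            continue
        if ev["msgid"] == "113004" and ev["result"] == "Successful":
            last_success[ev["user"]] = (ev["ts"], ev["server"])
        elif ev["msgid"] == "113005" and ev["result"] == "Rejected":
            prev = last_success.get(ev["user"])
            if prev and 0 <= (ev["ts"] - prev[0]).total_seconds() <= window_s:
                findings.append({
                    "user": ev["user"], "auth_server": prev[1],
                    "authz_server": ev["server"], "reason": ev["reason"],
                    "no_tacacs_server": ev["server"] == "0.0.0.0",
                })
    return findings

# Constructed sample, modelled on the syslog lines in the post (not a real capture).
SAMPLE_LOG = [
    "Nov 21 2013 15:19:26: %ASA-6-113004: AAA user authentication Successful : server =  10.224.4.76 : user = mine",
    "Nov  21 2013 15:19:26: %ASA-6-113005: AAA user authorization Rejected :  reason = User was not found : server = 0.0.0.0 : user = mine",
    "Nov 21 2013 15:20:00: %ASA-6-113004: AAA user authentication Successful : server =  10.224.4.76 : user = other",
]

if __name__ == "__main__":
    for finding in find_auth_ok_authz_rejected(SAMPLE_LOG):
        print(finding)
```

Feeding the output of `show logging` (or a syslog collector export) into find_auth_ok_authz_rejected surfaces hosts where the TACACS authentication step succeeds but command authorization falls through without a server address, which is the pattern in this post.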

3 Replies

I had already read that thread and it isn't even close. I have almost 50 ASA nodes in ACS deployed with the same configuration and IOS version. This is the only one with this issue. Within ACS, they are in the same group and have all the same attributes. The user account isn't the issue either, since I can get into all the other devices without issue. I also have over 700 network switches and routers in ACS and they are all working as desired.

I am looking at changing the version of code on the ASA and starting over with the config... unless someone else has any other ideas.

t.gorsline (Level 1)

We rebooted the ASA and it worked as desired.  Can't believe that is all it took.  It must be something to do with the order of operation within the code base!!
