11-21-2013 07:26 AM - edited 03-10-2019 09:07 PM
We are getting an authentication or authorization error when we try to login into the ASA 5505. We are running the following setup:
ACS 5.4
ASA 5505 9.1(3)
Configs:
aaa-server TACACS protocol tacacs+
reactivation-mode timed
max-failed-attempts 2
aaa-server TACACS (inside) host 10.224.4.76
key *****
aaa-server TACACS (inside) host 10.131.2.155
key *****
user-identity default-domain LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authentication http console TACACS LOCAL
aaa authorization command TACACS LOCAL
aaa accounting enable console TACACS
debugs:
debug aaa authentication
debug tacacs session
mk_pkt - type: 0x1, session_id: 259
user: mine
Tacacs packet sent
Sending TACACS Start message. Session id: 259, seq no:1
Received TACACS packet. Session id:76877407 seq no:2
tacp_procpkt_authen: GETPASS
mk_pkt - type: 0x1, session_id: 259
mkpkt_continue - response: ***
Tacacs packet sent
Sending TACACS Continue message. Session id: 259, seq no:3
Nov 21 2013 15:19:26: %ASA-6-113004: AAA user authentication Successful : server = 10.224.4.76 : user = mine
Nov 21 2013 15:19:26: %ASA-6-113005: AAA user authorization Rejected : reason = User was not found : server = 0.0.0.0 : user = mine
Received TACACS packet. Session id:76877407 seq no:4
tacp_procpkt_authen: PASS
TACACS Session finished. Session id: 259, seq no: 3
I have verified the configuration in ACS. This is not the first 5505 we have up and working. This is the only one that is having this issue. If I add a local user with the same name and a different password, I can login with my ACS account and ACS password without issue. It looks like it is missing a packet or my timers are off... every once in a while, I get the following error in ACS:
13031 TACACS+ authentication request missing user Password
I can ping the ACS servers without issue. I can run the test aaa-server command and it passes without issue.
wnj-ukfw1(config)# test aaa-server authentication TACACS host 10.224.4.76 user mine password yours
INFO: Attempting Authentication test to IP address <10.224.4.76> (timeout: 12 seconds)
INFO: Authentication Successful
I can't run the test aaa-server for authorization because we are using tacacs+.
Open to thoughts and suggestions.
Tim
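The pair of syslog messages quoted above (113004 authentication Successful, then 113005 authorization Rejected with server = 0.0.0.0, which is neither configured ACS host) is the pattern worth alerting on from a monitoring side. The following added example, not from the original post or from Cisco, parses constructed sample lines in that format and flags users whose authentication succeeded but whose authorization was then rejected, noting when the authorization server differs from the one that authenticated them.

```python
import re

# Constructed sample lines, modelled on the %ASA-6-113004 / %ASA-6-113005
# messages quoted in the post (not real logs from the poster's firewall).
SAMPLE_LOG = """\
Nov 21 2013 15:19:26: %ASA-6-113004: AAA user authentication Successful : server = 10.224.4.76 : user = mine
Nov 21 2013 15:19:26: %ASA-6-113005: AAA user authorization Rejected : reason = User was not found : server = 0.0.0.0 : user = mine
Nov 21 2013 15:20:01: %ASA-6-113004: AAA user authentication Successful : server = 10.224.4.76 : user = alice
Nov 21 2013 15:20:03: %ASA-6-113005: AAA user authorization Rejected : reason = User was not found : server = 10.131.2.155 : user = bob
"""

AAA_RE = re.compile(
    r"^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): %ASA-\d-(?P<msgid>\d{6}): "
    r"AAA user (?P<phase>authentication|authorization) (?P<result>\w+)"
    r"(?: : reason = (?P<reason>.*?))? : server = (?P<server>\S+) : user = (?P<user>\S+)$"
)

def parse_aaa_events(text):
    """Parse ASA 113004/113005 syslog lines into dicts; non-matching lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AAA_RE.match(line.strip())
        if m:
            events.append(m.groupdict())
    return events

def find_authz_rejects_after_authn(events):
    """Flag users whose authentication succeeded but whose authorization was then
    rejected, and record whether the authz server differs from the authn server
    (0.0.0.0 in the post, which is not either configured ACS host)."""
    last_ok_server = {}  # user -> server that most recently authenticated them
    findings = []
    for ev in events:
        if ev["phase"] == "authentication" and ev["result"] == "Successful":
            last_ok_server[ev["user"]] = ev["server"]
        elif ev["phase"] == "authorization" and ev["result"] == "Rejected":
            if ev["user"] in last_ok_server:  # only users with a prior successful authn
                findings.append({
                    "user": ev["user"],
                    "authn_server": last_ok_server[ev["user"]],
                    "authz_server": ev["server"],
                    "reason": ev["reason"],
                    "server_mismatch": ev["server"] != last_ok_server[ev["user"]],
                })
    return findings

if __name__ == "__main__":
    for finding in find_authz_rejects_after_authn(parse_aaa_events(SAMPLE_LOG)):
        print(finding)
```

Run against the sample, only user "mine" is flagged: "bob" has no preceding successful authentication and "alice" was never rejected.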
11-24-2013 03:18 AM
11-25-2013 05:27 AM
I had already read that thread and it isn't even close. I have almost 50 ASA nodes in ACS deployed with the same configuration and IOS version. This is the only one with this issue. Within ACS, they are in the same group and have all the same attributes. The user account isn't the issue either since I can get into all the other devices without issue. I also have over 700 network switches and routers in ACS and they are all working as desired.
I am looking at changing the version of code on the ASA and starting over with the config....unless someone else has any other ideas.
11-26-2013 11:53 AM
We rebooted the ASA and it worked as desired. Can't believe that is all it took. It must be something to do with the order of operation within the code base!!