ASA 7.1, TACACS+, & HTTP Authentication

jason.ingram
Level 1

A very interesting problem. I have a TACACS ver 3.2 system in place. I currently am able to authenticate against it with no problem using SSH & Telnet. However, as soon as I try to use http, the authentication is never successful (I get prompted for a username and password, but nothing I enter actually works) and the following gets logged on the TACACS server:

"External DB auth failed"

However, it works against SSH and Telnet. Does anyone have any ideas about this? Perhaps http auth needs special configuration?

http server enable
aaa-server tac protocol tacacs+
aaa-server tac host 10.1.1.1
 key ******
aaa authentication http console tac
aaa authentication telnet console tac
aaa authentication ssh console tac
aaa authentication secure-http-client
http server enable
http 172.19.0.0 255.255.0.0 inside
http 10.34.64.0 255.255.240.0 management
http 10.72.0.0 255.255.255.0 management
http 10.72.3.103 255.255.255.255 management
http redirect management 80

2 Replies

wdrootz
Level 4

This is an ACE problem with the passcode. During this time, the ACS Failed Attempts log shows either the message "External DB auth failed" or "External DB user invalid or bad password".

cyorty
Level 1

Just curious if you figured this one out - I just opened a TAC case for something similar. I'm authenticating to an RSA ACE Server via a CiscoSecure ACS 4.0 box. SSH and telnet have no problems, but HTTP auths bomb at the ACE server.
