issue with one of our ASAs authenticating

jackleung
Level 1

one of our ASAs is having problems authenticating against our tacacs server. We can run the test authentication feature fine and the ASA can ping the server. However when I try to authenticate I see this in the log:

4 Aug 28 2007 09:30:31 409023 Attempting AAA Fallback method LOCAL for Authentication request for user [someuser] : Auth-server group [acsserver] unreachable

On the ACS server I don't see any failed attempts in the logs. All of our other devices work fine, including a few other ASAs. The only difference with this one is that it's running 8.0 software. I double checked the shared key and it's okay (well, it should be fine since I can run the test fine). Any ideas?
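The log line quoted above is ASA message 409023: the appliance declared the whole TACACS+ group unreachable and moved on to the next method in the list, LOCAL. That is worth alerting on, because while it lasts every login is checked against the local user database rather than ACS, and nothing shows up on the ACS side (exactly what the poster observes). The following Python is an added example, not code from the thread or from Cisco: a small detector that parses the ASDM log-viewer form quoted in the post as well as the syslog form of the same message, and summarizes fallbacks per AAA group. The sample lines are constructed for the example; the 113004 line is a successful authentication and is there to show a non-matching message.

```python
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# ASA message 409023 is logged when no server in an AAA group answered and the
# appliance is about to try the next method in the list (LOCAL here). The
# pattern accepts both the ASDM log-viewer form quoted in the thread
# ("... 409023 Attempting AAA Fallback ... user [someuser] ... group [acsserver] ...")
# and the syslog form ("%ASA-4-409023: Attempting AAA Fallback ... user someuser ...").
FALLBACK_RE = re.compile(
    r"409023:?\s+Attempting AAA Fallback method (?P<method>\S+) "
    r"for (?P<service>\w+) request for user \[?(?P<user>[^\]\s]+)\]? : "
    r"Auth-server group \[?(?P<group>[^\]\s]+)\]? unreachable"
)


@dataclass(frozen=True)
class FallbackEvent:
    user: str
    group: str      # AAA server group that was declared unreachable
    method: str     # method the ASA falls back to, e.g. LOCAL
    service: str    # Authentication, Authorization or Accounting
    raw: str


def parse_fallback(line: str) -> Optional[FallbackEvent]:
    """Return a FallbackEvent for a 409023 fallback line, or None for any other line."""
    m = FALLBACK_RE.search(line)
    if m is None:
        return None
    return FallbackEvent(m["user"], m["group"], m["method"], m["service"], line.strip())


def summarize(lines: Iterable[str]) -> Dict[str, dict]:
    """Per AAA group: how many fallbacks happened and which users were affected."""
    acc: Dict[str, dict] = defaultdict(lambda: {"count": 0, "users": set()})
    for line in lines:
        ev = parse_fallback(line)
        if ev is not None:
            acc[ev.group]["count"] += 1
            acc[ev.group]["users"].add(ev.user)
    return {g: {"count": v["count"], "users": sorted(v["users"])} for g, v in acc.items()}


def alerts(lines: Iterable[str], threshold: int = 1) -> List[str]:
    """AAA groups that fell back at least `threshold` times, sorted by name."""
    return sorted(g for g, v in summarize(lines).items() if v["count"] >= threshold)


# Constructed sample log: the line from the post plus three syslog-form lines
# (113004 is a successful AAA authentication and must not be flagged).
SAMPLE_LOG = [
    "4 Aug 28 2007 09:30:31 409023 Attempting AAA Fallback method LOCAL for Authentication "
    "request for user [someuser] : Auth-server group [acsserver] unreachable",
    "%ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication request for user jdoe "
    ": Auth-server group acsserver unreachable",
    "%ASA-6-113004: AAA user authentication Successful : server =  172.20.20.11 : user = jdoe",
    "%ASA-4-409023: Attempting AAA Fallback method LOCAL for Authorization request for user admin "
    ": Auth-server group my-group unreachable",
]

if __name__ == "__main__":
    for group, info in summarize(SAMPLE_LOG).items():
        print(f"{group}: {info['count']} fallback(s), users={info['users']}")
    print("alert:", alerts(SAMPLE_LOG, threshold=2))
```

Feed it the ASA syslog stream (or an export from the ASDM log viewer) and alert on any group that appears at all; a threshold above 1 only makes sense once you have a baseline of occasional timeouts. A single 409023 for an interactive login already means the local password was what got checked.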

4 Replies

Jagdeep Gambhir
Level 10

Jack,

Do you see any hits in the ACS passed attempts? Try increasing the TACACS timeout and see if that makes any difference.

Regards,

~JG

I took a look at those logs. I see the hits when I run the test authentication from the ASA (I'm logged in locally as fallback at the moment), but when I try to log in as normal with my AD creds I don't see any hits.

kcaskey
Level 1

Could this be related to Cisco bug ID CSCsk08454?

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk08454

There is supposedly a fix but I'm not having much luck implementing it myself...

pemasirid
Level 1

Hi Jack,

I hope you solved the issue with AAA authorization in your ASA. I have a similar issue with my ASA.

I configured AAA authorization in the firewall, but it works only for the local username/password. PIX version 7.2(2) and ACS-SE 4.1.

Here is my configuration:

XXX-PIX515(config)# sh run aaa-server
aaa-server VPN protocol radius
 accounting-mode simultaneous
aaa-server VPN host 172.20.20.11
 key XXX
aaa-server VPN host 172.20.20.12
 key XXX
aaa-server my-group protocol tacacs+
aaa-server my-group host 172.20.20.11
 key XXXX
aaa authentication telnet console my-group LOCAL
aaa authentication enable console my-group LOCAL
aaa authorization command my-group LOCAL
aaa accounting command privilege 15 my-group

Note: I also use RADIUS on the same ACS for my VPN access, and I added the firewall as a RADIUS client with a different key. Moreover, I could not see any failed logs on the ACS. It works fine with local authorization.

Can you tell me why I can't authenticate and authorize with the TACACS+ server?

Thanks in advance
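The configuration posted above has three things a practitioner would check before touching the shared key: none of the hosts sets an explicit per-server timeout (so the ASA default applies, which is the knob the earlier reply suggests raising), 172.20.20.11 is defined in both the RADIUS and the TACACS+ group with different keys, and every method list except accounting ends in LOCAL, so a TACACS+ failure silently degrades to local accounts. The Python below is an added example, not the poster's or Cisco's code: it parses that `aaa-server` / `aaa` output into groups, hosts and method lists and reports those three findings. The sample input is the configuration from the post with keys redacted as posted; sub-mode lines are attached to the most recent `aaa-server` line, which is how the ASA prints them.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Sample input: the aaa-server and aaa method-list lines from the post, keys
# redacted as in the post. Indentation of sub-mode lines is restored.
SAMPLE_CONFIG = """\
aaa-server VPN protocol radius
 accounting-mode simultaneous
aaa-server VPN host 172.20.20.11
 key XXX
aaa-server VPN host 172.20.20.12
 key XXX
aaa-server my-group protocol tacacs+
aaa-server my-group host 172.20.20.11
 key XXXX
aaa authentication telnet console my-group LOCAL
aaa authentication enable console my-group LOCAL
aaa authorization command my-group LOCAL
aaa accounting command privilege 15 my-group
"""


@dataclass
class Host:
    address: str
    key_set: bool = False
    timeout: Optional[int] = None  # None: not configured, the ASA default applies


@dataclass
class Group:
    name: str
    protocol: str
    hosts: List[Host] = field(default_factory=list)
    options: Dict[str, str] = field(default_factory=dict)  # group-level sub-mode lines


def parse_aaa_config(text: str) -> Tuple[Dict[str, Group], List[Tuple[str, List[str]]]]:
    """Parse 'aaa-server' groups/hosts and 'aaa <kind> ...' method lists."""
    groups: Dict[str, Group] = {}
    method_lists: List[Tuple[str, List[str]]] = []
    group: Optional[Group] = None
    host: Optional[Host] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        m = re.match(r"aaa-server (\S+) protocol (\S+)$", line)
        if m:
            group = groups.setdefault(m[1], Group(m[1], m[2]))
            host = None
            continue
        m = re.match(r"aaa-server (\S+) (?:\(\S+\) )?host (\S+)", line)
        if m:
            group = groups.setdefault(m[1], Group(m[1], "unknown"))
            host = Host(m[2])
            group.hosts.append(host)
            continue
        m = re.match(r"aaa (authentication|authorization|accounting) (.+)", line)
        if m:
            method_lists.append((m[1], m[2].split()))
            continue
        if host is not None and line.startswith("key "):
            host.key_set = True          # never store the key itself
        elif host is not None and line.startswith("timeout "):
            host.timeout = int(line.split()[1])
        elif group is not None:
            key, _, value = line.partition(" ")
            group.options[key] = value
    return groups, method_lists


def audit(text: str) -> Dict[str, object]:
    """Findings to check first when a group is reported 'unreachable'."""
    groups, method_lists = parse_aaa_config(text)
    hosts_without_timeout = [f"{g.name}/{h.address}" for g in groups.values()
                             for h in g.hosts if h.timeout is None]
    groups_by_host: Dict[str, List[str]] = {}
    for g in groups.values():
        for h in g.hosts:
            groups_by_host.setdefault(h.address, []).append(g.name)
    shared_hosts = {a: n for a, n in groups_by_host.items() if len(n) > 1}
    fallback_to_local: List[Tuple[str, List[str]]] = []
    no_fallback: List[Tuple[str, List[str]]] = []
    for kind, tokens in method_lists:
        used = [t for t in tokens if t in groups]
        label = kind + " " + " ".join(t for t in tokens if t not in groups and t != "LOCAL")
        (fallback_to_local if "LOCAL" in tokens else no_fallback).append((label, used))
    return {
        "hosts_without_timeout": hosts_without_timeout,
        "shared_hosts": shared_hosts,
        "fallback_to_local": fallback_to_local,
        "no_fallback": no_fallback,
    }


if __name__ == "__main__":
    for name, finding in audit(SAMPLE_CONFIG).items():
        print(f"{name}: {finding}")
```

Run it against `show running-config aaa-server` plus the `aaa authentication`/`authorization`/`accounting` lines. For the poster's configuration it reports that all three hosts rely on the default timeout, that 172.20.20.11 is shared between the RADIUS and TACACS+ groups, and that telnet, enable and command authorization all fall back to LOCAL while command accounting does not.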