Cisco Support Community


issue with one of our ASAs authenticating

One of our ASAs is having problems authenticating against our TACACS+ server. We can run the test authentication feature fine, and the ASA can ping the server. However, when I try to authenticate I see this in the log:

4 Aug 28 2007 09:30:31 409023 Attempting AAA Fallback method LOCAL for Authentication request for user [someuser] : Auth-server group [acsserver] unreachable

On the ACS server I don't see any failed attempts in the logs. All of our other devices work fine, including a few other ASAs. The only difference with this one is that it's running 8.0 software. I double-checked the shared key and it's okay (well, it should be fine since I can run the test fine). Any ideas?
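Added example, not part of the thread: a small Python parser that picks ASA message 409023 out of a log export and counts LOCAL fallbacks per server group. The security-relevant point is the one the poster ran into: while the ASA is falling back, logins are decided by its local user database and never reach the ACS, so the ACS logs stay empty; repeated fallbacks are therefore worth alerting on. The sample lines are constructed (the first mirrors the entry quoted above; the hostname, the 605005 line, the second server group and the user names are made up here).

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# Constructed sample log. The first line mirrors the ASDM-style entry quoted
# in the post; the others use the syslog form (%ASA-4-409023) and are made up
# here to show a non-fallback message and a second, unrelated server group.
SAMPLE_LOG = """\
4 Aug 28 2007 09:30:31 409023 Attempting AAA Fallback method LOCAL for Authentication request for user [someuser] : Auth-server group [acsserver] unreachable
Aug 28 2007 09:31:02 fw1 %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication request for user [someuser] : Auth-server group [acsserver] unreachable
Aug 28 2007 09:35:17 fw1 %ASA-6-605005: Login permitted from 10.0.0.5/51234 to inside:10.0.0.1/ssh for user "admin"
Aug 28 2007 09:40:44 fw1 %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authorization request for user [otheruser] : Auth-server group [acsserver] unreachable
Aug 28 2007 10:02:09 fw1 %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication request for user [vpnuser] : Auth-server group [radiusgrp] unreachable
"""

# Matches message 409023 in either the ASDM-style form ("4 Aug 28 2007 ...
# 409023 Attempting ...") or the syslog form ("... %ASA-4-409023: Attempting
# ..."). Brackets around user and group are optional because both appear in
# exported logs.
FALLBACK_RE = re.compile(
    r"(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2}).*?"
    r"409023:? Attempting AAA Fallback method (?P<method>\S+) for "
    r"(?P<reqtype>\w+) request for user \[?(?P<user>[^\]\s]+)\]? : "
    r"Auth-server group \[?(?P<group>[^\]\s]+)\]? unreachable"
)


def parse_fallback_events(log_text):
    """Return one dict per 409023 line (ts, method, reqtype, user, group);
    every other message is ignored."""
    events = []
    for line in log_text.splitlines():
        m = FALLBACK_RE.search(line)
        if not m:
            continue
        ev = m.groupdict()
        ev["ts"] = datetime.strptime(ev["ts"], "%b %d %Y %H:%M:%S")
        events.append(ev)
    return events


def summarize_fallbacks(events, window_minutes=15, alert_threshold=2):
    """Count fallbacks per server group and flag a group whose fallbacks
    reach the threshold inside the window. Repeated LOCAL fallback means the
    AAA server is being bypassed for those logins, which is why the server's
    own logs show nothing for them."""
    per_group = Counter(ev["group"] for ev in events)
    users = defaultdict(set)
    for ev in events:
        users[ev["group"]].add(ev["user"])
    alerts = []
    for group, count in per_group.items():
        times = sorted(ev["ts"] for ev in events if ev["group"] == group)
        span = (times[-1] - times[0]).total_seconds() / 60
        if count >= alert_threshold and span <= window_minutes:
            alerts.append({"group": group, "count": count,
                           "users": sorted(users[group]),
                           "span_minutes": round(span, 2)})
    return per_group, alerts


if __name__ == "__main__":
    counts, alerts = summarize_fallbacks(parse_fallback_events(SAMPLE_LOG))
    print(dict(counts))
    for a in alerts:
        print(f"ALERT: group {a['group']} fell back to LOCAL {a['count']} times "
              f"in {a['span_minutes']} min for users {a['users']}")
```

Run it over a real export by replacing SAMPLE_LOG with the file contents; the alert threshold and window are deliberately parameters, since a single fallback during server maintenance is normal and a steady stream is not.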

4 REPLIES

Re: issue with one of our ASAs authenticating

Jack,

Do you see any hits in the ACS passed attempts? Try increasing the TACACS timeout and see if that makes any difference.

Regards,

~JG


Re: issue with one of our ASAs authenticating

I took a look at those logs. I see the hits when I run the test authentication from the ASA (I'm logged in locally as fallback at the moment), but when I try to log in as normal with my AD creds I don't see any hits.


Re: issue with one of our ASAs authenticating

Could this be related to Cisco bug ID CSCsk08454?

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk08454

There is supposedly a fix but I'm not having much luck implementing it myself...


Re: issue with one of our ASAs authenticating

Hi Jack,

Hope you solved the issue with AAA authorization on your ASA. I have a similar issue with my ASA.

I configured AAA authorization in the firewall, but it works only for local username/password. PIX version 7.2(2) and ACS-SE 4.1.

Here is my configuration:

XXX-PIX515(config)# sh run aaa-server
aaa-server VPN protocol radius
 accounting-mode simultaneous
aaa-server VPN host 172.20.20.11
 key XXX
aaa-server VPN host 172.20.20.12
 key XXX
aaa-server my-group protocol tacacs+
aaa-server my-group host 172.20.20.11
 key XXXX
aaa authentication telnet console my-group LOCAL
aaa authentication enable console my-group LOCAL
aaa authorization command my-group LOCAL
aaa accounting command privilege 15 my-group

Note: I also use the same ACS as a RADIUS server for my VPN access and added it as a RADIUS client with a different key. Moreover, I could not see any failed logs on the ACS. It works fine with local authorization.

Can you tell me why I can't authenticate and authorize with the TACACS+ server?

Thanks in advance
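Added example, not from the poster: a Python check that parses `show run aaa-server` style output like the one above, records each host's shared key and timeout, and reports (a) which server groups the console authentication/authorization lines depend on and whether a LOCAL fallback is present, and (b) a server address that appears under two protocols with separately configured keys, as 172.20.20.11 does here. The config is a constructed copy of the posted one with placeholder keys plus a `timeout 5` line added to show the per-host override; the 10-second default timeout is an assumption taken from ASA documentation, not from the thread.

```python
DEFAULT_TIMEOUT = 10  # assumed ASA default for the per-host 'timeout' command

# Constructed config, modelled on the aaa-server output posted above
# (addresses and keys are placeholders); "timeout 5" is added here to show
# how a per-host override is picked up.
SAMPLE_CONFIG = """\
aaa-server VPN protocol radius
 accounting-mode simultaneous
aaa-server VPN host 172.20.20.11
 key XXX
aaa-server VPN host 172.20.20.12
 key XXX
aaa-server my-group protocol tacacs+
aaa-server my-group host 172.20.20.11
 key XXXX
 timeout 5
aaa authentication telnet console my-group LOCAL
aaa authentication enable console my-group LOCAL
aaa authorization command my-group LOCAL
aaa accounting command privilege 15 my-group
"""


def parse_aaa_config(text):
    """Return (groups, aaa_lines): groups maps tag -> protocol, hosts and
    group-level options; aaa_lines holds the split 'aaa ...' policy lines."""
    groups, aaa_lines = {}, []
    current_group = current_host = None
    for raw in text.splitlines():
        parts = raw.split()
        if not parts:
            continue
        if parts[0] == "aaa-server" and len(parts) >= 4 and parts[2] == "protocol":
            current_group = parts[1]
            groups[current_group] = {"protocol": parts[3], "hosts": [], "options": {}}
            current_host = None
        elif parts[0] == "aaa-server" and len(parts) >= 4 and parts[2] == "host":
            current_group = parts[1]
            grp = groups.setdefault(current_group,
                                    {"protocol": None, "hosts": [], "options": {}})
            current_host = {"ip": parts[3], "key": None, "timeout": DEFAULT_TIMEOUT}
            grp["hosts"].append(current_host)
        elif parts[0] == "aaa":
            aaa_lines.append(parts)
        elif current_host is not None and parts[0] == "key":
            current_host["key"] = parts[1]          # host-mode sub-command
        elif current_host is not None and parts[0] == "timeout":
            current_host["timeout"] = int(parts[1])  # host-mode override
        elif current_group is not None:
            # anything else (e.g. accounting-mode) is a group-level option
            groups[current_group]["options"][parts[0]] = " ".join(parts[1:])
    return groups, aaa_lines


def group_summary(groups):
    """Per group: protocol and (ip, effective timeout) pairs."""
    return {tag: {"protocol": g["protocol"],
                  "hosts": [(h["ip"], h["timeout"]) for h in g["hosts"]]}
            for tag, g in groups.items()}


def audit_aaa(groups, aaa_lines):
    """Return (code, subject, message) findings for the console policy and
    the server groups it relies on."""
    findings, referenced = [], {}
    for parts in aaa_lines:
        kind = parts[1]  # authentication / authorization / accounting
        has_local = "LOCAL" in parts
        for tag in (p for p in parts[2:] if p in groups):
            referenced.setdefault(tag, []).append((kind, has_local))
    for tag, uses in referenced.items():
        grp = groups[tag]
        if not grp["hosts"]:
            findings.append(("NO_HOSTS", tag, "group is referenced but defines no hosts"))
        for host in grp["hosts"]:
            if host["key"] is None:
                findings.append(("NO_KEY", f"{tag}/{host['ip']}", "host has no shared key"))
        for kind, has_local in uses:
            if kind in ("authentication", "authorization") and not has_local:
                findings.append(("NO_LOCAL_FALLBACK", tag,
                                 f"{kind} uses {tag} with no LOCAL fallback; "
                                 "if the group is unreachable this login path fails"))
    # The same server address under two protocols: the ASA sends a separate
    # shared secret per group, so each key must match the server side.
    by_ip = {}
    for tag, grp in groups.items():
        for host in grp["hosts"]:
            by_ip.setdefault(host["ip"], []).append((tag, grp["protocol"]))
    for ip, entries in by_ip.items():
        if len({proto for _, proto in entries}) > 1:
            findings.append(("SHARED_HOST_MULTI_PROTOCOL", ip,
                             "used by " + ", ".join(f"{t} ({p})" for t, p in entries)
                             + "; verify each group's key separately against the server"))
    return findings


if __name__ == "__main__":
    groups, aaa_lines = parse_aaa_config(SAMPLE_CONFIG)
    print(group_summary(groups))
    for code, subject, msg in audit_aaa(groups, aaa_lines):
        print(f"{code}: {subject}: {msg}")
```

This only tells you what the configuration promises, not whether the server is answering. The ASA-side counterpart is `show aaa-server my-group`, which reports each host's state, and `test aaa-server authentication my-group host 172.20.20.11 username <user> password <pass>`, the test feature mentioned earlier in the thread; a passing test with failing real logins points at the group's timeout/dead-server handling or at a mismatch between what the test and the login path send, not at the key.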
