issue with one of our ASAs authenticating

jackleung
Level 1

One of our ASAs is having problems authenticating against our TACACS server. We can run the test authentication feature fine and the ASA can ping the server. However, when I try to authenticate I see this in the log:

4 Aug 28 2007 09:30:31 409023 Attempting AAA Fallback method LOCAL for Authentication request for user [someuser] : Auth-server group [acsserver] unreachable

On the ACS server I don't see any failed attempts in the logs. All of our other devices work fine, including a few other ASAs. The only difference with this one is that it's running 8.0 software. I double-checked the shared key and it's okay (well, it should be fine since I can run the test fine). Any ideas?
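The 409023 message quoted above is the one line a defender can key on: it shows the ASA falling back to LOCAL because the server group was unreachable, which is exactly what you want alerted on if it keeps happening. The following parser and counter is an added example, not code from this thread or from Cisco; the sample log lines are constructed, and it assumes the ASDM log-viewer line layout shown in the post plus the raw "%ASA-4-409023:" syslog form.

```python
import re
from collections import Counter
from dataclasses import dataclass
from typing import Optional

# Constructed sample: three 409023 fallback events (ASDM log-viewer and raw %ASA forms) and one unrelated line.
SAMPLE_LOG = """\
4 Aug 28 2007 09:30:31 409023 Attempting AAA Fallback method LOCAL for Authentication request for user [someuser] : Auth-server group [acsserver] unreachable
6 Aug 28 2007 09:30:32 605005 Login permitted from 10.0.0.5/1024 to inside:10.0.0.1/ssh for user "someuser"
4 Aug 28 2007 09:35:10 409023 Attempting AAA Fallback method LOCAL for Authentication request for user [admin] : Auth-server group [acsserver] unreachable
%ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication request for user [someuser] : Auth-server group [acsserver] unreachable
"""

# "<sev> <Mon> <dd> <yyyy> <hh:mm:ss> <id> <text>"  or  "%ASA-<sev>-<id>: <text>"
LINE_RE = re.compile(
    r"^(?:(?P<sev_a>\d)\s+(?P<ts>[A-Z][a-z]{2} \d{1,2} \d{4} \d{2}:\d{2}:\d{2})\s+(?P<id_a>\d{6})\s+"
    r"|%ASA-(?P<sev_b>\d)-(?P<id_b>\d{6}):\s+)(?P<text>.*)$"
)
FALLBACK_RE = re.compile(
    r"Attempting AAA Fallback method (?P<method>\S+) for (?P<req>\w+) request "
    r"for user \[(?P<user>[^\]]*)\] : Auth-server group \[(?P<group>[^\]]*)\] unreachable"
)

@dataclass
class FallbackEvent:
    timestamp: Optional[str]  # None for the raw syslog form (no timestamp in the line)
    user: str
    request_type: str
    method: str
    server_group: str

def parse_fallback(line: str) -> Optional[FallbackEvent]:
    """Return a FallbackEvent if the line is a 409023 fallback message, else None."""
    m = LINE_RE.match(line.strip())
    if not m or (m.group("id_a") or m.group("id_b")) != "409023":
        return None
    f = FALLBACK_RE.search(m.group("text"))
    if not f:
        return None
    return FallbackEvent(m.group("ts"), f["user"], f["req"], f["method"], f["group"])

def summarize(log: str, threshold: int = 2) -> dict:
    """Count fallbacks per AAA server group; flag groups at or above threshold."""
    events = [e for e in map(parse_fallback, log.splitlines()) if e]
    per_group = Counter(e.server_group for e in events)
    return {
        "per_group": dict(per_group),
        "users": sorted({e.user for e in events}),
        "alert_groups": sorted(g for g, n in per_group.items() if n >= threshold),
    }
```

Feed it the syslog export from the ASA (or from ASDM) and any server group listed under alert_groups is one whose TACACS+ path needs checking, independent of whether ACS shows a failed attempt.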

4 Replies

Jagdeep Gambhir
Level 10

Jack,

Do you see any hits on ACS passed attempts? Try increasing the TACACS timeout and see if that makes any difference.

Regards,

~JG

I took a look at those logs. I see the hits when I run the test authentication from the ASA (I'm logged in locally as fallback at the moment), but when I try to log in as normal with my AD creds I don't see any hits.

kcaskey
Level 1

Could this be related to Cisco bug ID CSCsk08454?

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsk08454

There is supposedly a fix but I'm not having much luck implementing it myself...

pemasirid
Level 1

Hi Jack,

Hope you solved the issue with AAA authorization on your ASA. I have a similar issue with my ASA.

I configured AAA authorization on the firewall, but it works only for the local username/password. PIX version 7.2(2) and ACS-SE 4.1.

Here is my configuration:

XXX-PIX515(config)# sh run aaa-server
aaa-server VPN protocol radius
accounting-mode simultaneous
aaa-server VPN host 172.20.20.11
key XXX
aaa-server VPN host 172.20.20.12
key XXX
aaa-server my-group protocol tacacs+
aaa-server my-group host 172.20.20.11
key XXXX
aaa authentication telnet console my-group LOCAL
aaa authentication enable console my-group LOCAL
aaa authorization command my-group LOCAL
aaa accounting command privilege 15 my-group

Note: I also use RADIUS on the same ACS for my VPN access, and I added the firewall as a RADIUS client with a different key. Moreover, I could not see any failed logs on ACS. It works fine with local authorization.

Can you tell me why I can't authenticate and authorize with the TACACS+ server?

Thanks in advance
