New Member

TACACS Authentication not working with ASA

I have an ACS 4.1 Windows server running TACACS. It is working on all devices within the enterprise except for one new ASA at a remote site. There is no NAT going on or anything and the ASA can ping the ACS box and the ACS box can ping the ASA.

I added the configuration below but the authentication fails and no requests come to the ACS server.

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ host 10.x.x.x
 key password
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL

Any help would be greatly appreciated

7 REPLIES

Re: TACACS Authentication not working with ASA

Hi,

Is there any FW device in between which may be blocking the TACACS ports?

Also run this test on the ASA box:

myASA# test aaa-server authentication TACACS+ host 10.x.x.x

New Member

Re: TACACS Authentication not working with ASA

There are no firewalls in between the devices. I ran the test command and received the following:

ERROR: Authentication Server not responding: No error

Re: TACACS Authentication not working with ASA

Just to confirm - did you add the ASA box as AAA client on the ACS server and are you using the same KEY here in the ASA config?

New Member

Re: TACACS Authentication not working with ASA

Hey, can somebody help me also? I am also having the same problem.

Re: TACACS Authentication not working with ASA

Please check the shared secret key. Remember, the NDG key overwrites the AAA client key.

Make sure ACS has the correct IP address of the ASA in Network Configuration.

Do you see any hits on ACS failed or passed attempts? Also try increasing the TACACS timeout to 15 sec.

Gold

Re: TACACS Authentication not working with ASA

Make sure the address you've added to ACS is the one the ASA is communicating from - in this case, it should be the interface closest to the ACS device.

New Member

Re: TACACS Authentication not working with ASA

The ASA which is experiencing issues connects to the subnet the ACS box is on over an IPsec tunnel. There are numerous other ASAs configured just like this and they are configured with the inside IP address on the ACS server.
