TACACS+ SSH authentication to ASA Fo problem

cisabucho
Level 1

Dear,

I manage an ASA 5540 Active/Failover pair. SSH authentication is done through TACACS+ to ACS 4.2 located in the same VLAN as the inside interface of the firewalls. I have added both firewalls onto the ACS using their inside interface IP addresses (using the active and standby addresses). I can successfully authenticate and log in to the Active ASA without any problem. But on the standby ASA, I get the SSH prompt but I could not log in. When I see the failed attempts log under the ACS, I see "Unknown NAS" listed for the standby ASA. How can I solve this problem?

best regards,

Abebe Amare

Network Engineer, VivaCell

Accepted Solution

Rudresh Veerappaji
Cisco Employee

Hi Abebe,

On the secondary ASA, please check the following:

sh failover    ---> and make sure the secondary is in standby ready and not failed.

sh aaa-server    ----> check the output and see if the ASA has marked the tacacs server as "UP" and exchange of packets.

Enable the following debugs and run a test authentication as mentioned:

debug aaa authentication

debug tacacs

debug ssh

test aaa-server authentication <server-group> host <server-ip> username "insert name" password "insert password"

Provide me the debugs after taking out your username in it so that i can analyze.

Cheers,

Rudresh V


2 Replies

Dear Rudresh,

When I do a sh aaa-server I got the following:

ASA-01# sh aaa-server
Server Group:    ACS
Server Protocol: tacacs+
Server Address:  192.168.x.xx
Server port:     49
Server status:   ACTIVE, Last transaction at unknown
Number of pending requests              0
Average round trip time                 0ms
Number of authentication requests       0
Number of authorization requests        0
Number of accounting requests           0
Number of retransmissions               0
Number of accepts                       0
Number of rejects                       0
Number of challenges                    0
Number of malformed responses           0
Number of bad authenticators            0
Number of timeouts                      0
Number of unrecognized responses        0

This made me double-check the configuration. I defined the same ACS server twice with different names and protocols (once for RADIUS to authenticate VPN sessions and the other for TACACS+ to authenticate device access). So it turned out I had put the wrong server name under ssh authentication.

Thanks for pointing me in the right direction and I give you full marks.

best regards,

Abebe Amare
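The root cause above (two aaa-server groups for the same ACS host, and the ssh console line pointing at the RADIUS group instead of the TACACS+ group) is easy to catch mechanically. The following added example, which is not from the original thread, parses a constructed ASA running-config excerpt and flags any "aaa authentication ... console <group>" line whose group is undefined or does not use the expected protocol; the group names, the 192.0.2.10 address and the expected protocol are assumptions for the sample.

```python
import re

# Constructed sample ASA running-config excerpt (not from the original post):
# the same ACS host is defined twice, once as RADIUS and once as TACACS+,
# and the ssh console line references the RADIUS group by mistake.
SAMPLE_CONFIG = """\
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 192.0.2.10
 key *****
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.0.2.10
 key *****
aaa authentication ssh console ACS-RADIUS LOCAL
aaa authentication enable console ACS LOCAL
"""

# "aaa-server <group> protocol <proto>" defines a server group and its protocol.
GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)", re.M)
# "aaa authentication <service> console <group> [LOCAL]" binds device access to a group.
AUTH_RE = re.compile(r"^aaa authentication (\S+) console (\S+)", re.M)


def parse_server_groups(config):
    """Map each aaa-server group name to its protocol (radius, tacacs+, ldap, ...)."""
    return {name: proto for name, proto in GROUP_RE.findall(config)}


def check_console_auth(config, expected="tacacs+"):
    """Return (service, group, reason) findings for console auth lines whose
    group is not defined or does not use the expected device-access protocol."""
    groups = parse_server_groups(config)
    findings = []
    for service, group in AUTH_RE.findall(config):
        if group == "LOCAL":  # local database only, nothing to cross-check
            continue
        proto = groups.get(group)
        if proto is None:
            findings.append((service, group, "group not defined"))
        elif proto != expected:
            findings.append((service, group, "uses %s, expected %s" % (proto, expected)))
    return findings


if __name__ == "__main__":
    for finding in check_console_auth(SAMPLE_CONFIG):
        print("WARN: %s console auth -> group %s: %s" % finding)
```

Run it against "show running-config" output saved to a file; an empty result means every console authentication line references a defined group of the expected protocol.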