Cisco Support Community
New Member

TACACS+ SSH authentication to ASA Fo problem

Dear,

I manage an ASA 5540 Active/Failover pair. SSH authentication is done through TACACS+ to ACS 4.2, located in the same VLAN as the inside interface of the firewalls. I have added both firewalls onto the ACS using their inside interface IP addresses (using the active and standby addresses). I can successfully authenticate and log in to the Active ASA without any problem. But on the standby ASA, I get an SSH prompt but I could not log in. When I look at the failed attempts log on the ACS, I see "Unknown NAS" listed for the standby ASA. How can I solve this problem?

best regards,

Abebe Amare

Network Engineer, VivaCell

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: TACACS+ SSH authentication to ASA Fo problem

Hi Abebe,

On the secondary ASA, please check the following:

sh failover ---> and make sure the secondary is in Standby Ready and not Failed.

sh aaa-server ---> check the output and see whether the ASA has marked the TACACS+ server as "UP" and is exchanging packets with it.

Enable the following debugs and run a test authentication as mentioned:

debug aaa authentication

debug tacacs

debug ssh

test aaa-server authentication host   username "insert name" password "insert password"

Provide me the debugs after taking your username out of them so that I can analyze.

Cheers,

Rudresh V

2 REPLIES
New Member

Re: TACACS+ SSH authentication to ASA Fo problem

Dear Rudresh,

When I do a sh aaa-server I got the following:

ASA-01# sh aaa-server
Server Group:    ACS
Server Protocol: tacacs+
Server Address:  192.168.x.xx
Server port:     49
Server status:   ACTIVE, Last transaction at unknown
Number of pending requests              0
Average round trip time                 0ms
Number of authentication requests       0
Number of authorization requests        0
Number of accounting requests           0
Number of retransmissions               0
Number of accepts                       0
Number of rejects                       0
Number of challenges                    0
Number of malformed responses           0
Number of bad authenticators            0
Number of timeouts                      0
Number of unrecognized responses        0

This made me double-check the configuration. I had defined the same ACS server twice, with different names and protocols (once for RADIUS to authenticate VPN sessions, and the other for TACACS+ to authenticate device access). So it turned out I had put the wrong server name under SSH authentication.

Thanks for pointing me in the right direction and I give you full marks.

best regards,

Abebe Amare

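As an added example that is not part of the original thread (and is neither Cisco's nor either poster's code), the following Python script automates the cross-check this thread turned on: Rudresh's instruction to read `sh aaa-server` for a group that has never exchanged packets, and Abebe's finding that `aaa authentication ssh console` named the wrong server group. The running-config fragment and `show aaa-server` output embedded in it are constructed samples in the formats quoted above; the group names ACS and ACS-RADIUS, the 192.168.0.10 address and the counter values are assumptions chosen to reproduce the misconfiguration. It does not replace `sh failover`, the debugs, or `test aaa-server`, which need a live unit.

```python
"""Cross-check which AAA server group an ASA uses for SSH against 'show aaa-server'.

Added example, not from the thread. Both inputs are constructed samples in the
formats quoted in the thread; names, addresses and counter values are assumptions
chosen to reproduce the misconfiguration Abebe found."""
import re

# Constructed config: one ACS defined twice (RADIUS for VPN, TACACS+ for device
# access), with 'ssh console' mistakenly pointed at the RADIUS group.
RUNNING_CONFIG = """\
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 192.168.0.10
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.168.0.10
aaa authentication ssh console ACS-RADIUS LOCAL
aaa authentication http console ACS LOCAL
"""

# Constructed 'show aaa-server' output (counters abbreviated): the RADIUS group
# carries VPN logins, the TACACS+ group has never sent a packet.
SHOW_AAA_SERVER = """\
Server Group:    ACS-RADIUS
Server Protocol: radius
Server Address:  192.168.0.10
Server status:   ACTIVE, Last transaction at 10:12:03 UTC Mon Jan 4 2010
Number of authentication requests       37
Number of accepts                       36
Number of rejects                       1

Server Group:    ACS
Server Protocol: tacacs+
Server Address:  192.168.0.10
Server port:     49
Server status:   ACTIVE, Last transaction at unknown
Number of pending requests              0
Average round trip time                 0ms
Number of authentication requests       0
Number of authorization requests        0
Number of accounting requests           0
Number of accepts                       0
Number of rejects                       0
Number of timeouts                      0
"""

FIELDS = {
    "protocol": r"^Server Protocol:\s+(\S+)",
    "address": r"^Server Address:\s+(\S+)",
    "last_transaction": r"^Server status:\s+\S+, Last transaction at (.+)$",
}

def parse_aaa_server(show_output):
    """{group: {protocol, address, last_transaction, counters: {name: int}}}.
    One host per group here; a multi-host group repeats the header (last host wins)."""
    groups, cur = {}, None
    for line in show_output.splitlines():
        m = re.match(r"^Server Group:\s+(\S+)", line)
        if m:
            cur = groups.setdefault(m.group(1), {"counters": {}})
            continue
        if cur is None:
            continue
        for key, pat in FIELDS.items():
            m = re.match(pat, line)
            if m:
                cur[key] = m.group(1).strip()
        m = re.match(r"^Number of (.+?)\s{2,}(\d+)$", line)
        if m:
            cur["counters"][m.group(1)] = int(m.group(2))
    return groups

def parse_protocols(config):
    """{group: protocol} from 'aaa-server <group> protocol <proto>' lines."""
    return dict(re.findall(r"^aaa-server (\S+) protocol (\S+)", config, re.M))

def ssh_auth_groups(config):
    """Server groups on the 'aaa authentication ssh console ...' line, LOCAL excluded."""
    m = re.search(r"^aaa authentication ssh console (.+)$", config, re.M)
    return [g for g in m.group(1).split() if g != "LOCAL"] if m else []

def audit(config, show_output, expected_protocol="tacacs+"):
    """Findings: SSH bound to a group of the wrong protocol, or a group never exercised."""
    findings, protocols = [], parse_protocols(config)
    ssh_groups = ssh_auth_groups(config)
    if not ssh_groups:
        findings.append("SSH console authentication names no AAA server group")
    for name in ssh_groups:
        proto = protocols.get(name)
        if proto is None:
            findings.append(f"SSH console references undefined group {name}")
        elif proto != expected_protocol:
            findings.append(f"SSH console uses group {name} (protocol {proto}), expected {expected_protocol}")
    for name, g in parse_aaa_server(show_output).items():
        if (g.get("protocol") == expected_protocol and g.get("last_transaction") == "unknown"
                and sum(g["counters"].values()) == 0):
            findings.append(f"group {name} ({g.get('address')}) has never sent a request: all counters 0")
    return findings

def suggest_ssh_line(config, expected_protocol="tacacs+"):
    """Corrected 'ssh console' line when exactly one group speaks the expected
    protocol (None if ambiguous); keeps the LOCAL fallback if the original had one."""
    matches = [g for g, p in parse_protocols(config).items() if p == expected_protocol]
    if len(matches) != 1:
        return None
    line = re.search(r"^aaa authentication ssh console (.+)$", config, re.M)
    fallback = " LOCAL" if line and "LOCAL" in line.group(1).split() else ""
    return f"aaa authentication ssh console {matches[0]}{fallback}"

if __name__ == "__main__":
    for finding in audit(RUNNING_CONFIG, SHOW_AAA_SERVER):
        print("-", finding)
    print("fix:", suggest_ssh_line(RUNNING_CONFIG))
```

Paste the real `show running-config aaa` and `show aaa-server` output into the two strings (or read them from files) to run it against a live pair. The second check is exactly what the all-zero counters and "Last transaction at unknown" in Abebe's output indicate, and the `suggest_ssh_line` result is the corrected setting to compare against the standby's running configuration.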