I manage an ASA 5540 Active/Failover pair. SSH authentication is done through TACACS+ to ACS 4.2 located in the same VLAN as the inside interface of the firewalls. I have added both firewalls on to the ACS using their inside interface IP addresses (using the active and standby addresses). I can succesfully authenticate and login to the Active ASA without any problem. But on the standby ASA, I get SSH prompt but I could not login. When I see the failed attempts log under the ACS, I see "Unknown NAS" listed for the standby ASA. How can I solve this problem?
ASA-01# sh aaa-server Server Group: ACS Server Protocol: tacacs+ Server Address: 192.168.x.xx Server port: 49 Server status: ACTIVE, Last transaction at unknown Number of pending requests 0 Average round trip time 0ms Number of authentication requests 0 Number of authorization requests 0 Number of accounting requests 0 Number of retransmissions 0 Number of accepts 0 Number of rejects 0 Number of challenges 0 Number of malformed responses 0 Number of bad authenticators 0 Number of timeouts 0 Number of unrecognized responses 0
This made me to double check the configuration. I define the same ACS server twice with different name and protocol (once for RADIUS to authenticate VPN sessions and the other for TACACS+ to authenticate device access). So it turned out I put the wrong server name under ssh authentication.
Thanks for pointing me in the right direction and I give you full marks.
Table of ContentsIntroductionVersion HistoryPossible Future
UpdatesDocuments PurposeNAT Operation in ASA 8.3+ SectionsRule Types
Network Object NATTwice NAT / Manual NATRule Types used per SectionNAT
Types used with Twice NAT / Manual NAT and Network Obje...
[toc:faq]Introduction:This document describes details on how NAT-T
works.Background:ESP encrypts all critical information, encapsulating
the entire inner TCP/UDP datagram within an ESP header. ESP is an IP
protocol in the same sense that TCP and UDP are I...