Problem with "aaa authentication match" command configuration

govind346
Level 1

Hi Experts,

I am facing a problem while configuring the below command in my ASA firewall:

aaa authentication match access-list01 PROD Radius-server

It throws the below error:

Hybrid configurations using 'match' and 'include|exclude' are not supported
Usage: [no] aaa mac-exempt match <mac-list-id>
        [no] aaa authentication secure-http-client
        [no] aaa authentication listener http|https <if_name> [port <port>] [redirect]
        [no] aaa authentication|authorization|accounting include|exclude <svc>
                <if_name> <l_ip> <l_mask> [<f_ip> <f_mask>] <server_tag>
        [no] aaa authentication serial|telnet|ssh|http|enable console
                <server_tag> [LOCAL]
        [no] aaa accounting telnet|ssh|serial|enable console <server_tag>
        [no] aaa authentication|authorization|accounting match
                <access_list_name> <if_name> <server_tag>
        [no] aaa authorization command {LOCAL | <tacacs_server_tag> [LOCAL]}
        [no] aaa authorization exec authentication-server
        [no] aaa accounting command {privilege <level>} <tacacs_server_tag>
        [no] aaa proxy-limit <proxy limit> | disable
        [no] aaa local authentication attempts max-fail <fail-attempts>
        clear configure aaa
        clear aaa local user {fail-attempts|lockout} {all | username <uname>}}
        show running-config [all] aaa [authentication|authorization|accounting
                |max-exempt|proxy-limit]
        show aaa local user [lockout]

Please note that the PROD interface is at a lower security level:

DVCI-UTS-FW-5520(config)# sh nameif
Interface                Name                     Security
GigabitEthernet0/0       PROD                     5
GigabitEthernet0/1       INSIDE                   10

DVCI-UTS-FW-5520(config)# sh ver
Cisco Adaptive Security Appliance Software Version 8.3(1)
Device Manager Version 6.3(1)
Compiled on Thu 04-Mar-10 16:56 by builders
System image file is "disk0:/asa831-k8.bin"
Config file at boot was "startup-config"

Can someone throw some light on what I am doing wrong?

Thanks

Govind

2 Replies

Richard Burts
Hall of Fame

Govind

Can you post the output of show access-list access-list01

HTH

Rick


Hello,

You have another line in your config that reads:

aaa authentication include xxxxx

You cannot use both "aaa authentication include" and "aaa authentication match", as they cannot coexist in the config.

From Cisco Site:

"To enable authorization for traffic that is specified by an access list, use the aaa authorization match command. You cannot use the match command in the same configuration as the include and exclude commands. We suggest that you use the match command instead of the include and exclude commands; the include and exclude commands are not supported by ASDM."

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1537397
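To make the rule in the reply above concrete, here is an added example (not from the thread and not Cisco's code) that scans a saved ASA running-config for legacy include/exclude lines, reports whether a proposed match-style command would trigger the "Hybrid configurations" error, and produces the clean-up sequence: remove every include/exclude line first, then apply the match command. The ACL name access-list01, the interface PROD and the server tag Radius-server come from the thread; the sample config text, the ACL contents and the RADIUS host are constructed for illustration, following the syntax shown in the usage text of the error message.

```python
"""Detect the ASA include|exclude vs match conflict in an exported running-config.

Added example, not part of the original thread. The config below is
constructed; only the names access-list01, PROD and Radius-server are
taken from the question.
"""
import re

# Constructed sample running-config (not a real device dump).
# It contains legacy include/exclude lines, which is exactly the state
# that makes the ASA reject a later "aaa authentication match" command.
SAMPLE_CONFIG = """\
!
interface GigabitEthernet0/0
 nameif PROD
 security-level 5
!
aaa-server Radius-server protocol radius
aaa-server Radius-server (INSIDE) host 10.0.0.5
access-list access-list01 extended permit tcp any any eq www
aaa authentication include any PROD 0.0.0.0 0.0.0.0 0.0.0.0 0.0.0.0 Radius-server
aaa authentication exclude any PROD 10.1.1.0 255.255.255.0 0.0.0.0 0.0.0.0 Radius-server
"""

# Matches the three AAA rule families in either the legacy or the match form.
AAA_RULE_RE = re.compile(
    r"^aaa (authentication|authorization|accounting) (include|exclude|match)\b"
)


def aaa_rule_style(command):
    """Return 'legacy', 'match' or None for a single config/CLI line."""
    m = AAA_RULE_RE.match(command.strip())
    if not m:
        return None
    return "match" if m.group(2) == "match" else "legacy"


def aaa_rules(config_text):
    """Collect every include/exclude/match rule line present in the config."""
    return [
        line.strip()
        for line in config_text.splitlines()
        if aaa_rule_style(line) is not None
    ]


def would_be_rejected(config_text, new_command):
    """True if adding new_command would mix the two styles (the ASA refuses that)."""
    new_style = aaa_rule_style(new_command)
    if new_style is None:
        return False  # not an AAA rule line, the hybrid check does not apply
    existing_styles = {aaa_rule_style(r) for r in aaa_rules(config_text)}
    return bool(existing_styles - {new_style})


def migration_plan(config_text, new_command):
    """Commands to run, in order, so that new_command is accepted.

    Every rule of the other style is negated first, then the new command
    is applied. If nothing conflicts, only the new command is returned.
    """
    new_style = aaa_rule_style(new_command)
    removals = [
        "no " + r
        for r in aaa_rules(config_text)
        if aaa_rule_style(r) != new_style
    ]
    return removals + [new_command.strip()]


if __name__ == "__main__":
    wanted = "aaa authentication match access-list01 PROD Radius-server"
    if would_be_rejected(SAMPLE_CONFIG, wanted):
        print("Hybrid include|exclude + match detected; apply in this order:")
        for cmd in migration_plan(SAMPLE_CONFIG, wanted):
            print("  " + cmd)
    else:
        print("No conflict; the match command can be added as-is.")
```

The removal lines are generated from the running-config verbatim, so the `no` form repeats the exact arguments of each include/exclude line, which is what the ASA CLI requires to negate them. Verify the result on the device with `show running-config aaa authentication` before re-applying the match command.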
