01-31-2012 07:39 AM - edited 03-11-2019 03:21 PM
Hi Experts,
I am facing a problem while configuring the below command in my ASA firewall:
aaa authentication match access-list01 PROD Radius-server
It throws the below error:
Hybrid configurations using 'match' and 'include|exclude' are not supported
Usage: [no] aaa mac-exempt match <mac-list-id>
[no] aaa authentication secure-http-client
[no] aaa authentication listener http|https <if_name> [port <port>] [redirect]
[no] aaa authentication|authorization|accounting include|exclude <svc>
<if_name> <l_ip> <l_mask> [<f_ip> <f_mask>] <server_tag>
[no] aaa authentication serial|telnet|ssh|http|enable console
<server_tag> [LOCAL]
[no] aaa accounting telnet|ssh|serial|enable console <server_tag>
[no] aaa authentication|authorization|accounting match
<access_list_name> <if_name> <server_tag>
[no] aaa authorization command {LOCAL | <tacacs_server_tag> [LOCAL]}
[no] aaa authorization exec authentication-server
[no] aaa accounting command {privilege <level>} <tacacs_server_tag>
[no] aaa proxy-limit <proxy limit> | disable
[no] aaa local authentication attempts max-fail <fail-attempts>
clear configure aaa
clear aaa local user {fail-attempts|lockout} {all | username <uname>}}
show running-config [all] aaa [authentication|authorization|accounting
|max-exempt|proxy-limit]
show aaa local user [lockout]
Please note that the PROD interface is at a lower security level:
DVCI-UTS-FW-5520(config)# sh nameif
Interface Name Security
GigabitEthernet0/0 PROD 5
GigabitEthernet0/1 INSIDE 10
DVCI-UTS-FW-5520(config)# sh ver
Cisco Adaptive Security Appliance Software Version 8.3(1)
Device Manager Version 6.3(1)
Compiled on Thu 04-Mar-10 16:56 by builders
System image file is "disk0:/asa831-k8.bin"
Config file at boot was "startup-config"
Can someone throw some light on what I am doing wrong?
Thanks
Govind
02-06-2012 05:16 AM
Govind
Can you post the output of show access-list access-list01?
HTH
Rick
03-15-2012 04:28 AM
Hello,
You have another line in your config that reads:
aaa authentication include xxxxx
You cannot use both "aaa authentication include" and "aaa authentication match", as they cannot coexist in the config.
From Cisco Site:
"To enable authorization for traffic that is specified by an access list, use the aaa authorization match command. You cannot use the match command in the same configuration as the include and exclude commands. We suggest that you use the match command instead of the include and exclude commands; the include and exclude commands are not supported by ASDM."
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1537397
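What the migration from the include form to the match form looks like on the ASA CLI, as an added example that is not part of this thread. The existing include line, the RADIUS server address (192.0.2.10, documentation range), the shared-secret placeholder and the access-list entries are assumed; the interface, access-list and server-tag names are taken from the original post.

```text
! --- Before (constructed): a legacy include-style rule is present, which is
!     why any later "aaa authentication match" command on the same box fails
aaa-server Radius-server protocol radius
aaa-server Radius-server (PROD) host 192.0.2.10
 key <radius-shared-secret>
aaa authentication include any PROD 0.0.0.0 0.0.0.0 Radius-server

! --- After: remove the include line first; the two styles cannot coexist
no aaa authentication include any PROD 0.0.0.0 0.0.0.0 Radius-server

! Describe the traffic to authenticate with an access list (constructed:
! web sessions arriving on PROD, destined for the 10.10.0.0/16 inside range)
access-list access-list01 extended permit tcp any 10.10.0.0 255.255.0.0 eq www
access-list access-list01 extended permit tcp any 10.10.0.0 255.255.0.0 eq https

! Apply cut-through proxy authentication to that traffic on the interface
! where it enters the ASA; the server tag must be an existing aaa-server group
aaa authentication match access-list01 PROD Radius-server

! Verify that no include/exclude lines remain and that the match line took effect
show running-config aaa authentication
show access-list access-list01
```

If the include line is not visible in `show running-config aaa`, `clear configure aaa` removes every aaa line at once, so re-enter the aaa-server group afterwards.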