Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our test area to get started. And see here for current known issues.

New Member

Problem with "aaa authentication match" command configuration

Hi Experts,

I am facing problem while a configure below command in my ASA firewall-

aaa authentication match access-list01 PROD Radius-server

it throughs below error-

Hybrid configurations using 'match' and 'include|exclude' are not supported

Usage: [no] aaa mac-exempt match <mac-list-id>

        [no] aaa authentication secure-http-client

        [no] aaa authentication listener http|https <if_name> [port <port>] [redirect]

        [no] aaa authentication|authorization|accounting include|exclude <svc>

                <if_name> <l_ip> <l_mask> [<f_ip> <f_mask>] <server_tag>

        [no] aaa authentication serial|telnet|ssh|http|enable console

                <server_tag> [LOCAL]

        [no] aaa accounting telnet|ssh|serial|enable console <server_tag>

        [no] aaa authentication|authorization|accounting match

                <access_list_name> <if_name> <server_tag>

        [no] aaa authorization command {LOCAL | <tacacs_server_tag> [LOCAL]}

        [no] aaa authorization exec authentication-server

        [no] aaa accounting command {privilege <level>} <tacacs_server_tag>

        [no] aaa proxy-limit <proxy limit> | disable

        [no] aaa local authentication attempts max-fail <fail-attempts>

        clear configure aaa

        clear aaa local user {fail-attempts|lockout} {all | username <uname>}}

        show running-config [all] aaa [authentication|authorization|accounting


        show aaa local user [lockout] 

Pls note that PROD interface is in lower security level-

DVCI-UTS-FW-5520(config)# sh nameif

Interface                Name                     Security

GigabitEthernet0/0       PROD                       5

GigabitEthernet0/1       INSIDE                        10

DVCI-UTS-FW-5520(config)# sh ver

Cisco Adaptive Security Appliance Software Version 8.3(1)

Device Manager Version 6.3(1)

Compiled on Thu 04-Mar-10 16:56 by builders

System image file is "disk0:/asa831-k8.bin"

Config file at boot was "startup-config"

Can someone through some light what is wrong i am doing?



  • Firewalling
Hall of Fame Super Silver

Problem with "aaa authentication match" command configuration


Can you post the output of show access-list access-list01



Problem with "aaa authentication match" command configuration


You have another line in your config that reads:

aaa authentication include xxxxx

You can not use both "aaa authentication include" and "aaa authentication match" as they cannot coexist in the config.

From Cisco Site:

"To enable authorization for traffic that is specified by an access list, use the aaa authorization match command. You cannot use the match command in the same configuration as the include and exclude commands. We suggest that you use the match command instead of the include and exclude commands; the include and exclude commands are not supported by ASDM."