Community Member

Switches and Routers can authenticate through ASA5520

Routers and switches (outside zone) can't authenticate using ACS (inside zone).

Even if I permit any any.

I can telnet to ACS port 49; I can also ping the ACS.

But there is no failed or passed attempt coming from devices in the outside zone.

4 REPLIES
Community Member

Re: Switches and Routers can authenticate through ASA5520

Have you added the devices in the ACS? Also, have you configured AAA on the routers and switches on the outside? A config of these will help answer better.

Hall of Fame Super Gold

Re: Switches and Routers can authenticate through ASA5520

Raman

If I understand the post from Mohammed correctly there are no failed attempts reported. If the issue were that they were not configured in ACS then there would be entries in the failed attempt log - indicating attempts from an unknown host.

Asking to see some configs from devices that do not work is a very reasonable thing. It would allow us to see if there were issues that might prevent authentication. And it would allow us to see if the source interface is specified. Mohammed says that he can telnet to the server on port 49 which demonstrates that there is IP connectivity using the default choice of interface. I would like to see if that is the same interface that AAA is using.

If there are no failed attempts reported then that implies that either the firewall is denying the requests (which Mohammed implies is not the case) or they are not being sent from the router, or they are being misdirected. If seeing the configs does not point toward a solution perhaps the output of debug tacacs authentication would be helpful.

HTH

Rick

Community Member

Re: Switches and Routers can authenticate through ASA5520

Actually, there is no failed or passed attempt at the ACS server.

The router is choosing to authenticate locally, as if it can't see the ACS.

But why can't it see the ACS?

Hall of Fame Super Gold

Re: Switches and Routers can authenticate through ASA5520

As I suggested in my previous post:

If there are no failed attempts reported then that implies that either the firewall is denying the requests (which Mohammed implies is not the case) or they are not being sent from the router, or they are being misdirected. If seeing the configs does not point toward a solution perhaps the output of debug tacacs authentication would be helpful.

Please post configs or post debug output.

HTH

Rick
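The two checks Rick asks for (is the AAA source interface the same one the telnet test used, and what does the router report when it tries to reach the server) can be made concrete with the following configuration. This is an added example, not a config posted in the thread: the addresses 192.0.2.10 (ACS) and 198.51.100.5 (outside router), the interface names, the ACL name OUTSIDE_IN and the shared key are placeholders.

```cisco
! --- Router / switch in the outside zone (IOS) ---
! Placeholder addresses, interfaces and key; not values from this thread.
aaa new-model
tacacs-server host 192.0.2.10 key 0 PLACEHOLDER_SHARED_KEY
! The source interface decides which address the TACACS+ request carries.
! An exec "telnet 192.0.2.10 49" uses the routing table's egress interface, so
! a successful telnet does not prove this address is the one the ASA and the
! ACS AAA-client entry expect.
ip tacacs source-interface GigabitEthernet0/1
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
line vty 0 4
 login authentication default

! Verify from the router instead of logging in repeatedly:
!   test aaa group tacacs+ testuser PLACEHOLDER_PASSWORD legacy
!   show tacacs                 (socket opens/closes/aborts, connect failures)
!   debug tacacs authentication (shows whether a request is sent and any reply)

! --- ASA5520: permit TACACS+ from the outside device to the ACS ---
! Use the AAA source address above, not just the address telnet happened to use.
access-list OUTSIDE_IN extended permit tcp host 198.51.100.5 host 192.0.2.10 eq tacacs
access-group OUTSIDE_IN in interface outside
! Simulate the exact flow the router will source:
!   packet-tracer input outside tcp 198.51.100.5 1025 192.0.2.10 49
```

If `show tacacs` shows connection aborts or `debug tacacs authentication` shows the request going out with no reply, the drop is between router and server (ACL, NAT or routing on the ASA for the source address used). If the request arrives and the ACS still logs nothing, the ACS has no AAA client entry or shared key matching that source address, which is Raman's point.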
