tacacs+ authentication problem

Colin Higgins
Level 2

I have an ASA services module running in a 6500.

I have configured a firewalled vlan for management (172.25.50.x) and applied a permissive access list inbound and outbound to it

I added the ASA as a client on the Cisco ACS (tacacs) server and double-checked the key

The ACS server can ping the firewall, and the firewall can ping the ACS server.

I've issued the following commands on the ASA

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (mgmt) host 172.25.32.80 <key> timeout 5
aaa authentication ssh console TACACS+
username <user> password <password> priv 15

when I ssh to the ASA, the firewall is not using tacacs+. It is using the local database instead.

There is no activity in the ACS logs.

So the firewall isn't even attempting to use tacacs+

Is there something I am missing here?


Julio Carvajal
VIP Alumni (Accepted Solution)

Hello Colin,

Can you share

show run ssh
show run aaa
show run aaa-server
test aaa-server authentication TACACS+ host 172.25.32.80 username whatever password whatever

And provide the outputs

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

When I did the test aaa-server it worked, and I realized I forgot to add

aaa authentication enable console TACACS+

to the ASA

This made everything work correctly. Thanks for your help!
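As an added example (not code from the thread, from Cisco, or from either poster), here is a small Python check that parses the `aaa-server` and `aaa authentication ... console` lines of an ASA running-config and flags the gap Colin hit: a login method pointed at a TACACS+ server group with no matching `aaa authentication enable console` line. The two sample configurations are constructed to mirror the one posted above, with the shared key and password redacted; the regular expressions only cover the line forms that appear in the thread, and the group name `TACACS+` is the one from the post.

```python
"""Static check of an ASA AAA configuration for the mismatch in this thread:
SSH console authentication points at a TACACS+ server group, but no
'aaa authentication enable console' line exists for the enable prompt.

Constructed sample input; not the poster's actual running-config.
"""
import re

# Constructed to mirror the configuration posted in the thread (secrets redacted).
POSTED_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (mgmt) host 172.25.32.80 REDACTED timeout 5
aaa authentication ssh console TACACS+
username admin password REDACTED privilege 15
"""

# The same configuration plus the line the poster found was missing.
FIXED_CONFIG = POSTED_CONFIG + "aaa authentication enable console TACACS+\n"

GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)")
AUTHEN_RE = re.compile(
    r"^aaa authentication (ssh|telnet|http|serial|enable) console (\S+)( LOCAL)?$"
)


def parse_aaa(config: str):
    """Return (server_groups, login_methods) parsed from an ASA config text.

    server_groups: tag -> {"protocol": str, "hosts": [ip, ...]}
    login_methods: access ("ssh", "enable", ...) -> (group_tag, has_local_fallback)
    """
    groups, methods = {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := GROUP_RE.match(line):
            groups[m.group(1)] = {"protocol": m.group(2), "hosts": []}
        elif m := HOST_RE.match(line):
            groups.setdefault(m.group(1), {"protocol": "?", "hosts": []})
            groups[m.group(1)]["hosts"].append(m.group(3))
        elif m := AUTHEN_RE.match(line):
            methods[m.group(1)] = (m.group(2), m.group(3) is not None)
    return groups, methods


def check_aaa(config: str):
    """Return a list of finding strings; an empty list means nothing to report."""
    groups, methods = parse_aaa(config)
    findings = []
    remote_groups = set()
    for access, (group, fallback) in methods.items():
        if group == "LOCAL":
            continue
        remote_groups.add(group)
        if group not in groups:
            findings.append(f"{access}: server group {group} is not defined")
        elif not groups[group]["hosts"]:
            findings.append(f"{access}: server group {group} has no host")
        if not fallback:
            # 'aaa authentication ssh console TACACS+ LOCAL' would fall back to
            # the local user database when the whole group is marked dead.
            findings.append(
                f"{access}: no LOCAL fallback; lockout if {group} is unreachable"
            )
    # The thread's bug: a remote group for login, but enable left unconfigured.
    if remote_groups and "enable" not in methods:
        for group in sorted(remote_groups):
            findings.append(
                "enable: not configured; add "
                f"'aaa authentication enable console {group}'"
            )
    return findings


if __name__ == "__main__":
    for name, cfg in (("posted", POSTED_CONFIG), ("fixed", FIXED_CONFIG)):
        print(f"== {name} ==")
        for finding in check_aaa(cfg) or ["no findings"]:
            print(" ", finding)
```

Run it against the output of `show run aaa` and `show run aaa-server` pasted into a file. The LOCAL-fallback warning fires on both sample configs on purpose: it is the one thing worth deciding before pointing management access at a server that is only reachable through a firewalled management VLAN.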

Hello Colin,

So it was a problem with the enable password and not with the SSH authentication.

Glad to know it's up and running now.
