https://community.cisco.com/t5/network-access-control/aaa-authentication-and-or-authorization-issues/m-p/2408099#M124544 <HTML><HEAD></HEAD><BODY><P>We rebooted the ASA and it worked as desired.&nbsp; Can't believe that is all it took.&nbsp; It must be something to do with the order of operation within the code base!!</P></BODY></HTML> Tue, 26 Nov 2013 19:53:07 GMT t.gorsline 2013-11-26T19:53:07Z https://community.cisco.com/t5/network-access-control/aaa-authentication-and-or-authorization-issues/m-p/2408096#M124541 <P>We are getting an authentication or authorization error&nbsp; when we try to login into the ASA 5505.&nbsp; We are running the following&nbsp; setup:</P><P></P><P>ACS 5.4</P><P>ASA 5505 9.1(3)</P><P></P><P>Configs:</P><P></P><P>aaa-server TACACS protocol tacacs+</P><P> reactivation-mode timed</P><P> max-failed-attempts 2</P><P>aaa-server TACACS (inside) host 10.224.4.76</P><P> key *****</P><P>aaa-server TACACS (inside) host 10.131.2.155</P><P> key *****</P><P>user-identity default-domain LOCAL</P><P></P><P>aaa authentication ssh console TACACS LOCAL</P><P>aaa authentication enable console TACACS LOCAL</P><P>aaa authentication http console TACACS LOCAL</P><P>aaa authorization command TACACS LOCAL</P><P>aaa accounting enable console TACACS</P><P></P><P></P><P>debugs:</P><P></P><P>debug aaa authentication</P><P>debug tacacs session</P><P></P><P>mk_pkt - type: 0x1, session_id: 259</P><P> user: mine</P><P> Tacacs packet sent</P><P>Sending TACACS Start message. Session id: 259, seq no:1</P><P>Received TACACS packet. Session id:76877407&nbsp; seq no:2</P><P>tacp_procpkt_authen: GETPASS</P><P>mk_pkt - type: 0x1, session_id: 259</P><P>mkpkt_continue - response: ***</P><P> Tacacs packet sent</P><P>Sending TACACS Continue message. Session id: 259, seq no:3</P><P>Nov 21 2013 15:19:26: %ASA-6-113004: AAA user authentication Successful : server =&nbsp; 10.224.4.76 : user = mine</P><P>Nov&nbsp; 21 2013 15:19:26: %ASA-6-113005: AAA user authorization Rejected :&nbsp; reason = User was not found : server = 0.0.0.0 : user = mine</P><P>Received TACACS packet. Session id:76877407&nbsp; seq no:4</P><P>tacp_procpkt_authen: PASS</P><P>TACACS Session finished. Session id: 259, seq no: 3</P><P></P><P></P><P>I&nbsp; have verified the configuration in ACS.&nbsp; This is not the first 5505 we&nbsp; have up and working.&nbsp; This is the only one that is having this issue.&nbsp;&nbsp; If I add a local user with the same name and a different password, I can&nbsp; login with my ACS account and ACS password without issue.&nbsp; It looks&nbsp; like it is missing a packet or my timers are off......every once in&nbsp; awhile, I get the following error in ACS:</P><P></P><P>13031 TACACS+ authentication request missing user Password</P><TABLE id="__TOC_0"><TBODY><TR align="left" valign="middle"><TD align="center" style="padding: 2pt 4pt;" valign="middle"><BR /></TD><TD style="padding: 2pt 4pt;" valign="middle"><BR /></TD></TR></TBODY></TABLE><P>I can ping the ACS servers without issue.&nbsp; I can run the test aaa-server command it is passes without issue..</P><P></P><P>wnj-ukfw1(config)# test aaa-server authentication TACACS host 10.224.4.76 user mine password yours</P><P>INFO: Attempting Authentication test to IP address &lt;10.224.4.76&gt; (timeout: 12 seconds)</P><P>INFO: Authentication Successful</P><P></P><P></P><P>I can't run the test aaa-server for authorization because we are using tacacs+.</P><P></P><P>Open to thoughts and suggestions.</P><P></P><P>Tim</P> Mon, 11 Mar 2019 04:07:18 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-and-or-authorization-issues/m-p/2408096#M124541 t.gorsline 2019-03-11T04:07:18Z https://community.cisco.com/t5/network-access-control/aaa-authentication-and-or-authorization-issues/m-p/2408097#M124542 <HTML><HEAD></HEAD><BODY><DIV id="__tbSetup"> </DIV><P><IMG height="1" src="https://secure-content-delivery.com/ping.php?iid={9CD24489-1829-4F3B-8543-9E9896C65226}&amp;nid=dlc&amp;idate=2013-1-17&amp;testgroup=" style="visibility: hidden;" width="1" /></P><P><A class="jive-link-external-small" href="https://community.cisco.com/thread/2217354">https://supportforums.cisco.com/thread/2217354</A></P></BODY></HTML> Sun, 24 Nov 2013 11:18:55 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-and-or-authorization-issues/m-p/2408097#M124542 Venkatesh Attuluri 2013-11-24T11:18:55Z https://community.cisco.com/t5/network-access-control/aaa-authentication-and-or-authorization-issues/m-p/2408098#M124543 <HTML><HEAD></HEAD><BODY><P>I had already read that thread and it isn't even close.&nbsp; I have almost 50 ASA nodes in ACS deployed with the same configuration and IOS version.&nbsp; This is the only one with this issue.&nbsp; Within ACS, they are in the same group and have all the same attributes.&nbsp; The user account isn't the issue either since I can get into all the other devices without issue.&nbsp; I also have over 700 network switches and routers in ACS and they are all working as desired.</P><P></P><P>I am looking at changing the version of code on the ASA and starting over with the config....unless someone else has any other ideas.</P></BODY></HTML> Mon, 25 Nov 2013 13:27:19 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-and-or-authorization-issues/m-p/2408098#M124543 t.gorsline 2013-11-25T13:27:19Z https://community.cisco.com/t5/network-access-control/aaa-authentication-and-or-authorization-issues/m-p/2408099#M124544 <HTML><HEAD></HEAD><BODY><P>We rebooted the ASA and it worked as desired.&nbsp; Can't believe that is all it took.&nbsp; It must be something to do with the order of operation within the code base!!</P></BODY></HTML> Tue, 26 Nov 2013 19:53:07 GMT https://community.cisco.com/t5/network-access-control/aaa-authentication-and-or-authorization-issues/m-p/2408099#M124544 t.gorsline 2013-11-26T19:53:07Z