https://community.cisco.com/t5/network-access-control/asa-5520-failover-exec-aaa-authorization-failed/m-p/2165495#M133271 <P>Hello - </P><P></P><P>I have a pair of ASA 5520 firewalls running in active/standby mode on 8.3.2.34 code. My configuration performs authentication/authorization into ACS 5.1, however command authorization is failing when I try to execute a command on the standby from the active unit...</P><P></P><P>failover exec standby dir disk0:/</P><P></P><P>Fallback authorization. Username 'adminuser' not in LOCAL database</P><P>Command authorization failed</P><P></P><P>I don't even see the authentication attempt going into ACS. Any ideas?</P><P></P><P>Thanks!</P><P></P><P>Darren</P> Mon, 11 Mar 2019 03:12:23 GMT Darren Roback 2019-03-11T03:12:23Z https://community.cisco.com/t5/network-access-control/asa-5520-failover-exec-aaa-authorization-failed/m-p/2165495#M133271 <P>Hello - </P><P></P><P>I have a pair of ASA 5520 firewalls running in active/standby mode on 8.3.2.34 code. My configuration performs authentication/authorization into ACS 5.1, however command authorization is failing when I try to execute a command on the standby from the active unit...</P><P></P><P>failover exec standby dir disk0:/</P><P></P><P>Fallback authorization. Username 'adminuser' not in LOCAL database</P><P>Command authorization failed</P><P></P><P>I don't even see the authentication attempt going into ACS. Any ideas?</P><P></P><P>Thanks!</P><P></P><P>Darren</P> Mon, 11 Mar 2019 03:12:23 GMT https://community.cisco.com/t5/network-access-control/asa-5520-failover-exec-aaa-authorization-failed/m-p/2165495#M133271 Darren Roback 2019-03-11T03:12:23Z https://community.cisco.com/t5/network-access-control/asa-5520-failover-exec-aaa-authorization-failed/m-p/2165496#M133317 <HTML><HEAD></HEAD><BODY><P>Here's my AAA configuration:</P><P></P><P>aaa authentication ssh console TACACS LOCAL</P><P>aaa authentication http console TACACS LOCAL</P><P>aaa authentication enable console TACACS LOCAL</P><P>aaa authorization command TACACS LOCAL</P><P>aaa accounting ssh console TACACS</P><P>aaa accounting enable console TACACS</P><P>aaa accounting command TACACS</P><P>aaa authorization exec authentication-server</P></BODY></HTML> Fri, 15 Mar 2013 22:05:09 GMT https://community.cisco.com/t5/network-access-control/asa-5520-failover-exec-aaa-authorization-failed/m-p/2165496#M133317 Darren Roback 2013-03-15T22:05:09Z https://community.cisco.com/t5/network-access-control/asa-5520-failover-exec-aaa-authorization-failed/m-p/2165497#M133345 <HTML><HEAD></HEAD><BODY><P>Darren,</P><P></P><P>This bug looks like it is resolved in version 8.4(1), here is a bug that matches your symptom:</P><P></P><P><A class="jive-link-external-small" href="http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?caller=pluginredirector&amp;method=fetchBugDetails&amp;bugId=">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?caller=pluginredirector&amp;method=fetchBugDetails&amp;bugId=</A><A href="https://www.cisco.com/cisco/psn/bssprt/bss?searchType=bstbugidsearch&amp;page=bstBugDetail&amp;BugID=CSCti22636" target="_blank">CSCti22636</A></P><P></P><TABLE border="0" cellpadding="5" cellspacing="2" width="100%"><TBODY><TR><TD colspan="2" style="font-size: 88%; padding: 8px 8px 8px 8px;"><STRONG>"failover exec standby" TACACS+ authorization failure </STRONG> </TD></TR><TR><TD style="font-size: 88%; padding: 0px 8px 8px 8px;" valign="top"><STRONG>Symptom:</STRONG><P></P>Currently Standby ASA uses "enable_1"&nbsp; username for authorization requests when "failover exec standby" command&nbsp; is run on the Active ASA in failover pair. This leads to authorization&nbsp; failures on TACACS+ server unless the "enable_1" user is created there&nbsp; and privilege 15 is granted to this user.<P></P><STRONG><STRONG>Conditions</STRONG>:</STRONG><P></P>This is a limitation of all software releases where the "failover exec standby" feature is implemented.<P></P><STRONG>Workaround:</STRONG><P></P>The workaround is:<BR />- create a user account "enable_1" on TACACS+ server with any random password;<BR />- grant "privilege = 15" and full access on all commands to this user.</TD></TR></TBODY></TABLE><P></P><P></P><P>Thanks,</P><P></P><P></P><P>Tarik Admani <BR />*Please rate helpful posts*</P></BODY></HTML> Mon, 18 Mar 2013 07:32:21 GMT https://community.cisco.com/t5/network-access-control/asa-5520-failover-exec-aaa-authorization-failed/m-p/2165497#M133345 Tarik Admani 2013-03-18T07:32:21Z https://community.cisco.com/t5/network-access-control/asa-5520-failover-exec-aaa-authorization-failed/m-p/4086596#M560448 <P>If your running the REST API on your firewall, this fix exposes the API and will not allow upstream TACACS auth on the API due to the local enable_1 user.</P> Fri, 15 May 2020 13:48:16 GMT https://community.cisco.com/t5/network-access-control/asa-5520-failover-exec-aaa-authorization-failed/m-p/4086596#M560448 NSutfin 2020-05-15T13:48:16Z