topic Re: Problem with TACACS+ using ASA5545, ACS 5.4 in Network Access Control

Problem with TACACS+ using ASA5545, ACS 5.4

deanlee10 — Mon, 11 Mar 2019 03:26:21 GMT

I am trying to access an ASA 5545 using TACACS+. I have the ASA configured as follows:

aaa-server tacacs+ protocol tacacs+

aaa-server tacacs+ (inside) host 10.x.x.x

timeout 15

key *****

user-identity default-domain LOCAL

aaa authentication enable console LOCAL

aaa authentication telnet console tacacs+ LOCAL

aaa authentication ssh console tacacs+ LOCAL

aaa authenticaiton http console tacacs+ LOCAL

aaa authorization command tacacs+ LOCAL

aaa authorization exec authentication-server

I have added the ASA in ACS with the correct IP and the correct key.

When I try to test the authentication via test aaa-server authentication tacacs+ host 10.x.x.x username cisco password cisco, I get:

ERROR: Authentication Server not responding: No error.

Any ideas on how to fix this issue and allow tacacs authentication when logging into the ASA?

Problem with TACACS+ using ASA5545, ACS 5.4

Jatin Katyal — Wed, 15 May 2013 17:13:50 GMT

could you please turn on the debugs:

debug tacacs

debug aaa authentication.

also, are you able to ping the server using inside interface.

Provide show aaa-server output as well.

Jatin Katyal
- Do rate helpful posts -

Re: Problem with TACACS+ using ASA5545, ACS 5.4

deanlee10 — Wed, 15 May 2013 17:42:26 GMT

yes, can ping successfully.

ASA # ping 10.x.x.x

Type escape sequence to abort.

Sending 5, 100-byte ICMP Echos to 10.x.x.x, timeout is 2 seconds:

!!!!!

Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ASA# show aaa-server Server Group: LOCAL

Server Protocol: Local database

Server Address: None

Server port: None

Server status: ACTIVE, Last transaction at 17:33:50 UTC Wed May 15 2013

Number of pending requests 0

Average round trip time 0ms

Number of authentication requests 255

Number of authorization requests 39

Number of accounting requests 0

Number of retransmissions 0

Number of accepts 274

Number of rejects 20

Number of challenges 0

Number of malformed responses 0

Number of bad authenticators 0

Number of timeouts 0

Number of unrecognized responses 0

Server Group: tacacs+

Server Protocol: tacacs+

Server Address: 10.x.x.x

Server port: 49

Server status: FAILED, Server disabled at 17:33:30 UTC Wed May 15 2013

Number of pending requests 0

Average round trip time 0ms

Number of authentication requests 10

Number of authorization requests 6

Number of accounting requests 0

Number of retransmissions 0

Number of accepts 0

Number of rejects 0

Number of challenges 0

Number of malformed responses 0

Number of bad authenticators 0

Number of timeouts 16

Number of unrecognized responses 0

Re: Problem with TACACS+ using ASA5545, ACS 5.4

Jatin Katyal — Wed, 15 May 2013 17:50:27 GMT

Can we check the debugs as well.

Do add the following changes:

aaa-server tacacs+ protocol tacacs+

no aaa-server tacacs+ (inside) host 10.x.x.x

aaa-server tacacs+ (inside) host 10.x.x.x

reactivation-mode timed

exit

Jatin Katyal

- Do rate helpful posts -

Re: Problem with TACACS+ using ASA5545, ACS 5.4

deanlee10 — Wed, 15 May 2013 18:04:22 GMT

There is no output when I enter turn debugging on.

I entered the commands you recommeneded. No change.

Re: Problem with TACACS+ using ASA5545, ACS 5.4

minkumar — Wed, 15 May 2013 18:16:55 GMT

Hi Dean

Can you run the following command:

#term mon

take debugs and share the output.

Regards

Minakshi ( do rate the helpful posts:

Re: Problem with TACACS+ using ASA5545, ACS 5.4

deanlee10 — Thu, 16 May 2013 18:14:20 GMT

Hello,

I was able to get the tacacs working, however, now I am unable to enter the privilege level. My tacacs account is privilege level 15. Also, now my local username/password does not work to get into the device. Anyway to get back in and also to solve the "enable" issue?

Re: Problem with TACACS+ using ASA5545, ACS 5.4

minkumar — Thu, 16 May 2013 18:34:51 GMT

Hi Dean,

Check in the passed authentication, which shell profile is being used by the user and push default privilege 15 under ACS 5.4.

It should work.

Regards

Minakshi (Do rate the helpful posts )

Re: Problem with TACACS+ using ASA5545, ACS 5.4

Jatin Katyal — Thu, 16 May 2013 18:36:32 GMT

In order to access the security appliance you have to type enable followed by enable password unlike IOS devices. There you can land directly to privilege exec mode. Now, If your local credentials are not working than in that case my question would be; Is your tacacs still up and running? If yes, than it would always hit the tacacs at very first place and get failed. It will never check the local database. In order to test that tacacs should not be accessible.

Jatin Katyal

- Do rate helpful posts -

Re: Problem with TACACS+ using ASA5545, ACS 5.4

deanlee10 — Thu, 16 May 2013 18:57:35 GMT

Tacacs server is up and running. Verified local credentials still work when tacacs is disabled.

What kind of problems could I be running into where I can login to the device via tacacs, but cannot enable to privilege exec mode using the same tacacs password?

Re: Problem with TACACS+ using ASA5545, ACS 5.4

Jatin Katyal — Thu, 16 May 2013 19:38:02 GMT

you will not be able to access the device and execute the commands from privelege exec command. Why would you not be able to access using enable password if it's configured as to use as PAP password on tacacs 4.2

Jatin Katyal

- Do rate helpful posts -

Re: Problem with TACACS+ using ASA5545, ACS 5.4

deanlee10 — Thu, 16 May 2013 20:12:13 GMT

I think there is a miscommunication:

The goal is for me to be able to ssh into the device using my tacacs credentials, which I can do.

I then want to be able to type "enable" and be prompted for my tacacs password, which I would then enter to access privilege exec mode, This is the part I am having problems with. I am currently unable to enter privilege exec mode with my tacacs password. If this is not possible, then that's fine, I can access it with the local password, but I am looking for help to be able to accomplish this.

Re: Problem with TACACS+ using ASA5545, ACS 5.4

Jatin Katyal — Thu, 16 May 2013 20:31:54 GMT

what tacacs server are you using? If acs 4.x, check reports and activity ...you must be getting "enable privilege is too low" (Most probable error)...after that you can go inside the user/group setup and set the enable privilege 15 under tacas+ settings.

Jatin Katyal

- Do rate helpful posts -

Re: Problem with TACACS+ using ASA5545, ACS 5.4

deanlee10 — Fri, 17 May 2013 12:56:59 GMT

As stated in the title, I am using ACS 5.4.

When I check the monitoring and reporting, I am getting the following error:

13031 TACACS+ authentication request missing user Password

Description:

The TACACS+ authentication request did not provide a user password

Resolution Steps:

The device is sending a TACACS+ authentication request that is missing informatino needed by ACS. Check the device to verify it is working properly and has up-to-date software.

The device is working properly and has up-to-date software.

Re: Problem with TACACS+ using ASA5545, ACS 5.4

Jatin Katyal — Fri, 17 May 2013 13:10:16 GMT

Dean, My bad I missed that part.

You would like to use enable password same as tacacs password. However, the command you have in ASA checking the enable password against asa local enable password.

can we replace this command

aaa authentication enable console LOCAL

with

aaa authentication enable console tacacs+ LOCAL

Let me know how it goes.

Jatin Katyal

- Do rate helpful posts -

Re: Problem with TACACS+ using ASA5545, ACS 5.4

deanlee10 — Fri, 17 May 2013 13:53:41 GMT

Jatin,

The 'aaa authentication enable console tacacs+ LOCAL' is currently on the device. I had it on the old command when I was still having problems even accessing the device via tacacs/ssh. Based on the failure code in the previous reply, it seems like ACS is having trouble communicating with the ASA when it needs to authenticate the enable password - it's as if when you enter the password on the ASA, it's not getting all the way to the ACS to authenticate. Is this just an error between the ACS version and the ASA software version?

Re: Problem with TACACS+ using ASA5545, ACS 5.4

Jatin Katyal — Fri, 17 May 2013 14:10:31 GMT

I actually recreated with ACS 5.4 and ASA 8.4(5) and its working fine.

ciscoasa# sh run aaa

aaa authentication telnet console TACACS LOCAL

aaa authentication ssh console TACACS LOCAL

aaa authentication enable console TACACS LOCAL

aaa accounting command privilege 15 TACACS

from policy elements

Jatin Katyal

- Do rate helpful posts -

Re: Problem with TACACS+ using ASA5545, ACS 5.4

deanlee10 — Fri, 17 May 2013 14:23:36 GMT

I also have the max privilege for the shell profile set to static/15. The ASA I am running has 9.1(1). Maybe there is a bug in the code?

Re: Problem with TACACS+ using ASA5545, ACS 5.4

Jatin Katyal — Fri, 17 May 2013 14:33:57 GMT

hmm...you must have already checked but make sure we are hitting the right authorization rule in the accesspolicy.

from access-policy

Jatin Katyal

- Do rate helpful posts -

Re: Problem with TACACS+ using ASA5545, ACS 5.4

deanlee10 — Fri, 17 May 2013 15:55:45 GMT

Jatin,

I don't know why this is the case, but when the ACS admin created my account, instead of creating a new account, he duplicated his account. For some reason this made it so I couldn't enable using my tacacs. He deleted my account and created it from scratch. This fixed the issue.