https://community.cisco.com/t5/network-access-control/acs-user-unknown-though-username-in-server/m-p/2359308#M224427 <HTML><HEAD></HEAD><BODY><P> I dont have any issue connecting VPN. SSL VPN is configured in that ASA only. VPN is connected but couldnt SSH ASA</P></BODY></HTML> Mon, 28 Oct 2013 09:16:05 GMT nirmalkumar 2013-10-28T09:16:05Z https://community.cisco.com/t5/network-access-control/acs-user-unknown-though-username-in-server/m-p/2359305#M224418 <P>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; All, Im facing very strange issue with my TACACS authentication. Normaly i connect my DC via SSL Anyconnect VPN then access all the Network devices, but since last week when i try to connect ASA i couldnt log in. I have user name in ACS server and the password authentication would redirect to RSA server. I can access other devices using my TACACS username and RSA passcode, but not only the ASA box. As rest of my team member can still access the ASA with their userid and passcode i dont think any issue in ASA box.</P><P></P><P>The error log message in ACS server is ACS user unknown.&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; </P> Mon, 11 Mar 2019 04:02:23 GMT https://community.cisco.com/t5/network-access-control/acs-user-unknown-though-username-in-server/m-p/2359305#M224418 nirmalkumar 2019-03-11T04:02:23Z https://community.cisco.com/t5/network-access-control/acs-user-unknown-though-username-in-server/m-p/2359306#M224421 <HTML><HEAD></HEAD><BODY><P>If rest of your team can access the vpn via same ASA and ACS then yes could be an issues with user account itself.</P><P></P><P>Can you locate your account on the ACS. Please verify.</P><P>What ACS/Tacacs server are you using?</P><P>If you have your account there then please try delete and add it again.</P><P></P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Mon, 28 Oct 2013 08:50:42 GMT https://community.cisco.com/t5/network-access-control/acs-user-unknown-though-username-in-server/m-p/2359306#M224421 Jatin Katyal 2013-10-28T08:50:42Z https://community.cisco.com/t5/network-access-control/acs-user-unknown-though-username-in-server/m-p/2359307#M224424 <HTML><HEAD></HEAD><BODY><P> Hello Jatin,</P><P></P><P>Yes I can see my username and its mapped to correct Group as well. I can even access other devices in DC with same username and RSA passcode. Im facing issue only with this ASA box. If there is some issue in ASA then other team member couldnt access but they can.</P><P></P><P>When i see the failed authentication log in ACS it show ACS user unknown and the group is default</P></BODY></HTML> Mon, 28 Oct 2013 09:15:00 GMT https://community.cisco.com/t5/network-access-control/acs-user-unknown-though-username-in-server/m-p/2359307#M224424 nirmalkumar 2013-10-28T09:15:00Z https://community.cisco.com/t5/network-access-control/acs-user-unknown-though-username-in-server/m-p/2359308#M224427 <HTML><HEAD></HEAD><BODY><P> I dont have any issue connecting VPN. SSL VPN is configured in that ASA only. VPN is connected but couldnt SSH ASA</P></BODY></HTML> Mon, 28 Oct 2013 09:16:05 GMT https://community.cisco.com/t5/network-access-control/acs-user-unknown-though-username-in-server/m-p/2359308#M224427 nirmalkumar 2013-10-28T09:16:05Z https://community.cisco.com/t5/network-access-control/acs-user-unknown-though-username-in-server/m-p/2359309#M224432 <HTML><HEAD></HEAD><BODY><P>So you can use the same username and passcode to rest of network devices while connected through vpn and when you ssh to your ASA, it prompts you for username / passcode then shows authentication failed. On the ACS when you check the failed attempts you see "ACS username unknown" and group appear as default.</P><P></P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Mon, 28 Oct 2013 09:47:19 GMT https://community.cisco.com/t5/network-access-control/acs-user-unknown-though-username-in-server/m-p/2359309#M224432 Jatin Katyal 2013-10-28T09:47:19Z https://community.cisco.com/t5/network-access-control/acs-user-unknown-though-username-in-server/m-p/2359310#M224440 <HTML><HEAD></HEAD><BODY><P> Yes exactly.</P><P></P><P>FYI..SSL is configured in that ASA only, i dont have any issue connecting VPN, facing issue only with the management traffic. Rest of my team member can access the ASA box with their username and passcode, they are also in same Group</P><P></P><P>NOTE : ACS verison is Cisco ACS 4.2</P></BODY></HTML> Mon, 28 Oct 2013 09:52:13 GMT https://community.cisco.com/t5/network-access-control/acs-user-unknown-though-username-in-server/m-p/2359310#M224440 nirmalkumar 2013-10-28T09:52:13Z https://community.cisco.com/t5/network-access-control/acs-user-unknown-though-username-in-server/m-p/2359311#M224445 <HTML><HEAD></HEAD><BODY><P>Weird <SPAN __jive_emoticon_name="confused" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/tiny_mce3/plugins/jiveemoticons/images/spacer.gif"></SPAN> ...f<SPAN style="font-size: 10pt;">or testing purpose, can you add new user account to the same group and check. If that works, t</SPAN><SPAN style="font-size: 10pt;">ry to delete your user account from ACS and re-add for testing purpose.</SPAN></P><P></P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Mon, 28 Oct 2013 09:56:01 GMT https://community.cisco.com/t5/network-access-control/acs-user-unknown-though-username-in-server/m-p/2359311#M224445 Jatin Katyal 2013-10-28T09:56:01Z https://community.cisco.com/t5/network-access-control/acs-user-unknown-though-username-in-server/m-p/2359312#M224453 <HTML><HEAD></HEAD><BODY><P>I need to access ACS via SSL vpn with the TACACS credentials, if i delete and re-configure will it break the VPN connetion?</P></BODY></HTML> Mon, 28 Oct 2013 10:00:49 GMT https://community.cisco.com/t5/network-access-control/acs-user-unknown-though-username-in-server/m-p/2359312#M224453 nirmalkumar 2013-10-28T10:00:49Z https://community.cisco.com/t5/network-access-control/acs-user-unknown-though-username-in-server/m-p/2359313#M224462 <HTML><HEAD></HEAD><BODY><P> Jatin,</P><P></P><P>I did what you said. i created a new&nbsp; userid and selected Password authentication for ACS internal database and manually assigned password. When i try to conncet SSL it was successful and also I can access all other device with new usrname and static password except that ASA.</P></BODY></HTML> Mon, 28 Oct 2013 10:13:05 GMT https://community.cisco.com/t5/network-access-control/acs-user-unknown-though-username-in-server/m-p/2359313#M224462 nirmalkumar 2013-10-28T10:13:05Z https://community.cisco.com/t5/network-access-control/acs-user-unknown-though-username-in-server/m-p/2359314#M224473 <HTML><HEAD></HEAD><BODY><P>Do you see the same error for the new userid as well.</P><P></P><P>Please attach show run from the ASA.</P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Mon, 28 Oct 2013 10:16:15 GMT https://community.cisco.com/t5/network-access-control/acs-user-unknown-though-username-in-server/m-p/2359314#M224473 Jatin Katyal 2013-10-28T10:16:15Z https://community.cisco.com/t5/network-access-control/acs-user-unknown-though-username-in-server/m-p/2359315#M224484 <HTML><HEAD></HEAD><BODY><P> Yes same error.</P><P></P><P>I cant access that ASA to get the running config. Accessing that remotely</P></BODY></HTML> Mon, 28 Oct 2013 10:19:32 GMT https://community.cisco.com/t5/network-access-control/acs-user-unknown-though-username-in-server/m-p/2359315#M224484 nirmalkumar 2013-10-28T10:19:32Z https://community.cisco.com/t5/network-access-control/acs-user-unknown-though-username-in-server/m-p/2359316#M224494 <HTML><HEAD></HEAD><BODY><P>To me it seems the shared secret being used on ASA to communicate with tacacs is mis-matched and that's a reason you&nbsp; are getting "ACS user unknown". This should be a problem all users who are trying to do ssh on ASA and authenticating against tacacs server. Why share-secret could be an issue because the shared secret being used to encrypt the packet is not same while decryption and that's why we are seeing unknown username.</P><P></P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Mon, 28 Oct 2013 12:34:22 GMT https://community.cisco.com/t5/network-access-control/acs-user-unknown-though-username-in-server/m-p/2359316#M224494 Jatin Katyal 2013-10-28T12:34:22Z https://community.cisco.com/t5/network-access-control/acs-user-unknown-though-username-in-server/m-p/2359317#M224510 <HTML><HEAD></HEAD><BODY><P> If that is the case how come rest of my team member can access the device? Will this type of issue can affect single userid?</P></BODY></HTML> Mon, 28 Oct 2013 12:40:02 GMT https://community.cisco.com/t5/network-access-control/acs-user-unknown-though-username-in-server/m-p/2359317#M224510 nirmalkumar 2013-10-28T12:40:02Z https://community.cisco.com/t5/network-access-control/acs-user-unknown-though-username-in-server/m-p/2359318#M224531 <HTML><HEAD></HEAD><BODY><P>My reasoning based on the last test we did with the new users. Other users also should not have access if shared secret is mismatched. However, it would be worth looking at shared secret on both the sides because unknown users only comes as an error.</P><P></P><P>1.] If we don't have user created in the defined database.</P><P>2.] Shared secret is wrong due to that ACS is looking up for a different user.</P><P></P><P></P><P>~BR <BR />Jatin Katyal <BR /> <BR />**Do rate helpful posts**</P></BODY></HTML> Mon, 28 Oct 2013 13:28:54 GMT https://community.cisco.com/t5/network-access-control/acs-user-unknown-though-username-in-server/m-p/2359318#M224531 Jatin Katyal 2013-10-28T13:28:54Z