https://community.cisco.com/t5/network-access-control/tacacs-ssh-authentication-to-asa-fo-problem/m-p/1513248#M297054 <P>Dear,</P><P></P><P>I manage an ASA 5540 Active/Failover pair. SSH authentication is done through TACACS+ to ACS 4.2 located in the same VLAN as the inside interface of the firewalls. I have added both firewalls on to the ACS using their inside interface IP addresses (using the active and standby addresses). I can succesfully authenticate and login to the Active ASA without any problem. But on the standby ASA, I get SSH prompt but I could not login. When I see the failed attempts log under the ACS, I see "Unknown NAS" listed for the standby ASA. How can I solve this problem?</P><P></P><P>best regards,</P><P></P><P>Abebe Amare</P><P>Network Engineer, VivaCell</P> Mon, 11 Mar 2019 00:27:59 GMT cisabucho 2019-03-11T00:27:59Z https://community.cisco.com/t5/network-access-control/tacacs-ssh-authentication-to-asa-fo-problem/m-p/1513248#M297054 <P>Dear,</P><P></P><P>I manage an ASA 5540 Active/Failover pair. SSH authentication is done through TACACS+ to ACS 4.2 located in the same VLAN as the inside interface of the firewalls. I have added both firewalls on to the ACS using their inside interface IP addresses (using the active and standby addresses). I can succesfully authenticate and login to the Active ASA without any problem. But on the standby ASA, I get SSH prompt but I could not login. When I see the failed attempts log under the ACS, I see "Unknown NAS" listed for the standby ASA. How can I solve this problem?</P><P></P><P>best regards,</P><P></P><P>Abebe Amare</P><P>Network Engineer, VivaCell</P> Mon, 11 Mar 2019 00:27:59 GMT https://community.cisco.com/t5/network-access-control/tacacs-ssh-authentication-to-asa-fo-problem/m-p/1513248#M297054 cisabucho 2019-03-11T00:27:59Z https://community.cisco.com/t5/network-access-control/tacacs-ssh-authentication-to-asa-fo-problem/m-p/1513249#M297079 <HTML><HEAD></HEAD><BODY><P>Hi Abebe,</P><P></P><P>On the secondary ASA, please check the following:</P><P></P><P>sh failover&nbsp;&nbsp;&nbsp; ---&gt; and make sure the secondary is in standby ready and not failed.</P><P>sh aaa-server&nbsp;&nbsp;&nbsp; ----&gt; check the output and see if the ASA has marked the tacacs server as "UP" and exchange of packets.</P><P>Enable follwoing debugs and run a test authentication as mentioned:</P><P></P><P>debug aaa authentication</P><P>debug tacacs</P><P>debug ssh</P><P></P><P><SPAN class="questionBody">test aaa-server authentication <TACACS> host <SERVER ip="">&nbsp; username "insert name" password "insert password"</SERVER></TACACS></SPAN></P><P></P><P>Provide me the debugs after taking out your username in it so that i can analyze.</P><P></P><P>Cheers,</P><P>Rudresh V</P></BODY></HTML> Tue, 05 Oct 2010 12:05:02 GMT https://community.cisco.com/t5/network-access-control/tacacs-ssh-authentication-to-asa-fo-problem/m-p/1513249#M297079 Rudresh Veerappaji 2010-10-05T12:05:02Z https://community.cisco.com/t5/network-access-control/tacacs-ssh-authentication-to-asa-fo-problem/m-p/1513250#M297123 <HTML><HEAD></HEAD><BODY><P>Dear Rudresh,</P><P></P><P>When I do a sh aaa-server I got the following:</P><P>ASA-01# sh aaa-server<BR />Server Group:&nbsp;&nbsp;&nbsp; ACS<BR />Server Protocol: tacacs+<BR />Server Address:&nbsp; 192.168.x.xx<BR />Server port:&nbsp;&nbsp;&nbsp;&nbsp; 49<BR />Server status:&nbsp;&nbsp; ACTIVE, Last transaction at unknown<BR />Number of pending requests&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />Average round trip time&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0ms<BR />Number of authentication requests&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />Number of authorization requests&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />Number of accounting requests&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />Number of retransmissions&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />Number of accepts&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />Number of rejects&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />Number of challenges&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />Number of malformed responses&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />Number of bad authenticators&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />Number of timeouts&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0<BR />Number of unrecognized responses&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; 0</P><P></P><P>This made me to double check the configuration. I define the same ACS server twice with different name and protocol (once for RADIUS to authenticate VPN sessions and the other for TACACS+ to authenticate device access). So it turned out I put the wrong server name under ssh authentication.</P><P></P><P>Thanks for pointing me in the right direction and I give you full marks.</P><P></P><P>best regards,</P><P></P><P>Abebe Amare</P></BODY></HTML> Tue, 05 Oct 2010 13:39:39 GMT https://community.cisco.com/t5/network-access-control/tacacs-ssh-authentication-to-asa-fo-problem/m-p/1513250#M297123 cisabucho 2010-10-05T13:39:39Z