topic Hi,I would request you to in Network Security

Why cannot tacacs users access failover ASA ?

wfqk — Wed, 13 Mar 2019 01:08:23 GMT

Dear All

We set up failover ASA. but the tacacs users cannot access failover ASA5555 ? when the user access the ASA, the password do not work. In order to solve the problem, I create new username in the ASA, and then the new user can access the ASA. At same time, tacacs users can access other devices, which means tacacs ACS is working well. Any one can give me some suggestion ? Thank you

Hi,Can you share with us the

Vibhor Amrodia — Wed, 10 Jun 2015 14:38:38 GMT

Hi,

Can you share with us the ASA AAA configuration please ? From the looks of the issue , it seems that the AAA authentication is only looking at the LOCAL database and not TACACS

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor,Thank you so much

wfqk — Wed, 10 Jun 2015 19:53:33 GMT

Hi Vibhor,

Thank you so much for your reply. Right, the AAA authentication is only looking at the LOCAL database and not TACACS. The below is failover and SSH configuration, which I simplified since it is for production. Please let me know if you need any info.

--------------------------------------------

interface GigabitEthernet0/0

description "Connections to C1 eth8/20"

channel-group 1 mode on

no nameif

no security-level

no ip address

interface GigabitEthernet0/1

description "Connections to C1 eth8/21"

channel-group 1 mode on

no nameif

no security-level

no ip address

interface GigabitEthernet0/2

description "Connections to C1 eth8/22"

channel-group 1 mode on

no nameif

no security-level

no ip address

interface GigabitEthernet0/3

description "Connections to C1 eth8/23"

channel-group 1 mode on

no nameif

no security-level

no ip address

interface GigabitEthernet0/7

description LAN Failover Interface

interface Management0/0

management-only

nameif management

security-level 100

ip address 10.20.10.65 255.255.255.0 standby 10.20.10.66

interface Port-channel1

description EtherChannel to C1

no nameif

no security-level

no ip address

interface Port-channel1.2

description Outside to Internet 215.113.16.0/24

shutdown

vlan 20

nameif outside

security-level 0

ip address 215.113.16.250 255.255.255.0 standby 215.113.16.251

interface Port-channel1.9

shutdown

vlan 99

nameif inside

security-level 100

ip address 10.20.2.250 255.255.255.0 standby 10.20.2.251

aaa-server tacacs protocol tacacs+

aaa-server tacacs (management) host 10.20.6.10

user-identity default-domain LOCAL

aaa authentication ssh console tacacs LOCAL

ssh 0.0.0.0 0.0.0.0 management

ssh timeout 5

ssh key-exchange group dh-group1-sha1

----------------------------

I used the command --- crypto key generate rsa modulus 1024, but show run does not show it

Hi,I would request you to

Vibhor Amrodia — Thu, 11 Jun 2015 16:56:28 GMT

Hi,

I would request you to check the status of the TACACS server on the ASA device ?

Also , try to test the username and password against the TACACS and see if it works ?

show aaa-server

test aaa authentication <server name> username password

Thanks and Regards,

Vibhor Amrodia