topic tacacs+ authentication problem in Network Security

tacacs+ authentication problem

Colin Higgins — Tue, 12 Mar 2019 02:35:55 GMT

I have a ASA services module running in a 6500

I have configured a firewalled vlan for management (172.25.50.x) and applied a permissive access list inbound and outbound to it

I added the ASA as a client on the Cisco ACS (tacacs) server and double-checked the key

The ACS server can ping the firewall, and the firewall can ping the ACS server.

I've issued the following commands on the ASA

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server TACACS+ (mgmt) host 172.25.32.80 <key> timeout 5

aaa authentication ssh console TACACS+

username <user> password <password> priv 15

when I ssh to the ASA, the firewall is not using tacacs+. It is using the local database instead.

There is no activity i the ACS logs

So the firewall isn't even attempting to use tacacs+

Is there something I am missing here?

Julio Carvajal — Mon, 09 Sep 2013 20:11:34 GMT

Hello Colin,

Can you share

show run ssh

show run aaa

show run aaa-server

test aaa-server TACACS+

172.25.32.80

username whatever

password whatever

And provide the outputs

For more information about Core and Security Networking follow my website at http://laguiadelnetworking.com

Any question contact me at jcarvaja@laguiadelnetworking.com

Cheers,

Julio Carvajal Segura

Colin Higgins — Tue, 10 Sep 2013 18:23:41 GMT

When I did the test aaa-server it worked, and I realized I forgot to add

aaa authentication enable console TACACS+

to the ASA

this made everything work correctly. Thanks for your help!

Julio Carvajal — Tue, 10 Sep 2013 18:48:00 GMT

Hello Colin,

So it was a problem with the enable password and not with the SSH authentication

Glad to know its up and running now