Problem with "aaa authentication match" command configuration

govind346 — Mon, 11 Mar 2019 22:21:53 GMT

Hi Experts,

I am facing problem while a configure below command in my ASA firewall-

aaa authentication match access-list01 PROD Radius-server

it throughs below error-

Hybrid configurations using 'match' and 'include|exclude' are not supported

Usage: [no] aaa mac-exempt match <mac-list-id>

[no] aaa authentication secure-http-client

[no] aaa authentication listener http|https <if_name> [port <port>] [redirect]

[no] aaa authentication|authorization|accounting include|exclude <svc>

<if_name> <l_ip> <l_mask> [<f_ip> <f_mask>] <server_tag>

[no] aaa authentication serial|telnet|ssh|http|enable console

<server_tag> [LOCAL]

[no] aaa accounting telnet|ssh|serial|enable console <server_tag>

[no] aaa authentication|authorization|accounting match

<access_list_name> <if_name> <server_tag>

[no] aaa authorization command {LOCAL | <tacacs_server_tag> [LOCAL]}

[no] aaa authorization exec authentication-server

[no] aaa accounting command {privilege <level>} <tacacs_server_tag>

[no] aaa proxy-limit <proxy limit> | disable

[no] aaa local authentication attempts max-fail <fail-attempts>

clear configure aaa

clear aaa local user {fail-attempts|lockout} {all | username <uname>}}

show running-config [all] aaa [authentication|authorization|accounting

|max-exempt|proxy-limit]

show aaa local user [lockout]

Pls note that PROD interface is in lower security level-

DVCI-UTS-FW-5520(config)# sh nameif

Interface Name Security

GigabitEthernet0/0 PROD 5

GigabitEthernet0/1 INSIDE 10

DVCI-UTS-FW-5520(config)# sh ver

Cisco Adaptive Security Appliance Software Version 8.3(1)

Device Manager Version 6.3(1)

Compiled on Thu 04-Mar-10 16:56 by builders

System image file is "disk0:/asa831-k8.bin"

Config file at boot was "startup-config"

Can someone through some light what is wrong i am doing?

Thnx

Govind

Problem with "aaa authentication match" command configuration

Richard Burts — Mon, 06 Feb 2012 13:16:14 GMT

Govind

Can you post the output of show access-list access-list01

HTH

Rick

Problem with "aaa authentication match" command configuration

Julius Thor Bess Rikhardsson — Thu, 15 Mar 2012 11:28:49 GMT

Hello,

You have another line in your config that reads:

aaa authentication include xxxxx

You can not use both "aaa authentication include" and "aaa authentication match" as they cannot coexist in the config.

From Cisco Site:

"To enable authorization for traffic that is specified by an access list, use the aaa authorization match command. You cannot use the match command in the same configuration as the include and exclude commands. We suggest that you use the match command instead of the include and exclude commands; the include and exclude commands are not supported by ASDM."

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1537397

topic Problem with "aaa authentication match" command configuration in Network Security

Problem with "aaa authentication match" command configuration

Problem with "aaa authentication match" command configuration

Problem with "aaa authentication match" command configuration