topic Re: Firewall AAA configuration in Network Security

Firewall AAA configuration

Steven Williams — Fri, 21 Feb 2020 16:39:14 GMT

Does the aaa commands/configuration copy to standby firewall? I can't seem to get to my secondary ASA.

Message Text	Failed-Attempt: Session Authorization encountered an error
Failure Reason	15020 Could not find selected Shell Profiles
Resolution	Add a shell profile to the result of the rule, or modify the rule condition so that this rule is not selected for session authorisation
Root Cause	Could not find selected Shell Profiles
Username	stevenwilliams

Re: Firewall AAA configuration

Sheraz.Salim — Fri, 11 Jan 2019 15:48:30 GMT

hmm..... they should be.

stupid question does your asa configured with active standby ip addresses?

Re: Firewall AAA configuration

Steven Williams — Fri, 11 Jan 2019 15:55:34 GMT

Yes they do. I can ping the standby and get a login prompt but nothing works, but the primary works fine and a wr standby doesnt seem to fix the issue.

Re: Firewall AAA configuration

Sheraz.Salim — Fri, 11 Jan 2019 16:50:03 GMT

What ASA code on it?

Re: Firewall AAA configuration

Steven Williams — Fri, 11 Jan 2019 18:56:47 GMT

9.6

Re: Firewall AAA configuration

Sheraz.Salim — Fri, 11 Jan 2019 18:58:55 GMT

curious does the ISE in network devices have a standby ip address of this ASA?

Re: Firewall AAA configuration

Steven Williams — Fri, 11 Jan 2019 21:15:47 GMT

Yes since thats how I grabbed that log I posted. Its from ISE.

Re: Firewall AAA configuration

Sheraz.Salim — Fri, 11 Jan 2019 21:24:09 GMT

Run 'test aaa-server authentication ' on the Standby unit and check what the reason for the failure is.
Enable 'debug aaa authentication' on the Standby unit and watch the output when you try to authenticate.

Re: Firewall AAA configuration

Steven Williams — Fri, 11 Jan 2019 21:25:19 GMT

don't have the ability till I can get someone onsite to console it for me. wont allow access via ssh or http.

Re: Firewall AAA configuration

Marvin Rhoads — Sun, 13 Jan 2019 05:17:28 GMT

ISE seems to indicate that the Authorization result is looking for an undefined shell profile.

Does the detail report from ISE Live logs shed any more light?

Re: Firewall AAA configuration

Marius Gunnerud — Sun, 13 Jan 2019 15:50:32 GMT

I agree with Marvin here that there is an issue with the ISE authorization profile configuration, however it is a bit strange that you are unable to access the secondary ASA via SSH or HTTPS. Have you tried to power-cycle the standby ASA?

Re: Firewall AAA configuration

Steven Williams — Mon, 14 Jan 2019 16:56:26 GMT

The ISE authorization profile is fine since it works on the primary ASA and uses the same auth profile. It just seems like the standby ASA didnt get the aaa commands on the wr standby.

Re: Firewall AAA configuration

Sheraz.Salim — Mon, 14 Jan 2019 17:04:53 GMT

I agree with @Steven Williams. As he done all from the active ASA to figure out what could be the issue.

thanks for the update.

Re: Firewall AAA configuration

Marius Gunnerud — Mon, 14 Jan 2019 17:11:10 GMT

You do know you can check the configuration on the standby ASA from the primary ASA, right?

for example you can issue the following command to se the AAA configuration on the standby

failover exec standby show run aaa

As long as failover is configured correctly I am having a hard time believing there is an issue with the configuration on the standby device. I am leaning towards either a process that is hanging on the standby which will be solved by rebooting the standby device, or an issue with configuration on ISE.