topic Re: HTTP authentication problem using Tacacs in Network Security

HTTP authentication problem using Tacacs

madhusudhan s — Mon, 11 Mar 2019 17:18:41 GMT

Hi All,

I want to use SSH and HTTP to get authentication through ACS server.

i am facing issue with only http authentication through ACS(Tacacs+).

when try to connect ASDM using tacacs+ authentication, the A/C gets locked in radius server.

At the same time SSh works fine

ACS is mapped with RADIUS.

I have attached the HTTP and SSh related config

======================

aaa-server Two-Factor protocol tacacs+
aaa-server Two-Factor (Layer-3) host Cisco-ACS key abcd

aaa authentication enable console LOCAL

aaa authentication http console Two-Factor
aaa authentication ssh console Two-Factor

ssh Vikram_Shetty 255.255.255.255 Layer-3

http Vikram_Shetty 255.255.255.255 Layer-3

========================================

Also attached the some troubleshooting output which i done, not sure if the method is correct.

I tried checking packet tracer and found the user PC with port http to acs ip on port http is getting droped due to ACL.

packet-tracer input layer-3 tcp 10.26.14.50 http 10.26.11.134 ht$

Phase: 1
Type: FLOW-LOOKUP
Subtype:
Result: ALLOW
Config:
Additional Information:
Found no matching flow, creating a new flow

Phase: 2
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   Layer-3_All     255.255.248.0   Layer-3

Phase: 3
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   Layer-3_All     255.255.248.0   Layer-3

Phase: 4
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Forward Flow based lookup yields rule:
in id=0x54d99b8, priority=111, domain=permit, deny=true
        hits=6077, user_data=0x0, cs_id=0x0, flags=0x4000, protocol=0
        src ip=0.0.0.0, mask=0.0.0.0, port=0
        dst ip=0.0.0.0, mask=0.0.0.0, port=0, dscp=0x0

Result:
input-interface: Layer-3
input-status: up
input-line-status: up
output-interface: Layer-3
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule

===========================================

to open ASDM https is being used.

Please let me know if i am not clear..need help to trace the root cause.

Regards

Amar

Re: HTTP authentication problem using Tacacs

Federico Coto Fajardo — Tue, 09 Mar 2010 20:18:06 GMT

Hi,

The result is clear according to Packet Tracer...

The connection is being denied by the ACL.

Troubleshooting step:

Check the ACL applied to the interface where you're coming from, and make sure that such traffic is being permitted.

Question: Is this traffic intended to the ASA itself or through the ASA?

Federico.

Re: HTTP authentication problem using Tacacs

Kureli Sankar — Tue, 09 Mar 2010 20:45:39 GMT

Does asdm access work without the ACS with just local credentials?

aaa authen http console LOCAL

username blah password blah priv 15

Give it a shot and let us know.

Also, post the output of "sh run http"

-KS

Re: HTTP authentication problem using Tacacs

madhusudhan s — Wed, 10 Mar 2010 04:08:22 GMT

Hi,

yes the http(asdm) work fine with local credential.

I have attached http configuration in first log.

Regards

Amar

Re: HTTP authentication problem using Tacacs

madhusudhan s — Wed, 10 Mar 2010 04:31:32 GMT

Hi,

Question: Is this traffic intended to the ASA itself or through the ASA ?

Ans: Http allowed subnet are in one zone and the ACS/Radius in other zone.

Is what you are asking, I am not very clear with above query.. Pls elaborate..

regards

Amar

Re: HTTP authentication problem using Tacacs

Federico Coto Fajardo — Wed, 10 Mar 2010 16:27:17 GMT

I was asking if the http connection is directed to the ASA itself or thorugh the ASA (but seems that is to the ASA since you're attempting to access asdm.

Still seems that the outside ACL is blocking the traffic. Have you verified this?

On previous versions of ASA software, the ACL on an interface applied only to traffic passing through the ASA (not traffic directed to it), but now you can apply the ACL to both scenarios.

Also the output of the ''sh run http'' will let us know if you have any other restrictions.

Federico.