cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2808
Views
0
Helpful
10
Replies

AAA and ASA issue

Hi Team

Once I configured the ASA AAA commands , hence I am not able to do any command including the show commands , And following message came once I accessed through serial through SSH..

 
Fallback authorization. Username 'enable_15' not in LOCAL database

 

For more information Following are AAA configuration in the ASA.   


aaa authentication enable console TACACS-SERVER LOCAL
aaa authentication http console TACACS-SERVER LOCAL
aaa authentication ssh console TACACS-SERVER LOCAL
aaa authorization command TACACS-SERVER LOCAL

 

 

 

10 REPLIES 10

Adeolu Owokade
Beginner
Beginner

Hi Mohammad,

It has to do with the command authorization you enabled.

Do you have any AAA server configured under the TACACS-SERVER server-group? It seems the ASA tries to contact the TACACS-SERVER for command authorization and it fails so it falls back to the LOCAL database.

Since you configured these commands after logging in via SSH, the ASA tries to perform command authorization for the "enable_15" username and it fails because there is no username like that in the LOCAL database.

Do you have access to the ASA via some other means? What kind of TACACS+ server are you using?

Dear Adeolu/Jatin

I have created the username enable_15 with privilege 15 in both contexts with no luck; I would thank you for your prompt response.

Since I  configured a couple of boxes in A/A mode ( CTX-1 active in the first ASA and standby in the second ASA, Then CTX-2 is Active in second ASA and standby in the first ASA)  I did following as troubleshooting and have doubt why IPs ( 10.32.0.1 and 10.32.0.12) are reachable but IPs( 10.32.0.2 and 10.32.0.11) are not reachable at all, even 10.32.0.11 is in active mode and this may occurring this issue.. For more information first box have no errors once I access the box through serial but the second box have the message of  once I accessed through serial...

 

(Fallback authorization. Username 'enable_15' not in LOCAL database)

Following are the troubleshooting done.

First box ( CTX-1) :

First-ASA-CONTEXT-1# show failover
Failover On
Last Failover at: 01:05:08 UTC Mar 12 2015
        This context: Active
                Active time: 9701 (sec)
                  Interface VLAN812-IN (10.32.0.1): Normal (Not-Monitored)

 

Peer context: Standby Ready
                Active time: 0 (sec)
                  Interface VLAN812-IN (10.32.0.2): Normal (Not-Monitored)

 

First-ASA-CONTEXT-1#sh run int po8.812

interface Port-channel8.812
 nameif VLAN812-IN
 security-level 100
 ip address 10.32.100.1 255.255.255.0 standby 10.32.100.2

 

First-ASA-CONTEXT-1 # sh ip add   
System IP Addresses:
Interface                             Name                   IP address      Subnet mask     Method
Port-channel8.812        VLAN812-IN             10.32.0.1     255.255.255.0   CONFIG

Current IP Addresses:
Interface                             Name                   IP address      Subnet mask     Method
Port-channel8.812        VLAN812-IN             10.32.0.1      255.255.255.0   CONFIG

________________________________________________________________

 

Second box,

 

Second- ASA( CTX-2)# show failover
Failover On
Last Failover at: 01:07:26 UTC Mar 12 2015
        This context: Standby Ready
                Active time: 137 (sec)
                  Interface VLAN812-IN (10.32.0.12): Normal (Not-Monitored)

        Peer context: Active
                Active time: 9657 (sec)
                  Interface VLAN812-IN (10.32.0.11): Normal (Not-Monitored)

 

Second- ASA( CTX-2)# sh run int po8.812

interface Port-channel8.812
 nameif VLAN812-IN
 security-level 100
 ip address 10.32.100.11 255.255.255.0 standby 10.32.100.12

 

Second- ASA( CTX-2)# sh ip add   
System IP Addresses:
Interface                             Name                   IP address      Subnet mask     Method
Port-channel8.812        VLAN812-IN             10.32.0.11      255.255.255.0   CONFIG

Current IP Addresses:
Interface                             Name                   IP address      Subnet mask     Method
Port-channel8.812        VLAN812-IN             10.32.0.12      255.255.255.0   CONFIG

 

 

 

Following are TACACS-SERVER  configuration in both boxes :

aaa-server 10.32.0.100 protocol tacacs+
aaa-server TACACS-SERVER protocol tacacs+
aaa-server TACACS-SERVER (VLAN812-IN) host 10.32.0.100

 key *****
user-identity default-domain LOCAL
aaa authentication enable console TACACS-SERVER LOCAL
aaa authentication http console TACACS-SERVER LOCAL
aaa authentication ssh console TACACS-SERVER LOCAL
aaa authorization command TACACS-SERVER LOCAL
aaa accounting command privilege 15 TACACS-SERVER
aaa accounting enable console TACACS-SERVER
aaa accounting ssh console TACACS-SERVER
aaa authorization exec authentication-server

 

Hi Mohammad,

Before dealing with AAA, can you check that your A/A failover configuration is correct? I see something about 10.32.100.X instead of 10.32.0.X in your configuration. Was this a posting error?

Please paste your failover configuration for the system context and the interface configuration for CTX1 and CTX2. You can remove any revealing information.

Hi Andrew,

 

Please find brief  attached for the failover configuration for both ASAs.

Hi Mohammad,

You are sharing interfaces between contexts so you should either have unique MAC addresses or a NAT configuration to help the ASA classify packets per contexts correctly. This link explains more: http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/contexts.html#wp1124172

What version of the ASA are you using? Starting from version 8.5(1), automatic MAC address generation is enabled. Check the MAC addresses on the interface just to be sure.

Hello Adeolu Owokade,

 

I am using the version 9.1, Shared interfaces are enabled and I am using the following command :

 

MAC-ADDRESS AUTO PREFIX 1

 

Since I am configuring this command under the System context , It will replicate to the other ASA but it could be the prefix issue, Is it ?

Hi Mohammad,

I replicated your configuration in a lab environment and I was able to ping all IP addresses, both active and standby.

Perhaps you should troubleshoot why you can't ping those addresses.

 appreciate your efforts Adelou,

I will do further troubleshooting on this case and keep you updated, But I have doubt may be because I created multiple pairs before this sub interface and this may a limitation, If you created more than two or three pairs other than the po8.812 , With different ips will other active and standby kept in reachable scenarios ?

 

 

 

 

Jatin Katyal
Cisco Employee
Cisco Employee

Do you have multiple context configured with command authorization?

It seems that authentication request is failing over to local database and unable to find "enable_15" user in it.  

The solution is to create a username called "enable_15" or use "login".

It's explained here

Regards,

Jatin

~Jatin

Jatin,

 

Can you chime in on another ticket something similar to this one?  Anyconnect Client Certificate from me.  I would like to hear your advisement on the subject.

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: