
AAA authentication issue

rcsco2011
Level 1

Dear All

I am running an ASA5520 security appliance and have trouble logging in to this device.

We have used 2 ACS servers, for example xxx.xxx.xxx.xxx and yyy.yyy.yyy.yyy.

First priority is xxx.xxx.xxx.xxx, and yyy.yyy.yyy.yyy is the backup.

Recently we removed the xxx.xxx.xxx.xxx ACS server and are running only the yyy.yyy.yyy.yyy server for authentication,

but after removing the primary ACS server, I cannot log in to the ASA.

The real configuration is as below:

aaa-server TACACS_NETWORK protocol tacacs+
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host xxx.xxx.xxx.xxx
 key xxxxxxxx
aaa-server ACS (inside) host yyy.yyy.yyy.yyy
 key yyyyyyyy
aaa authentication telnet console ACS LOCAL
aaa authentication http console ACS LOCAL
aaa authentication ssh console ACS LOCAL
aaa authentication enable console ACS LOCAL
aaa local authentication attempts max-fail 3

I think that my account should be authenticated using the secondary ACS server yyy.yyy.yyy.yyy,

but it failed.

Could somebody help me fix this issue, or, if password recovery is necessary, could you please summarize the brief steps?

Thank you

2 Replies

kcnajaf
Level 7

Hi,

Are you seeing any logs on the ACS? Which version of ACS are you using?

Also verify that the ASA has been added as an AAA client on the secondary ACS box.

Also, if you have console access to the ASA, you can verify AAA authentication with the command below.

test aaa-server authentication ACS username xxxx password xxxx

Regards

Najaf

Please rate when applicable or helpful!

maldehne
Cisco Employee

First of all, verify that your ASA is failing over to the secondary server upon no response from the primary.

You can run tacacs+ debugs while trying to authenticate.

Also, you need to check the ACS logs to verify whether there is any attempt from your ASA.

Sometimes, if you forgot to add your ASA as an AAA client, you might see messages indicating a bad request from an Unknown NAS; this should give you a powerful indicator that you need to add the ASA as an AAA client. Sometimes there might be an issue with the shared key, so you have to make sure that the shared key for your ASA on the secondary is the same.

-------------------------------------------------------------------------------

Please make sure to rate correct answers
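To turn the checks suggested in both replies into something repeatable, here is an added Python script (not from the thread, and not a Cisco tool) that parses an ASA aaa-server group like the one posted and audits it against an inventory of the ACS servers still in service. The addresses, shared keys and the `live_acs` inventory are constructed placeholders; the audit flags a decommissioned host still listed in the group, an ASA that is not registered as an AAA client, and a shared-key mismatch.

```python
import re
from dataclasses import dataclass, field

# Constructed sample modelled on the config in the thread; addresses and keys are placeholders.
ASA_CONFIG = """\
aaa-server TACACS_NETWORK protocol tacacs+
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.0.2.10
 key primary-secret
aaa-server ACS (inside) host 192.0.2.20
 key backup-secret
aaa authentication ssh console ACS LOCAL
aaa authentication enable console ACS LOCAL
"""

@dataclass
class Group:
    protocol: str = ""
    hosts: list = field(default_factory=list)   # [ip, key] pairs in configured (priority) order

def parse_aaa_servers(config):
    """Return {group_name: Group} from the aaa-server lines, preserving host order."""
    groups, last = {}, None
    for line in config.splitlines():
        if m := re.match(r"aaa-server (\S+) protocol (\S+)", line):
            groups.setdefault(m[1], Group()).protocol = m[2]
        elif m := re.match(r"aaa-server (\S+) \(\S+\) host (\S+)", line):
            groups.setdefault(m[1], Group()).hosts.append([m[2], None])
            last = m[1]
        elif (m := re.match(r"\s+key (\S+)", line)) and last:
            groups[last].hosts[-1][1] = m[1]      # a key line belongs to the host line above it
    return groups

def console_groups(config):
    """Map each console service (ssh, http, enable, ...) to its method list, e.g. ['ACS', 'LOCAL']."""
    return {m[1]: m[2].split() for m in re.finditer(r"aaa authentication (\S+) console (.+)", config)}

def audit(config, live_acs):
    """live_acs: {ip: key the ACS holds for this ASA as an AAA client, or None if the ASA is
    not added as a client}. Decommissioned servers are simply absent. Returns findings per service."""
    groups, findings = parse_aaa_servers(config), []
    for service, methods in console_groups(config).items():
        group = groups.get(methods[0])
        if group is None:
            findings.append(f"{service}: server group {methods[0]} is not defined")
            continue
        for ip, key in group.hosts:
            if ip not in live_acs:      # ASA waits for this host to time out before trying the next one
                findings.append(f"{service}: {ip} is decommissioned but still in group {methods[0]}")
            elif live_acs[ip] is None:  # ACS logs such requests as coming from an Unknown NAS
                findings.append(f"{service}: ASA not registered as AAA client on {ip}")
            elif live_acs[ip] != key:
                findings.append(f"{service}: shared key for {ip} differs from the ACS client entry")
        if not any(ip in live_acs for ip, _ in group.hosts):
            findings.append(f"{service}: no live server left in {methods[0]}; only {methods[1:]} remain")
    return findings
```

Run `audit(ASA_CONFIG, {"192.0.2.20": "backup-secret"})` to reproduce the thread's situation: the primary is gone but still listed in the group, so every console service gets a finding telling you to remove it.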