10-28-2013 01:32 AM - edited 03-10-2019 09:02 PM
All, I'm facing a very strange issue with my TACACS authentication. Normally I connect to my DC via SSL AnyConnect VPN and then access all the network devices, but since last week, when I try to connect to the ASA, I couldn't log in. I have a username in the ACS server and the password authentication would redirect to the RSA server. I can access other devices using my TACACS username and RSA passcode, but not the ASA box. As the rest of my team members can still access the ASA with their user ID and passcode, I don't think there is any issue in the ASA box.
The error log message in the ACS server is "ACS user unknown".
10-28-2013 01:50 AM
If the rest of your team can access the VPN via the same ASA and ACS, then yes, it could be an issue with the user account itself.
Can you locate your account on the ACS? Please verify.
What ACS/TACACS server are you using?
If you have your account there, then please try deleting it and adding it again.
~BR
Jatin Katyal
**Do rate helpful posts**
10-28-2013 02:15 AM
Hello Jatin,
Yes, I can see my username and it's mapped to the correct group as well. I can even access other devices in the DC with the same username and RSA passcode. I'm facing the issue only with this ASA box. If there were some issue in the ASA, then other team members couldn't access it, but they can.
When I see the failed authentication log in ACS, it shows "ACS user unknown" and the group is default.
10-28-2013 02:16 AM
I don't have any issue connecting to the VPN. SSL VPN is configured in that ASA only. The VPN is connected, but I couldn't SSH to the ASA.
10-28-2013 02:47 AM
So you can use the same username and passcode for the rest of the network devices while connected through the VPN, and when you SSH to your ASA, it prompts you for username / passcode and then shows authentication failed. On the ACS, when you check the failed attempts, you see "ACS username unknown" and the group appears as default.
~BR
Jatin Katyal
**Do rate helpful posts**
10-28-2013 02:52 AM
Yes exactly.
FYI, SSL is configured in that ASA only; I don't have any issue connecting to the VPN, I'm facing the issue only with the management traffic. The rest of my team members can access the ASA box with their username and passcode; they are also in the same group.
NOTE: ACS version is Cisco ACS 4.2
10-28-2013 02:56 AM
Weird... for testing purposes, can you add a new user account to the same group and check? If that works, try to delete your user account from ACS and re-add it for testing purposes.
~BR
Jatin Katyal
**Do rate helpful posts**
10-28-2013 03:00 AM
I need to access ACS via SSL VPN with the TACACS credentials; if I delete and re-configure it, will it break the VPN connection?
10-28-2013 03:13 AM
Jatin,
I did what you said. I created a new user ID, selected password authentication against the ACS internal database and manually assigned a password. When I tried to connect via SSL it was successful, and I can also access all other devices with the new username and static password, except that ASA.
10-28-2013 03:16 AM
Do you see the same error for the new user ID as well?
Please attach the show run from the ASA.
~BR
Jatin Katyal
**Do rate helpful posts**
10-28-2013 03:19 AM
Yes, same error.
I can't access that ASA to get the running config. I'm accessing it remotely.
10-28-2013 05:34 AM
To me it seems the shared secret being used on the ASA to communicate with TACACS is mismatched, and that's the reason you are getting "ACS user unknown". This should be a problem for all users who are trying to SSH to the ASA and authenticating against the TACACS server. Why the shared secret could be an issue: the shared secret used to encrypt the packet is not the same one used for decryption, and that's why we are seeing an unknown username.
~BR
Jatin Katyal
**Do rate helpful posts**
10-28-2013 05:40 AM
If that is the case, how come the rest of my team members can access the device? Can this type of issue affect a single user ID?
10-28-2013 06:28 AM
My reasoning is based on the last test we did with the new user. Other users also should not have access if the shared secret is mismatched. However, it would be worth looking at the shared secret on both sides, because "unknown user" only comes as an error:
1.] If we don't have the user created in the defined database.
2.] The shared secret is wrong, due to which ACS is looking up a different user.
~BR
Jatin Katyal
**Do rate helpful posts**
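To make Jatin's shared-secret explanation concrete, here is an added example that is not part of the thread and not Cisco code: it implements the TACACS+ body obfuscation from RFC 8907 (an MD5-chained pseudo-pad XORed over the packet body) and shows how a server that deobfuscates an authentication START with a different key than the client used reads a garbage username instead of the real one, which is how a key mismatch surfaces as "user unknown" on the server side. The session ID, keys, username and addresses are constructed values for the demonstration.

```python
import hashlib
import struct

# TACACS+ constants from RFC 8907
TAC_PLUS_VERSION = 0xC0          # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01           # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01     # action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
HEADER_LEN = 12                  # version, type, seq_no, flags, session_id, length


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """MD5-chained pseudo-pad (RFC 8907 section 4.5), truncated to the body length."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()  # each block hashes the previous block too
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the body with the pseudo-pad; the same call undoes it because XOR is symmetric."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start_body(username: str, port: str = "ssh", rem_addr: str = "10.0.0.5") -> bytes:
    """Cleartext body of an authentication START (login, ASCII, priv level 1, no data)."""
    user, port_b, rem, data = username.encode(), port.encode(), rem_addr.encode(), b""
    fixed = bytes([TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII, TAC_PLUS_AUTHEN_SVC_LOGIN,
                   len(user), len(port_b), len(rem), len(data)])
    return fixed + user + port_b + rem + data


def build_packet(clear_body: bytes, session_id: int, key: bytes, seq_no: int = 1) -> bytes:
    """What the client (the ASA) sends: header in clear, body obfuscated with ITS key."""
    body = obfuscate(clear_body, session_id, key, TAC_PLUS_VERSION, seq_no)
    flags = 0  # TAC_PLUS_UNENCRYPTED_FLAG clear: body is obfuscated
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, flags,
                         session_id, len(body))
    return header + body


def server_read_username(packet: bytes, server_key: bytes) -> bytes:
    """What the server (ACS) does: deobfuscate with ITS configured key and read the user field.
    With a mismatched key the length byte and the user bytes are effectively random."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    body = obfuscate(packet[HEADER_LEN:HEADER_LEN + length], session_id, server_key, version, seq_no)
    user_len = body[4]
    return body[8:8 + user_len]


def looks_like_valid_username(user: bytes) -> bool:
    """Defender-side sanity check: a real login name decodes as printable ASCII."""
    return len(user) > 0 and all(0x20 <= c < 0x7F for c in user)


# Constructed demo values (not from the thread)
SESSION_ID = 0x1A2B3C4D
CLIENT_KEY = b"asa-shared-secret"
SERVER_KEY_OK = b"asa-shared-secret"
SERVER_KEY_BAD = b"asa-shared-secrat"   # one-character typo on the server side
PACKET = build_packet(build_authen_start_body("jsmith"), SESSION_ID, CLIENT_KEY)

if __name__ == "__main__":
    print("matching key  ->", server_read_username(PACKET, SERVER_KEY_OK))
    print("mismatched key->", server_read_username(PACKET, SERVER_KEY_BAD))
```

Run it and the first line prints the real login name while the second prints unrelated bytes; a server that then looks that value up in its user database has nothing to match and falls through to its default group. Note that the same mismatch would affect every user authenticating through that client, which is exactly why the thread treats the per-user symptom as evidence against this theory while still recommending a check of the key on both sides.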