ACS user unknown though username in Server

nirmalkumar
Level 1

All, I'm facing a very strange issue with my TACACS authentication. Normally I connect to my DC via SSL AnyConnect VPN, then access all the network devices, but since last week, when I try to connect to the ASA, I can't log in. I have a user name in the ACS server and the password authentication would redirect to the RSA server. I can access other devices using my TACACS username and RSA passcode, but not the ASA box. As the rest of my team members can still access the ASA with their userid and passcode, I don't think there is any issue in the ASA box.

The error log message in the ACS server is "ACS user unknown".

13 Replies

Jatin Katyal
Cisco Employee

If the rest of your team can access the VPN via the same ASA and ACS, then yes, it could be an issue with the user account itself.

Can you locate your account on the ACS? Please verify.

What ACS/TACACS server are you using?

If you have your account there, then please try deleting and adding it again.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hello Jatin,

Yes, I can see my username and it is mapped to the correct group as well. I can even access other devices in the DC with the same username and RSA passcode. I'm facing the issue only with this ASA box. If there were some issue in the ASA then the other team members couldn't access it, but they can.

When I see the failed authentication log in ACS it shows "ACS user unknown" and the group is default.

I don't have any issue connecting to the VPN. SSL VPN is configured in that ASA only. The VPN is connected but I couldn't SSH to the ASA.

So you can use the same username and passcode for the rest of the network devices while connected through the VPN, and when you SSH to your ASA, it prompts you for username/passcode then shows authentication failed. On the ACS, when you check the failed attempts, you see "ACS username unknown" and the group appears as default.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Yes exactly.

FYI, SSL is configured in that ASA only; I don't have any issue connecting to the VPN, I'm facing the issue only with the management traffic. The rest of my team members can access the ASA box with their username and passcode; they are also in the same group.

NOTE: ACS version is Cisco ACS 4.2

Weird... For testing purposes, can you add a new user account to the same group and check? If that works, try to delete your user account from ACS and re-add it for testing purposes.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

I need to access ACS via SSL VPN with the TACACS credentials; if I delete and re-configure, will it break the VPN connection?

Jatin,

I did what you said. I created a new userid, selected password authentication for the ACS internal database and manually assigned a password. When I tried to connect via SSL it was successful, and I can also access all other devices with the new username and static password, except that ASA.

Do you see the same error for the new userid as well?

Please attach show run from the ASA.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Yes, same error.

I can't access that ASA to get the running config. I'm accessing that remotely.

To me it seems the shared secret being used on the ASA to communicate with TACACS is mismatched, and that's the reason you are getting "ACS user unknown". This should be a problem for all users who are trying to SSH to the ASA and authenticating against the TACACS server. Why the shared secret could be an issue: the shared secret used to encrypt the packet is not the same one used for decryption, and that's why we are seeing an unknown username.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

If that is the case, how come the rest of my team members can access the device? Can this type of issue affect a single userid?

My reasoning is based on the last test we did with the new user. Other users also should not have access if the shared secret is mismatched. However, it would be worth looking at the shared secret on both sides, because "unknown user" only comes as an error:

1.] If we don't have the user created in the defined database.

2.] The shared secret is wrong, due to which ACS is looking up a different user.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
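As an added example, not from this thread and not Cisco's or ACS's own code: a small Python model of the TACACS+ body obfuscation from RFC 8907 section 4.5. It shows why a shared-secret mismatch surfaces on the server as an unknown (garbage) username rather than as a clean "bad key" error, and why, as Jatin says, such a mismatch would hit every user behind that ASA rather than a single account. The session id, version byte, secrets, username and addresses are constructed sample values.

```python
import hashlib
import struct

# Constructed sample values (not from the thread): one TACACS+ session, the
# secret the device would be configured with, and the fixed fields of an
# authentication START packet (RFC 8907, sections 4.1 and 5.1).
SESSION_ID = 0x1A2B3C4D          # random per session in a real exchange
VERSION = 0xC0                   # major version 0xC, minor version 0
SEQ_NO = 1                       # START is the first packet of a session
CLIENT_KEY = b"constructed-asa-secret"


def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """RFC 8907 section 4.5: pad = MD5_1 || MD5_2 || ... truncated to `length`,
    MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body: bytes, session_id: int, key: bytes, version: int, seq_no: int) -> bytes:
    """XOR the packet body with the pseudo-pad. XOR is its own inverse, so the
    same call with the same key recovers the clear body; a different key yields
    a different pad and therefore unrelated bytes, with no integrity error."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user: bytes, port: bytes = b"ssh", rem_addr: bytes = b"192.0.2.10") -> bytes:
    """Authentication START body: action, priv_lvl, authen_type, authen_service,
    the four length bytes, then user, port, rem_addr and data."""
    action, priv_lvl = 0x01, 0x01              # TAC_PLUS_AUTHEN_LOGIN, privilege 1
    authen_type, service = 0x01, 0x01          # ASCII, LOGIN
    data = b""
    fixed = bytes([action, priv_lvl, authen_type, service,
                   len(user), len(port), len(rem_addr), len(data)])
    return fixed + user + port + rem_addr + data


def parse_username(body: bytes):
    """Read the user field the way a server would. Returns None when the length
    bytes do not fit the body, which is what usually happens to a body decoded
    under the wrong key; otherwise returns whatever bytes sit in the user slot."""
    if len(body) < 8:
        return None
    user_len = body[4]
    if 8 + user_len > len(body):
        return None
    return body[8:8 + user_len]


def server_sees(user: bytes, server_key: bytes):
    """Simulate one START packet sent by the device (CLIENT_KEY) and decoded by
    a server configured with `server_key`. Returns the username the server
    would try to look up in its database."""
    wire = obfuscate(build_authen_start(user), SESSION_ID, CLIENT_KEY, VERSION, SEQ_NO)
    return parse_username(obfuscate(wire, SESSION_ID, server_key, VERSION, SEQ_NO))


if __name__ == "__main__":
    # Matching secret: the server looks up the real account.
    print(server_sees(b"netadmin", CLIENT_KEY))
    # Mismatched secret: the server looks up garbage (or nothing at all), which
    # a TACACS+ server logs as an unknown user, for every account on that device.
    print(server_sees(b"netadmin", b"some-other-secret"))
```

Because the obfuscation has no integrity check, the server cannot tell a wrong key from a real unknown account; the distinguishing symptom is scope. A secret mismatch on one device produces unknown-user failures for everyone authenticating through it, so a failure confined to one account, while other accounts on the same device and the same secret succeed, points at the account or the server's user lookup rather than at the key.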