03-15-2013 03:04 PM - edited 03-10-2019 08:12 PM
Hello -
I have a pair of ASA 5520 firewalls running in active/standby mode on 8.3.2.34 code. My configuration performs authentication/authorization against ACS 5.1; however, command authorization is failing when I try to execute a command on the standby from the active unit...
failover exec standby dir disk0:/
Fallback authorization. Username 'adminuser' not in LOCAL database
Command authorization failed
I don't even see the authentication attempt going into ACS. Any ideas?
Thanks!
Darren
03-18-2013 12:32 AM
Darren,
This bug looks like it is resolved in version 8.4(1), here is a bug that matches your symptom:
http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?caller=pluginredirector&method=fetchBugDetails&bugId=CSCti22636
"failover exec standby" TACACS+ authorization failure
Symptom: Currently the Standby ASA uses the "enable_1" username for authorization requests when the "failover exec standby" command is run on the Active ASA in a failover pair. This leads to authorization failures on the TACACS+ server unless the "enable_1" user is created there and privilege 15 is granted to this user.
Conditions: This is a limitation of all software releases where the "failover exec standby" feature is implemented.
Workaround:
- create a user account "enable_1" on the TACACS+ server with any random password;
- grant "privilege = 15" and full access on all commands to this user.
Thanks,
Tarik Admani
*Please rate helpful posts*
03-15-2013 03:05 PM
Here's my AAA configuration:
aaa authentication ssh console TACACS LOCAL
aaa authentication http console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authorization command TACACS LOCAL
aaa accounting ssh console TACACS
aaa accounting enable console TACACS
aaa accounting command TACACS
aaa authorization exec authentication-server
05-15-2020 06:48 AM
If you're running the REST API on your firewall, this fix exposes the API and will not allow upstream TACACS auth on the API due to the local enable_1 user.
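The workaround in the accepted answer leaves a privilege-15 TACACS+ account, enable_1, that the firewalls authenticate with, and the comment above notes that the same account also reaches the REST API. Below is an added example, not from this thread or from Cisco, of how a defender might review TACACS+ accounting records for that account. It is written in Python; the pipe-separated record format, the field names, the failover-pair addresses and the sample records are all constructed here and are not a real ASA or ACS export format. It flags any enable_1 activity that comes from a device other than the two failover units, and any enable_1 activity that uses a service other than the CLI shell (for example HTTP/REST), since the only legitimate use of the account is command authorization triggered by "failover exec standby".

```python
from dataclasses import dataclass
from typing import List

# Account created on the TACACS+ server per the bug workaround (from the thread).
WORKAROUND_USER = "enable_1"

# Management addresses of the active and standby ASA units: constructed placeholders.
FAILOVER_PEERS = {"192.0.2.10", "192.0.2.11"}


@dataclass(frozen=True)
class AcctRecord:
    """One TACACS+ accounting record in the constructed format used here."""
    ts: str        # timestamp as written in the record
    user: str      # authenticated username
    nas_ip: str    # device that sent the accounting record
    service: str   # "shell" = CLI command accounting; anything else (e.g. "http") is ASDM/REST
    cmd: str       # command or request that was accounted


@dataclass(frozen=True)
class Finding:
    record: AcctRecord
    reason: str    # "unexpected-source" or "non-shell-service"


def parse_records(text: str) -> List[AcctRecord]:
    """Parse constructed 'ts|user|nas_ip|service|cmd' lines; blank and '#' lines are skipped."""
    records: List[AcctRecord] = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        # Split at most 4 times so a '|' inside the command field survives intact.
        parts = line.split("|", 4)
        if len(parts) != 5:
            raise ValueError(f"malformed accounting record: {line!r}")
        records.append(AcctRecord(*parts))
    return records


def audit_enable_1(text: str) -> List[Finding]:
    """Return findings for enable_1 usage outside its one legitimate pattern.

    Legitimate: a 'shell' record sent by one of the two failover units
    (the standby authorizing a 'failover exec standby' command).
    Flagged:    any other source device, or any non-shell service such as HTTP/REST.
    """
    findings: List[Finding] = []
    for rec in parse_records(text):
        if rec.user != WORKAROUND_USER:
            continue
        if rec.nas_ip not in FAILOVER_PEERS:
            findings.append(Finding(rec, "unexpected-source"))
        if rec.service != "shell":
            findings.append(Finding(rec, "non-shell-service"))
    return findings


# Constructed sample records: one expected use, two that should be flagged, one unrelated user.
SAMPLE_LOG = """\
# ts|user|nas_ip|service|cmd   (constructed format, not an ACS export)
2013-03-18T00:32:00|enable_1|192.0.2.11|shell|dir disk0:/
2013-03-18T00:33:10|adminuser|192.0.2.10|shell|show failover
2013-03-18T00:35:42|enable_1|198.51.100.7|shell|show running-config
2013-03-18T00:40:05|enable_1|192.0.2.10|http|GET /api/<resource-placeholder>
"""


if __name__ == "__main__":
    for f in audit_enable_1(SAMPLE_LOG):
        r = f.record
        print(f"{r.ts} {f.reason}: user={r.user} nas={r.nas_ip} service={r.service} cmd={r.cmd}")
```

Run as-is, the script reports the third and fourth sample records (enable_1 from an address that is not one of the failover units, and enable_1 over HTTP) and stays silent on the expected standby command authorization. Replace FAILOVER_PEERS and the parser with your own addresses and your server's actual export format before using it on real accounting data.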