ASA 5520 Failover Exec AAA Authorization Failed

Darren Roback
Level 5

Hello -

I have a pair of ASA 5520 firewalls running in active/standby mode on 8.3.2.34 code. My configuration performs authentication/authorization into ACS 5.1; however, command authorization is failing when I try to execute a command on the standby from the active unit...

failover exec standby dir disk0:/

Fallback authorization. Username 'adminuser' not in LOCAL database

Command authorization failed

I don't even see the authentication attempt going into ACS. Any ideas?

Thanks!

Darren

Accepted Solution

Darren,

This bug looks like it is resolved in version 8.4(1); here is a bug that matches your symptom:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?caller=pluginredirector&method=fetchBugDetails&bugId=CSCti22636

"failover exec standby" TACACS+ authorization failure
Symptom:

Currently Standby ASA uses "enable_1" username for authorization requests when "failover exec standby" command is run on the Active ASA in failover pair. This leads to authorization failures on TACACS+ server unless the "enable_1" user is created there and privilege 15 is granted to this user.

Conditions:

This is a limitation of all software releases where the "failover exec standby" feature is implemented.

Workaround:

The workaround is:
- create a user account "enable_1" on TACACS+ server with any random password;
- grant "privilege = 15" and full access on all commands to this user.

Thanks,

Tarik Admani
*Please rate helpful posts*


3 Replies

Darren Roback
Level 5

Here's my AAA configuration:

aaa authentication ssh console TACACS LOCAL
aaa authentication http console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authorization command TACACS LOCAL
aaa accounting ssh console TACACS
aaa accounting enable console TACACS
aaa accounting command TACACS
aaa authorization exec authentication-server
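The accepted workaround creates a privilege-15 account called "enable_1" on the TACACS+ server with a random password and full command access, so that the standby ASA's authorization requests succeed. That account is a shared, fully privileged credential that is only ever expected in authorization requests coming from the two ASAs, and because the configuration above sends command accounting to TACACS (aaa accounting command TACACS), the server's records are the place to watch it. The script below is an added example, not code from this thread or from Cisco: it parses a constructed, simplified key=value log format (real ACS, ISE or tac_plus logs use their own field names and separators, so the regex is the part to adapt) and flags any use of enable_1 from a NAS address outside the failover pair, or any authentication (login) attempt with that account at all. The pair's addresses 10.0.0.1 and 10.0.0.2 are assumed values for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Management addresses of the two ASAs in the failover pair (assumed values).
ASA_PAIR = {"10.0.0.1", "10.0.0.2"}
# The account the CSCti22636 workaround creates on the TACACS+ server.
SHARED_ACCOUNT = "enable_1"

# Constructed sample records in a simplified key=value layout; a real
# TACACS+ server emits a different format, so adjust LINE_RE accordingly.
SAMPLE_LOG = """\
2011-03-01 10:00:01 type=authorization user=adminuser nas=10.0.0.1 cmd="show version" result=PASS
2011-03-01 10:00:05 type=authorization user=enable_1 nas=10.0.0.2 cmd="dir disk0:/" result=PASS
2011-03-01 10:00:09 type=authorization user=enable_1 nas=10.0.0.2 cmd="show running-config" result=PASS
2011-03-01 10:01:12 type=authentication user=enable_1 nas=192.168.50.7 result=PASS
2011-03-01 10:01:15 type=authorization user=enable_1 nas=192.168.50.7 cmd="configure terminal" result=PASS
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) type=(?P<type>\w+) user=(?P<user>\S+) nas=(?P<nas>\S+)'
    r'(?: cmd="(?P<cmd>[^"]*)")? result=(?P<result>\w+)$'
)


@dataclass
class Record:
    ts: str
    kind: str          # "authentication" or "authorization"
    user: str
    nas: str           # address of the device that sent the request
    cmd: Optional[str]  # only present on command-authorization records
    result: str


def parse(text: str) -> List[Record]:
    """Parse the constructed log format, skipping blank or malformed lines."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        records.append(Record(m["ts"], m["type"], m["user"], m["nas"],
                              m["cmd"], m["result"]))
    return records


def audit(records: List[Record]) -> List[Tuple[str, Record]]:
    """Flag uses of the shared account that the workaround does not explain."""
    findings = []
    for r in records:
        if r.user != SHARED_ACCOUNT:
            continue
        # The bug only makes the standby ASA send enable_1 in authorization
        # requests, so the account should never appear from any other NAS...
        if r.nas not in ASA_PAIR:
            findings.append(("outside-asa-pair", r))
        # ...and should never be used to log in anywhere.
        if r.kind == "authentication":
            findings.append(("interactive-login", r))
    return findings


def shared_account_commands(records: List[Record]) -> List[str]:
    """Commands the ASAs authorized as enable_1: the expected, benign usage."""
    return [r.cmd for r in records
            if r.user == SHARED_ACCOUNT and r.nas in ASA_PAIR and r.cmd]


if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    for reason, rec in audit(recs):
        print(f"{rec.ts} {reason}: user={rec.user} nas={rec.nas} cmd={rec.cmd!r}")
    print("commands run via failover exec:", shared_account_commands(recs))
```

Run as a script it reports the two records from 192.168.50.7 (one of them twice, once as a login and once as an out-of-pair authorization) and lists the two commands the standby ASA legitimately authorized as enable_1. The same split is what a scheduled job or SIEM rule needs: expected traffic is authorization-only and from the pair's addresses; anything else is a use of the shared privileged account worth investigating.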


If you're running the REST API on your firewall, this fix exposes the API and will not allow upstream TACACS auth on the API due to the local enable_1 user.