11-13-2015 08:19 PM - edited 03-10-2019 11:14 PM
Hello Experts,
I have posted another discussion regarding the same issue; unfortunately I am still looking for a response.
I am now not able to find my old post here :-( . Please find below the problem we are facing, again.
1) Our ASA 5525 (configured in Active/Passive mode) has not been authenticating through TACACS (ACS) credentials for 2 days; earlier it was working fine. It seems the logical connectivity between the ASA and ACS broke. We suspect some routing issue on the ASA or a wrong policy implemented accidentally by a team member.
2) We are able to log into the ASA with the local password, but the ASA is not allowing us to run any command. We get the message "Command Authorization failed" on execution of any CLI command.
Overall, we are not able to check for any routing issue or wrong policy on the ASA.
The ACS-related configuration on the ASA is as follows (taken from the backup configuration we have).
aaa-server ACS (Inside) host 10.25.10.21
 key Cisco123
aaa-server ACS (Inside) host 10.25.10.22
 key Cisco123
user-identity default-domain LOCAL
aaa authentication enable console ACS LOCAL
aaa authentication http console ACS LOCAL
aaa authentication ssh console ACS LOCAL
aaa authorization command ACS
aaa accounting enable console ACS
aaa accounting ssh console ACS
aaa accounting command ACS
username admin12 password uupWMcdZZWi0G encrypted privilege 15
Kindly please share the way forward to solve the issue.
Regards
****
11-13-2015 09:18 PM
Please reply.
11-19-2015 07:11 AM
So your problem is the "aaa authorization command ACS" line. I am 99% sure you have locked yourself out, because what this says is that all commands must be authorized by ACS and, if ACS is unreachable, fail. You needed the LOCAL keyword after it to fall back to using the privilege level if ACS is unreachable. At this point your only option is password recovery.
11-21-2015 09:45 PM
Not a good situation to be in :( I have a couple of questions:
1. Are you 100% sure the connection between ACS and your ASA is broken? For instance, do you see anything in the ACS logs when it comes to AAA and the ASA?
2. What version of ACS are you using?
3. In the future, you need to make sure that the local database can be used for authorization as well
aaa authorization command ACS LOCAL
Thank you for rating helpful posts!
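An added audit script, not from this thread or from Cisco, that parses an ASA config in the form posted above and flags the exact lockout condition the two replies describe: an "aaa authentication ... console" or "aaa authorization command" line that names a remote server group with no LOCAL fallback. The sample config is constructed to mirror the poster's lines; the pattern deliberately ignores "aaa accounting", which cannot lock anyone out.

```python
"""Audit an ASA running-config for AAA lines that can lock admins out.

Flags 'aaa authentication ... console <group>' and 'aaa authorization
command <group>' lines that name a remote server group with no LOCAL
fallback, and returns the corrected line for each finding.
"""
import re
from typing import Dict, List

# Constructed sample, modelled on the configuration posted in the thread.
SAMPLE_CONFIG = """\
aaa-server ACS (Inside) host 10.25.10.21
 key Cisco123
aaa authentication enable console ACS LOCAL
aaa authentication ssh console ACS LOCAL
aaa authorization command ACS
aaa accounting command ACS
"""

# Only the forms that gate admin access; 'aaa accounting' is not a gate.
AAA_GATE = re.compile(
    r"^aaa (?:authentication \S+ console|authorization command)"
    r" (?P<group>\S+)(?P<fallback> LOCAL)?$"
)


def find_lockout_risks(config: str) -> List[Dict[str, str]]:
    """Return one finding per gating aaa line that has no LOCAL fallback."""
    findings = []
    for raw in config.splitlines():
        line = raw.strip()
        m = AAA_GATE.match(line)
        if not m or m.group("group") == "LOCAL" or m.group("fallback"):
            continue  # purely local, or already falls back to LOCAL
        findings.append({"line": line, "group": m.group("group"),
                         "fix": f"{line} LOCAL"})
    return findings


def add_local_fallback(config: str) -> str:
    """Return the config with LOCAL appended to every flagged line."""
    fixes = {f["line"]: f["fix"] for f in find_lockout_risks(config)}
    return "\n".join(fixes.get(l.strip(), l) for l in config.splitlines())


if __name__ == "__main__":
    for f in find_lockout_risks(SAMPLE_CONFIG):
        print(f"LOCKOUT RISK: {f['line']!r} -> use {f['fix']!r}")
```

Run it against a saved backup before pushing AAA changes; a non-empty result means an ACS outage will leave you exactly where the original poster is.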
11-22-2015 03:52 AM
Hi,
1. Check yourself with the "test aaa group" command and confirm you are getting the authentication log in ACS.
2. In that case, configure command authorization on ACS for any particular user and give him privilege 15.
3. In command authorization, at least add the "no aaa authorization command ACS" command to the permitted set, then try to remove the command and proceed further.
04-19-2017 12:10 AM
I suspect your ACS is not in sync.