Integrating ASA with ACS

rkandasa1
Level 1

Hi All,

I am trying to integrate ASA (8.6) with ACS (5.7). Below is the ASA configuration:


sh run | in aaa
aaa-server RADIUS protocol radius
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (management) host 10.243.14.24
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa accounting ssh console TACACS+
aaa accounting command privilege 15 TACACS+
aaa accounting telnet console TACACS+
aaa authorization exec authentication-server
aaa authorization command TACACS+ LOCAL

The issue is that I can get logged into the ASA, but I can't type any commands in the CLI; I am getting the error "command authorization failed".

I have the same command sets and shell profiles created for switches, and it works perfectly there.

Below is the behaviour from the ACS logs:

1. Once I am authenticated I can see the logs in ACS with my user ID.
2. But when I type any commands, my authorization fails, and I can see in the ACS authorization logs that the username is "enable_15".

Can someone help me identify what the issue is?

Thanks,
Rajkumar

Accepted Solution

Jatin Katyal
Cisco Employee

This happens when we have command authorization enabled on the ASA and try to run any level-15 command on the ASA. In order to fix this issue you have to check enable authentication of a user against the ACS/TACACS:


aaa authentication enable console TACACS+ LOCAL

After issuing the above command, the ASA will start checking the enable password against ACS/TACACS, and you need to use the TACACS enable password, which we can set per user.

~ Jatin



Hi Jatin/All,

I need to configure a secondary TACACS server. I tried it, but it was unsuccessful, and I logged into the device and reconfigured it back to the previous setup using ASDM.

This is my current configuration. May I know how we can configure a secondary ACS server for authentication? Basically, when the primary goes down, I want my authentication requests to go to the secondary ACS server.

GBMAFW01# sh running-config | in aaa
aaa-server RADIUS protocol radius
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (management) host 10.243.14.24
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting ssh console TACACS+
aaa accounting command privilege 15 TACACS+
aaa accounting telnet console TACACS+
aaa authorization exec authentication-server

Could you get me the "show run aaa-server" output, please?

~ Jatin

Hi Jatin,

GBMAFW01# show run aaa-server
aaa-server RADIUS protocol radius
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (management) host 10.240.14.24
 key *****
aaa-server TACACS+ (management) host 10.243.14.24
 key *****

If you want to specify the method (reactivation policy) by which failed servers in a group are reactivated, enter the following command:

hostname(config-aaa-server-group)# reactivation-mode depletion timed

Here the depletion keyword reactivates failed servers only after all of the servers in the group are inactive, and the timed keyword reactivates failed servers after 30 seconds of down time.

~ Jatin
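The two gaps discussed in this thread (command authorization without enable authentication, and a single-host TACACS+ server group with no secondary) can be checked automatically against "show run | in aaa" output. The following audit script is an added example, not code from the thread or from Cisco; the sample configs are constructed from the outputs pasted above, and the finding texts are this example's own wording.

```python
import re

# Constructed sample: the original poster's config before the accepted fix.
ASA_BEFORE = """\
aaa-server RADIUS protocol radius
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (management) host 10.243.14.24
aaa authentication ssh console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
"""

# Constructed sample: enable authentication added and a second ACS host present.
ASA_AFTER = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (management) host 10.240.14.24
aaa-server TACACS+ (management) host 10.243.14.24
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
"""

def audit_asa_aaa(config: str) -> list[str]:
    """Return a list of findings for 'show run | in aaa' style output."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []

    # Gap 1: command authorization is on but the enable step is not
    # authenticated against TACACS+. As the thread shows, the ASA then
    # sends authorization requests as 'enable_15' rather than the
    # logged-in user, and ACS rejects every command.
    cmd_authz = any(ln.startswith("aaa authorization command ") for ln in lines)
    enable_auth = any(ln.startswith("aaa authentication enable console ") for ln in lines)
    if cmd_authz and not enable_auth:
        findings.append("command authorization enabled without 'aaa authentication "
                        "enable console': level-15 commands run as user 'enable_15'")

    # Gap 2: a server group referenced by authentication/authorization lines
    # but backed by a single host has no fallback when that ACS is unreachable.
    groups = []
    for ln in lines:
        m = re.match(r"aaa-server (\S+) protocol ", ln)
        if m:
            groups.append(m.group(1))
    for group in groups:
        host_re = rf"aaa-server {re.escape(group)} \(\S+\) host "
        hosts = [ln for ln in lines if re.match(host_re, ln)]
        in_use = any(re.match(r"aaa (authentication|authorization) ", ln)
                     and group in ln.split() for ln in lines)
        if in_use and len(hosts) < 2:
            findings.append(f"server group {group} is used for AAA but has "
                            f"only {len(hosts)} host(s); add a secondary")
    return findings
```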