08-28-2007 07:25 AM - edited 03-10-2019 03:21 PM
One of our ASAs is having problems authenticating against our TACACS server. We can run the test authentication feature fine and the ASA can ping the server. However, when I try to authenticate I see this in the log:
4 Aug 28 2007 09:30:31 409023 Attempting AAA Fallback method LOCAL for Authentication request for user [someuser] : Auth-server group [acsserver] unreachable
On the ACS server I don't see any failed attempts in the logs. All of our other devices work fine, including a few other ASAs. The only difference with this guy is that it's running 8.0 software. I double-checked the shared key and it's okay (well, it should be fine since I can run the test fine). Any ideas?
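The 409023 message quoted above is the ASA telling you it has silently switched to the LOCAL user database because the TACACS+ group did not answer. Because a sustained run of these messages means every admin login is being checked against local credentials instead of the ACS, it is worth alerting on rather than discovering later by accident. The script below is an added example (not code from the original poster or from Cisco) that parses 409023 lines in both the ASDM-style format shown in this post and the standard syslog format (`%ASA-4-409023: ...`), counts fallbacks per server group, and raises an alert once a group exceeds a threshold. The sample log lines, the user names, the group name `vpnradius` and the threshold value are constructed for the example; the ASA log lines are the only thing taken from the thread. It also applies to the configuration posted later in the thread, where `aaa authentication telnet console my-group LOCAL` has the same fallback behaviour.

```python
import re
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Iterable, Optional

# Message body of ASA syslog 409023. The leading "409023" appears with a
# trailing ":" in raw syslog ("%ASA-4-409023: ...") and without one in the
# ASDM/log-viewer format quoted in the post ("... 09:30:31 409023 ...").
FALLBACK_RE = re.compile(
    r"409023:?\s+Attempting AAA Fallback method (?P<method>\S+) for "
    r"(?P<reqtype>\w+) request for user \[(?P<user>[^\]]*)\]\s*:\s*"
    r"Auth-server group \[(?P<group>[^\]]*)\] unreachable"
)


@dataclass
class FallbackEvent:
    method: str    # fallback method the ASA used, e.g. LOCAL
    reqtype: str   # Authentication / Authorization / Accounting
    user: str      # user named in the request
    group: str     # aaa-server group that was unreachable
    raw: str       # original log line


def parse_fallback(line: str) -> Optional[FallbackEvent]:
    """Return a FallbackEvent if the line is an ASA 409023 message, else None."""
    m = FALLBACK_RE.search(line)
    if not m:
        return None
    return FallbackEvent(m["method"], m["reqtype"], m["user"], m["group"], line.rstrip())


def summarize(lines: Iterable[str], threshold: int = 3) -> dict:
    """Count AAA fallbacks per server group and flag groups at or above threshold.

    threshold is an assumed tuning value: one fallback can be a transient
    timeout, a run of them means the group is effectively down and every
    login is being decided by the local database.
    """
    events = [e for e in map(parse_fallback, lines) if e is not None]
    per_group = Counter(e.group for e in events)
    users = defaultdict(set)
    for e in events:
        users[e.group].add(e.user)
    alerts = sorted(g for g, n in per_group.items() if n >= threshold)
    return {
        "events": events,
        "per_group": dict(per_group),
        "users": {g: sorted(u) for g, u in users.items()},
        "alerts": alerts,
    }


# Constructed sample log: the first line is the one quoted in the post, the
# rest are made up in the same two formats, plus one unrelated message that
# must be ignored (113015 is a real ASA message id, the user name is invented).
SAMPLE_LOG = [
    "4 Aug 28 2007 09:30:31 409023 Attempting AAA Fallback method LOCAL for "
    "Authentication request for user [someuser] : Auth-server group [acsserver] unreachable",
    "%ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication "
    "request for user [jack] : Auth-server group [acsserver] unreachable",
    "%ASA-4-409023: Attempting AAA Fallback method LOCAL for Authorization "
    "request for user [admin] : Auth-server group [acsserver] unreachable",
    "%ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication "
    "request for user [vpnuser] : Auth-server group [vpnradius] unreachable",
    "%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password "
    ": local database : user = jdoe",
]


if __name__ == "__main__":
    report = summarize(SAMPLE_LOG)
    for group, n in report["per_group"].items():
        print(f"{group}: {n} fallback(s), users {report['users'][group]}")
    for group in report["alerts"]:
        print(f"ALERT: group {group} unreachable, logins are being decided by LOCAL")
```

Feed it `show logging` output or the syslog file your collector writes for the ASA. A group that shows up in `alerts` while `test aaa-server` still succeeds, as in this thread, points at something that differs between the test path and the real login path (timeout, source interface, or a request type the server is not answering) rather than at a wrong key.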
08-28-2007 07:41 AM
Jack,
Do you see any hits on ACS passed attempts? Try increasing the TACACS timeout and see if that makes any difference.
Regards,
~JG
08-28-2007 08:29 AM
I took a look at those logs. I see the hits when I run the test authentication from the ASA (I'm logged in locally as fallback at the moment), but when I try to log in as normal with my AD creds I don't see any hits.
03-11-2008 08:38 AM
Could this be related to Cisco bug ID CSCsk08454?
There is supposedly a fix but I'm not having much luck implementing it myself...
03-12-2008 06:40 AM
Hi Jack,
I hope you solved the issue with AAA authorization in your ASA. I have a similar issue with my ASA.
I configured AAA authorization on the firewall but it works only for the local username/password. PIX version 7.2(2) and ACS-SE 4.1.
Here is my configuration:
XXX-PIX515(config)# sh run aaa-server
aaa-server VPN protocol radius
accounting-mode simultaneous
aaa-server VPN host 172.20.20.11
key XXX
aaa-server VPN host 172.20.20.12
key XXX
aaa-server my-group protocol tacacs+
aaa-server my-group host 172.20.20.11
key XXXX
aaa authentication telnet console my-group LOCAL
aaa authentication enable console my-group LOCAL
aaa authorization command my-group LOCAL
aaa accounting command privilege 15 my-group
Note: I also use RADIUS on the same ACS for my VPN access, and I added it as a RADIUS client with a different key. Moreover, I could not see any failed logs on ACS. It works fine with local authorization.
Can you tell me why I can't authenticate and authorize with the TACACS+ server?
Thanks in advance