
Problem with TACACS+ using ASA5545, ACS 5.4

deanlee10
Level 1

I am trying to access an ASA 5545 using TACACS+.  I have the ASA configured as follows:

aaa-server tacacs+ protocol tacacs+
aaa-server tacacs+ (inside) host 10.x.x.x
 timeout 15
 key *****
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console tacacs+ LOCAL
aaa authentication ssh console tacacs+ LOCAL
aaa authentication http console tacacs+ LOCAL
aaa authorization command tacacs+ LOCAL
aaa authorization exec authentication-server

I have added the ASA in ACS with the correct IP and the correct key.

When I try to test the authentication via test aaa-server authentication tacacs+ host 10.x.x.x username cisco password cisco, I get:

ERROR: Authentication Server not responding: No error.

Any ideas on how to fix this issue and allow tacacs authentication when logging into the ASA?

Accepted Solution

Hmm... you must have already checked, but make sure we are hitting the right authorization rule in the access policy.

from access-policy

Jatin Katyal


- Do rate helpful posts -

~Jatin


21 Replies

Jatin Katyal
Cisco Employee

Could you please turn on the debugs:

debug tacacs
debug aaa authentication

Also, are you able to ping the server using the inside interface?

Provide show aaa-server output as well.

Jatin Katyal
- Do rate helpful posts -

~Jatin

Yes, can ping successfully.

ASA# ping 10.x.x.x
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.x.x.x, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

ASA# show aaa-server
Server Group:    LOCAL
Server Protocol: Local database
Server Address:  None
Server port:     None
Server status:   ACTIVE, Last transaction at 17:33:50 UTC Wed May 15 2013
Number of pending requests              0
Average round trip time                 0ms
Number of authentication requests       255
Number of authorization requests        39
Number of accounting requests           0
Number of retransmissions               0
Number of accepts                       274
Number of rejects                       20
Number of challenges                    0
Number of malformed responses           0
Number of bad authenticators            0
Number of timeouts                      0
Number of unrecognized responses        0

Server Group:    tacacs+
Server Protocol: tacacs+
Server Address:  10.x.x.x
Server port:     49
Server status:   FAILED, Server disabled at 17:33:30 UTC Wed May 15 2013
Number of pending requests              0
Average round trip time                 0ms
Number of authentication requests       10
Number of authorization requests        6
Number of accounting requests           0
Number of retransmissions               0
Number of accepts                       0
Number of rejects                       0
Number of challenges                    0
Number of malformed responses           0
Number of bad authenticators            0
Number of timeouts                      16
Number of unrecognized responses        0
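The show aaa-server output above is the most useful artifact in the thread: the tacacs+ group is FAILED with 16 timeouts and zero accepts, rejects or challenges, i.e. the ASA never received any reply at all, while the LOCAL group (which the ssh/telnet/http method lists fall back to) keeps answering. The following Python script is an added example, not from the thread or from Cisco; it parses this output format into per-group records and applies a few heuristics (FAILED status, timeouts with no reply, bad authenticators or malformed responses). The embedded sample is constructed from the counters posted above with a placeholder server address, and the "shared-key mismatch" hint for bad authenticators is a heuristic assumption, not something the thread establishes.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, abbreviated, mirroring the counters posted in the thread.
# 10.0.0.1 is a placeholder address, not a real server.
SAMPLE_SHOW_AAA_SERVER = """\
Server Group:    LOCAL
Server Protocol: Local database
Server Address:  None
Server port:    None
Server status:  ACTIVE, Last transaction at 17:33:50 UTC Wed May 15 2013
Number of authentication requests      255
Number of accepts                      274
Number of rejects                      20
Number of timeouts                     0
Server Group:    tacacs+
Server Protocol: tacacs+
Server Address:  10.0.0.1
Server port:    49
Server status:  FAILED, Server disabled at 17:33:30 UTC Wed May 15 2013
Average round trip time                0ms
Number of authentication requests      10
Number of authorization requests        6
Number of accepts                      0
Number of rejects                      0
Number of challenges                    0
Number of malformed responses          0
Number of bad authenticators            0
Number of timeouts                      16
"""


@dataclass
class AaaServer:
    group: str
    fields: dict = field(default_factory=dict)    # protocol, address, port
    status: str = ""                              # ACTIVE or FAILED
    status_detail: str = ""                       # text after the comma
    counters: dict = field(default_factory=dict)  # e.g. "timeouts" -> 16

    def counter(self, name):
        return self.counters.get(name, 0)


def parse_show_aaa_server(text):
    """Return one AaaServer per 'Server Group:' block, in output order."""
    servers, cur = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if m := re.match(r"Server Group:\s*(\S+)", line):
            cur = AaaServer(group=m.group(1))
            servers.append(cur)
        elif cur is None:
            continue                                  # text before the first group
        elif m := re.match(r"Server status:\s*([A-Z]+)(?:,\s*(.*))?", line):
            cur.status, cur.status_detail = m.group(1), m.group(2) or ""
        elif m := re.match(r"Number of (.+?)\s+(\d+)$", line):
            cur.counters[m.group(1)] = int(m.group(2))
        elif m := re.match(r"Average round trip time\s+(\d+)ms", line):
            cur.counters["avg rtt ms"] = int(m.group(1))
        elif m := re.match(r"Server (\w+):\s*(.*)", line):
            cur.fields[m.group(1).lower()] = m.group(2).strip()
    return servers


def diagnose(server):
    """Heuristic findings for one group; an empty list means nothing to report."""
    findings = []
    if server.fields.get("protocol", "").lower().startswith("local"):
        return findings                               # local database has no network path
    where = f"{server.fields.get('address')}:{server.fields.get('port')}"
    if server.status != "ACTIVE":
        findings.append(f"{server.group}: marked {server.status} ({server.status_detail})")
    answered = sum(server.counter(c) for c in ("accepts", "rejects", "challenges"))
    if server.counter("timeouts") and not answered:
        findings.append(f"{server.group}: {server.counter('timeouts')} timeouts, no reply ever "
                        f"received from {where}; check reachability, shared key and the "
                        "AAA client entry on the server")
    if server.counter("bad authenticators") or server.counter("malformed responses"):
        # Heuristic: replies arrived but could not be validated.
        findings.append(f"{server.group}: replies from {where} failed validation; "
                        "likely shared-key mismatch")
    return findings


def report(text):
    """Map group name -> findings for every group that has any."""
    out = {}
    for server in parse_show_aaa_server(text):
        findings = diagnose(server)
        if findings:
            out[server.group] = findings
    return out
```

Feed it the real output with `report(open("aaa.txt").read())`; for the sample it reports only the tacacs+ group, with the FAILED status and the timeouts-without-reply finding. A group that is FAILED in this way means every method list of the form "tacacs+ LOCAL" is silently being served by the local database, which is why the local credentials kept working in the thread.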

Can we check the debugs as well?

Do add the following changes:

aaa-server tacacs+ protocol tacacs+
no aaa-server tacacs+ (inside) host 10.x.x.x
aaa-server tacacs+ (inside) host 10.x.x.x
reactivation-mode timed
exit

Jatin Katyal

- Do rate helpful posts -

~Jatin

There is no output when I turn debugging on.

I entered the commands you recommended.  No change.

Hi Dean

Can you run the following command:

#term mon

then take debugs and share the output.

Regards

Minakshi (do rate the helpful posts)

Hello,

I was able to get the tacacs working; however, now I am unable to enter the privilege level.  My tacacs account is privilege level 15.  Also, now my local username/password does not work to get into the device.  Any way to get back in and also to solve the "enable" issue?

Hi Dean,

   Check in the passed authentication, which shell profile is being used by the user and push default privilege 15 under ACS 5.4.

It should work.

Regards

Minakshi (Do rate the helpful posts)

In order to access the security appliance you have to type enable followed by the enable password, unlike IOS devices, where you can land directly in privileged exec mode. Now, if your local credentials are not working, then my question would be: is your tacacs still up and running? If yes, then it would always hit the tacacs in the very first place and get failed. It will never check the local database. In order to test that, tacacs should not be accessible.

Jatin Katyal

- Do rate helpful posts -

~Jatin

Tacacs server is up and running.  Verified local credentials still work when tacacs is disabled.

What kind of problems could I be running into where I can login to the device via tacacs, but cannot enable to privilege exec mode using the same tacacs password?

You will not be able to access the device and execute the commands from privilege exec mode. Why would you not be able to access using the enable password if it's configured to be used as the PAP password on tacacs 4.2?

Jatin Katyal


- Do rate helpful posts -

~Jatin

I think there is a miscommunication:

The goal is for me to be able to ssh into the device using my tacacs credentials, which I can do. 

I then want to be able to type "enable" and be prompted for my tacacs password, which I would then enter to access privilege exec mode. This is the part I am having problems with.  I am currently unable to enter privilege exec mode with my tacacs password.  If this is not possible, then that's fine, I can access it with the local password, but I am looking for help to be able to accomplish this.

What tacacs server are you using? If ACS 4.x, check reports and activity... you must be getting "enable privilege is too low" (most probable error). After that you can go inside the user/group setup and set the enable privilege to 15 under the tacacs+ settings.

Jatin Katyal


- Do rate helpful posts -

~Jatin

As stated in the title, I am using ACS 5.4.

When I check the monitoring and reporting, I am getting the following error:

13031 TACACS+ authentication request missing user Password

Description:

The TACACS+ authentication request did not provide a user password

Resolution Steps:

The device is sending a TACACS+ authentication request that is missing information needed by ACS.  Check the device to verify it is working properly and has up-to-date software.

The device is working properly and has up-to-date software.

Dean, My bad I missed that part.

You would like to use the enable password the same as the tacacs password. However, the command you have in the ASA checks the enable password against the ASA's local enable password.

Can we replace this command

aaa authentication enable console LOCAL

with

aaa authentication enable console tacacs+ LOCAL

Let me know how it goes.

Jatin Katyal


- Do rate helpful posts -

~Jatin
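The accepted fix comes down to one inconsistent method list: every login service (ssh, telnet, http) was "tacacs+ LOCAL" while enable was "LOCAL" only, so the enable prompt never sent a password to ACS, which is exactly the 13031 "missing user Password" event Dean saw. The following Python script is an added example, not from the thread or from Cisco; it lints the aaa lines of an ASA config for that mismatch, for method lists that reference an undefined aaa-server group, and for lists with no LOCAL fallback (which lock the service out when the group is unreachable; earlier in the thread Jatin notes that LOCAL is only consulted when tacacs is not accessible). The BEFORE config is constructed from the thread's snippet with a placeholder host and redacted key, and AFTER applies the one-line change from the last post.

```python
import re

# Constructed from the thread's ASA snippet: placeholder host, key redacted.
BEFORE = """\
aaa-server tacacs+ protocol tacacs+
aaa-server tacacs+ (inside) host 10.0.0.1
 timeout 15
 key *****
aaa authentication enable console LOCAL
aaa authentication telnet console tacacs+ LOCAL
aaa authentication ssh console tacacs+ LOCAL
aaa authentication http console tacacs+ LOCAL
aaa authorization command tacacs+ LOCAL
aaa authorization exec authentication-server
"""

# The change proposed in the accepted answer.
AFTER = BEFORE.replace("aaa authentication enable console LOCAL",
                       "aaa authentication enable console tacacs+ LOCAL")


def parse_aaa(config):
    """Return (defined server groups, {service: [method, ...]}) from the aaa lines."""
    groups, auth = set(), {}
    for line in config.splitlines():
        line = line.strip()
        if m := re.match(r"aaa-server (\S+) protocol \S+$", line):
            groups.add(m.group(1))
        elif m := re.match(r"aaa authentication (\S+) console (.+)$", line):
            auth[m.group(1)] = m.group(2).split()
    return groups, auth


def lint_aaa(config):
    """Findings as plain strings; an empty list means the method lists are consistent."""
    groups, auth = parse_aaa(config)
    findings = []
    for service, methods in auth.items():
        for meth in methods:
            if meth != "LOCAL" and meth not in groups:
                findings.append(f"{service}: method {meth} is not a defined aaa-server group")
        if "LOCAL" not in methods:
            findings.append(f"{service}: no LOCAL fallback; lockout if {methods[0]} is unreachable")
    # Login goes to a server group but enable stays local: the enable prompt is
    # checked against the local enable password and nothing reaches the server.
    login = {svc: m for svc, m in auth.items() if svc != "enable"}
    enable = auth.get("enable")
    if enable is not None and login:
        server_backed = sorted(svc for svc, m in login.items()
                               if any(x != "LOCAL" for x in m))
        if server_backed and all(x == "LOCAL" for x in enable):
            findings.append("enable: checked against the local enable password only, while "
                            + ", ".join(server_backed) + " use a server group")
    return findings


if __name__ == "__main__":
    for label, cfg in (("before", BEFORE), ("after", AFTER)):
        print(label, lint_aaa(cfg) or "ok")
```

Run it against `show running-config aaa` output saved to a file; on the constructed BEFORE config it reports only the enable mismatch, and on AFTER it reports nothing. The no-LOCAL-fallback check is the one worth keeping in a pre-change review, since a method list of just "tacacs+" turns the FAILED state seen earlier in the thread into a lockout.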