05-15-2013 09:45 AM - edited 03-10-2019 08:26 PM
I am trying to access an ASA 5545 using TACACS+. I have the ASA configured as follows:
aaa-server tacacs+ protocol tacacs+
aaa-server tacacs+ (inside) host 10.x.x.x
timeout 15
key *****
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console tacacs+ LOCAL
aaa authentication ssh console tacacs+ LOCAL
aaa authentication http console tacacs+ LOCAL
aaa authorization command tacacs+ LOCAL
aaa authorization exec authentication-server
I have added the ASA in ACS with the correct IP and the correct key.
When I try to test the authentication via test aaa-server authentication tacacs+ host 10.x.x.x username cisco password cisco, I get:
ERROR: Authentication Server not responding: No error.
Any ideas on how to fix this issue and allow TACACS+ authentication when logging into the ASA?
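As an added example (not part of the thread), a small Python checker that lints an ASA aaa configuration of the kind pasted above before a TACACS+ cutover: it flags misspelled aaa subcommands, console methods that reference a server group with no matching aaa-server definition, console methods with no LOCAL fallback, and an enable method that never consults the TACACS+ group. The sample config is constructed from the post, with one line deliberately misspelled to exercise the check.

```python
import re

# Constructed sample modelled on the post; the "authenticaiton" line is
# deliberately misspelled so the checker has something to flag.
ASA_AAA_CONFIG = """\
aaa-server tacacs+ protocol tacacs+
aaa-server tacacs+ (inside) host 10.x.x.x
timeout 15
key *****
aaa authentication enable console LOCAL
aaa authentication telnet console tacacs+ LOCAL
aaa authentication ssh console tacacs+ LOCAL
aaa authenticaiton http console tacacs+ LOCAL
aaa authorization command tacacs+ LOCAL
aaa authorization exec authentication-server
"""

VALID_AAA_SUBCOMMANDS = {"authentication", "authorization", "accounting"}


def lint_asa_aaa(config: str) -> list[str]:
    """Return human-readable findings for an ASA 'show run aaa' style config."""
    findings = []
    # Collect the server groups actually defined with 'aaa-server <name> protocol ...'
    groups = set()
    for line in config.splitlines():
        m = re.match(r"aaa-server\s+(\S+)\s+protocol\s+\S+", line)
        if m:
            groups.add(m.group(1))
    for line in config.splitlines():
        parts = line.split()
        if len(parts) < 2 or parts[0] != "aaa":
            continue
        if parts[1] not in VALID_AAA_SUBCOMMANDS:
            findings.append(f"unknown aaa subcommand {parts[1]!r} in: {line}")
            continue
        # 'aaa authentication <service> console <method> [<method> ...]'
        if parts[1] == "authentication" and len(parts) >= 5 and parts[3] == "console":
            service, methods = parts[2], parts[4:]
            for name in methods:
                if name != "LOCAL" and name not in groups:
                    findings.append(f"{service} console references undefined server group {name!r}")
            if "LOCAL" not in methods:
                findings.append(f"{service} console has no LOCAL fallback; a TACACS+ outage locks out {service}")
            if service == "enable" and methods == ["LOCAL"]:
                findings.append("enable is authenticated against LOCAL only, never the TACACS+ group")
    return findings


if __name__ == "__main__":
    for finding in lint_asa_aaa(ASA_AAA_CONFIG):
        print(finding)
```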
05-17-2013 06:53 AM
Jatin,
The 'aaa authentication enable console tacacs+ LOCAL' is currently on the device. I had it on the old command when I was still having problems even accessing the device via tacacs/ssh. Based on the failure code in the previous reply, it seems like ACS is having trouble communicating with the ASA when it needs to authenticate the enable password - it's as if when you enter the password on the ASA, it's not getting all the way to the ACS to authenticate. Is this just an error between the ACS version and the ASA software version?
05-17-2013 07:10 AM
I actually recreated it with ACS 5.4 and ASA 8.4(5) and it's working fine.
ciscoasa# sh run aaa
aaa authentication telnet console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa accounting command privilege 15 TACACS
from policy elements
Jatin Katyal
- Do rate helpful posts -
05-17-2013 07:23 AM
I also have the max privilege for the shell profile set to static/15. The ASA I am running has 9.1(1). Maybe there is a bug in the code?
05-17-2013 07:33 AM
Hmm... you must have already checked, but make sure we are hitting the right authorization rule in the access policy.
from access-policy
Jatin Katyal
05-17-2013 08:55 AM
Jatin,
I don't know why this is the case, but when the ACS admin created my account, instead of creating a new account, he duplicated his account. For some reason this made it so I couldn't enable using my tacacs. He deleted my account and created it from scratch. This fixed the issue.
05-17-2013 09:38 AM
Thanks for bringing this to CSC.
Jatin Katyal
02-23-2017 12:34 PM
Hi Dean,
It is really a long time after this post, but I am stuck with the same issue you were facing. All of my outputs are the same as yours.
You got the TACACS authentication working, so can you guide me on how you did that?!
Thank you,
Sathvik