
Problem with TACACS+ using ASA5545, ACS 5.4

deanlee10 (Level 1)

I am trying to access an ASA 5545 using TACACS+.  I have the ASA configured as follows:

aaa-server tacacs+ protocol tacacs+
aaa-server tacacs+ (inside) host 10.x.x.x
 timeout 15
 key *****
user-identity default-domain LOCAL
aaa authentication enable console LOCAL
aaa authentication telnet console tacacs+ LOCAL
aaa authentication ssh console tacacs+ LOCAL
aaa authentication http console tacacs+ LOCAL
aaa authorization command tacacs+ LOCAL
aaa authorization exec authentication-server

I have added the ASA in ACS with the correct IP and the correct key.

When I try to test the authentication via test aaa-server authentication tacacs+ host 10.x.x.x username cisco password cisco, I get:

ERROR: Authentication Server not responding: No error.

Any ideas on how to fix this issue and allow tacacs authentication when logging into the ASA?
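A way to check the TACACS+ server independently of the ASA's test aaa-server command, as an added example that is not part of the original post or of any Cisco tool. It builds the first packet of a TACACS+ ASCII login (an authentication START, RFC 8907), applies the protocol's MD5 pseudo-pad body obfuscation with the shared key, and parses the server's REPLY; a small simulated REPLY is constructed inline so the encoding round-trips offline, and probe() sends the same START to a live server on TCP/49. The shared key, session id, port and rem_addr values are placeholders, and the mapping of an enable check to service ENABLE with priv_lvl 15 is an assumption about what the ASA sends, not something verified on the device. The security-relevant point it makes concrete: the body is only XORed with an MD5 keystream derived from the key, so a mismatched key does not produce a clean error at either end; the server gets an undecodable body and the client usually sees a timeout, which looks the same as an unreachable server.

```python
"""Minimal TACACS+ (RFC 8907) authentication START builder, REPLY parser and TCP probe.
Added example: not the original poster's code and not a Cisco tool. All key/host/port
values below are constructed placeholders."""
import hashlib
import os
import socket
import struct

# Header fields (RFC 8907 section 4.1): version, type, seq_no, flags, session_id, length
HEADER = struct.Struct("!BBBBII")
TAC_PLUS_VERSION_ASCII = 0xC0       # major 0xc, minor 0 (used for ASCII login)
TAC_PLUS_AUTHEN = 0x01              # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01    # body sent in the clear; never set this in production

# Authentication START body fields (section 5.1)
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01
TAC_PLUS_AUTHEN_SVC_ENABLE = 0x02   # assumed pairing with priv_lvl 15 for an enable check

# REPLY status codes (section 5.2)
REPLY_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                5: "GETPASS", 6: "RESTART", 7: "ERROR", 0x21: "FOLLOW"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """MD5-chained pseudo-pad (section 4.5). This is an XOR keystream, not
    authenticated encryption: it hides the body but does not protect its integrity."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call de-obfuscates."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(username, key, session_id=None, service=TAC_PLUS_AUTHEN_SVC_LOGIN,
                       priv_lvl=1, port=b"ssh", rem_addr=b"192.0.2.10"):
    """First client packet of an ASCII login (seq_no 1). The password is not sent
    here; the server asks for it with a GETPASS reply."""
    if session_id is None:
        session_id = struct.unpack("!I", os.urandom(4))[0]
    user, data = username.encode(), b""
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       service, len(user), len(port), len(rem_addr), len(data))
    body += user + port + rem_addr + data
    header = HEADER.pack(TAC_PLUS_VERSION_ASCII, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION_ASCII, 1)


def build_authen_reply(session_id, key, seq_no, status, server_msg=b"", data=b""):
    """Server-side REPLY (section 5.2); used here only to simulate the server offline."""
    body = struct.pack("!BBHH", status, 0, len(server_msg), len(data)) + server_msg + data
    header = HEADER.pack(TAC_PLUS_VERSION_ASCII, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION_ASCII, seq_no)


def parse_reply(packet, key):
    """Decode a REPLY. With the wrong shared key the de-obfuscated body is garbage,
    which is why a key mismatch normally surfaces as a timeout, not a clean error."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    body = packet[HEADER.size:HEADER.size + length]
    if ptype != TAC_PLUS_AUTHEN or len(body) != length:
        raise ValueError("not a complete TACACS+ authentication packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    status, _rflags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if status not in REPLY_STATUS or 6 + msg_len + data_len != len(body):
        raise ValueError("undecodable REPLY body: shared key mismatch?")
    return {"seq_no": seq_no, "session_id": session_id, "status": REPLY_STATUS[status],
            "server_msg": body[6:6 + msg_len].decode(errors="replace"),
            "data": body[6 + msg_len:6 + msg_len + data_len]}


def probe(host, username, key, port=49, timeout=5.0):
    """Send one START to a live server and return its parsed first REPLY.
    A reachable server with a matching key should answer GETPASS."""
    with socket.create_connection((host, port), timeout=timeout) as s, s.makefile("rb") as f:
        s.sendall(build_authen_start(username, key))
        head = f.read(HEADER.size)
        if len(head) != HEADER.size:
            raise ConnectionError("server closed the session without a REPLY")
        body = f.read(HEADER.unpack(head)[5])
        return parse_reply(head + body, key)
```

Run probe("10.x.x.x", "cisco", b"<shared key>") from a host that can reach the ACS on TCP/49: a connection refused or timeout before any REPLY points at reachability or the AAA client entry on ACS, while a ValueError from parse_reply after a REPLY arrives points at the shared key.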

21 Replies

Jatin,

The 'aaa authentication enable console tacacs+ LOCAL' is currently on the device.  I had it on the old command when I was still having problems even accessing the device via tacacs/ssh.  Based on the failure code in the previous reply, it seems like ACS is having trouble communicating with the ASA when it needs to authenticate the enable password - it's as if when you enter the password on the ASA, it's not getting all the way to the ACS to authenticate.  Is this just an error between the ACS version and the ASA software version?

I actually recreated this with ACS 5.4 and ASA 8.4(5) and it's working fine.

ciscoasa# sh run aaa
aaa authentication telnet console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa accounting command privilege 15 TACACS

from policy elements

Jatin Katyal


- Do rate helpful posts -

~Jatin

I also have the max privilege for the shell profile set to static/15.  The ASA I am running has 9.1(1).  Maybe there is a bug in the code?

Hmm... you must have already checked, but make sure we are hitting the right authorization rule in the access policy.

from access-policy

Jatin Katyal

Jatin,

I don't know why this is the case, but when the ACS admin created my account, instead of creating a new account, he duplicated his account.  For some reason this made it so I couldn't enable using my tacacs.  He deleted my account and created it from scratch.  This fixed the issue.

Thanks for bringing this to CSC.

Jatin Katyal

Hi Dean,

It is really a long time after this post, but I am stuck with the same issue you were facing. All of my outputs are the same as yours.

You got the TACACS authentication working, so can you guide me on how you did that?

Thank you,

Sathvik