02-16-2021 10:23 AM
We recently moved from RADIUS (Windows NPS server) to TACACS (Cisco ISE) for our Cisco ASAs' authentication. We removed all RADIUS-related config from the ASA, and right now we only have TACACS configured, as shown below.
For some reason we are still able to access the firewalls using the RADIUS credentials!!! I don't know how that is working. I ran a debug aaa authentication and debug radius, accessed the firewalls using RADIUS credentials, and did not get any logs at all. I did the same thing using TACACS credentials, and I was able to see the logs from the debug command. I don't understand if there is some kind of bug or if I am missing something obvious here. Any advice? Thank you in advance!!
aaa-server isetacacs protocol tacacs+
aaa-server isetacacs (mgmt) host 192.168.1.1
aaa-server isetacacs (mgmt) host 192.168.1.2
aaa authentication serial console LOCAL
aaa authentication ssh console isetacacs LOCAL
aaa authentication http console isetacacs LOCAL
aaa authorization exec authentication-server auto-enable
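As an added example (not from the thread or from Cisco), here is a small audit over the exact ASA lines posted above: it maps each management service (serial, ssh, http) to its authentication chain and lists every path by which a login could succeed outside the expected protocol, such as a leftover server group of another protocol, a group with no hosts, or LOCAL fallback. Regex shapes and the `tacacs+` expectation are assumptions about this config excerpt; the audit can only report what the config references, not which identity store a server group ultimately consults.

```python
"""Audit the AAA authentication chains in a Cisco ASA configuration excerpt."""
import re

# The ASA lines quoted in the post above, embedded here as the sample input.
ASA_CONFIG = """\
aaa-server isetacacs protocol tacacs+
aaa-server isetacacs (mgmt) host 192.168.1.1
aaa-server isetacacs (mgmt) host 192.168.1.2
aaa authentication serial console LOCAL
aaa authentication ssh console isetacacs LOCAL
aaa authentication http console isetacacs LOCAL
aaa authorization exec authentication-server auto-enable
"""

# Assumed line shapes for the three statement types the audit cares about.
GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)$")
AUTH_RE = re.compile(r"^aaa authentication (\S+) console (.+)$")

def parse_aaa(config):
    """Return (group -> protocol, group -> host list, service -> method chain)."""
    groups, hosts, chains = {}, {}, {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := GROUP_RE.match(line):
            groups[m.group(1)] = m.group(2)
        elif m := HOST_RE.match(line):
            hosts.setdefault(m.group(1), []).append(m.group(3))
        elif m := AUTH_RE.match(line):
            chains[m.group(1)] = m.group(2).split()
    return groups, hosts, chains

def audit(config, expected="tacacs+"):
    """List every path by which a management login could succeed outside `expected`."""
    groups, hosts, chains = parse_aaa(config)
    findings = []
    for name, proto in groups.items():
        if proto != expected:
            findings.append(f"group {name} uses {proto}, not {expected}")
        if not hosts.get(name):
            findings.append(f"group {name} defines no hosts")
    for service, chain in chains.items():
        for i, method in enumerate(chain):
            if method == "LOCAL":
                # ASA tries LOCAL after a server group only when that group is unreachable.
                why = "only method" if i == 0 else f"fallback if {chain[i - 1]} is unreachable"
                findings.append(f"{service}: LOCAL accepted ({why})")
            elif method not in groups:
                findings.append(f"{service}: undefined server group {method}")
    return findings
```

Run against the posted config it reports only the LOCAL paths; pointing it at the full running-config instead of this excerpt is how you confirm no other server group remains.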
02-17-2021 02:40 AM - edited 02-17-2021 02:48 AM
Hi,
Were you also able to see these on the ISE live logs when you log in? What can you see?
I mean, are the TACACS credentials also working?
02-17-2021 09:42 AM - edited 02-17-2021 10:10 AM
TACACS credentials are also working; I am able to see the TACACS logs in both the ASA (debug aaa authentication) and ISE.
Not able to see RADIUS logs anywhere, even though it is working!!!
(The RADIUS server is running on a Domain Controller as NPS, not ISE.)