TACACS+ SSH authentication to ASA Fo problem

cisabucho
Level 1

Dear,

I manage an ASA 5540 Active/Failover pair. SSH authentication is done through TACACS+ to ACS 4.2 located in the same VLAN as the inside interface of the firewalls. I have added both firewalls onto the ACS using their inside interface IP addresses (using the active and standby addresses). I can successfully authenticate and log in to the Active ASA without any problem. But on the standby ASA, I get the SSH prompt but I cannot log in. When I look at the failed-attempts log on the ACS, I see "Unknown NAS" listed for the standby ASA. How can I solve this problem?

best regards,

Abebe Amare

Network Engineer, VivaCell

Accepted Solution

Rudresh Veerappaji
Cisco Employee

Hi Abebe,

On the secondary ASA, please check the following:

sh failover    ---> and make sure the secondary is in "Standby Ready" and not "Failed".

sh aaa-server    ----> check the output and see whether the ASA has marked the TACACS+ server as "ACTIVE" and whether packets have actually been exchanged with it.

Enable the following debugs and run a test authentication as shown:

debug aaa authentication

debug tacacs

debug ssh

test aaa-server authentication host   username "insert name" password "insert password"

Provide me the debugs after taking out your username so that I can analyze them.

Cheers,

Rudresh V




Dear Rudresh,

When I do a sh aaa-server I got the following:

ASA-01# sh aaa-server
Server Group:    ACS
Server Protocol: tacacs+
Server Address:  192.168.x.xx
Server port:     49
Server status:   ACTIVE, Last transaction at unknown
Number of pending requests              0
Average round trip time                 0ms
Number of authentication requests       0
Number of authorization requests        0
Number of accounting requests           0
Number of retransmissions               0
Number of accepts                       0
Number of rejects                       0
Number of challenges                    0
Number of malformed responses           0
Number of bad authenticators            0
Number of timeouts                      0
Number of unrecognized responses        0

This made me double-check the configuration. I had defined the same ACS server twice with different names and protocols (once for RADIUS to authenticate VPN sessions and once for TACACS+ to authenticate device access). So it turned out I had put the wrong server name under SSH authentication.

Thanks for pointing me in the right direction; I give you full marks.

best regards,

Abebe Amare
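The root cause in this thread (an `aaa authentication ssh console` line naming the wrong server group when the same ACS host is defined twice with different protocols) and the first symptom Rudresh's checklist surfaces (a group marked ACTIVE in `show aaa-server` that has never sent a single authentication request) are both easy to catch offline from saved config and show output. The script below is an added example, not something posted in the thread or shipped by Cisco; it assumes a hypothetical two-group configuration (`ACS-RADIUS` for VPN, `ACS` for device access) and a constructed `show aaa-server` excerpt modelled on the one Abebe pasted. It cross-references the SSH console authentication line against the `aaa-server ... protocol ...` definitions and flags any group that is ACTIVE but unused.

```python
"""Offline sanity check for ASA device-access AAA configuration (added example).

Given running-config text and "show aaa-server" output, report whether the
server group named under "aaa authentication ssh console" exists, which
protocol it speaks, and whether that group has ever exchanged a packet.
"""
import re

# Constructed sample modelled on the thread: the same ACS host is defined twice,
# once as a RADIUS group for VPN and once as a TACACS+ group for device access.
# The ssh line mistakenly names the RADIUS group (the thread's root cause).
# Group names and addresses are hypothetical.
SAMPLE_CONFIG = """\
aaa-server ACS-RADIUS protocol radius
aaa-server ACS-RADIUS (inside) host 192.168.1.10
 key *****
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.168.1.10
 key *****
aaa authentication ssh console ACS-RADIUS LOCAL
aaa authentication http console ACS LOCAL
"""

# Constructed "show aaa-server" excerpt for the TACACS+ group: marked ACTIVE
# but with no authentication requests ever sent, as in the thread.
SAMPLE_SHOW_AAA = """\
Server Group:    ACS
Server Protocol: tacacs+
Server Address:  192.168.1.10
Server port:     49
Server status:   ACTIVE, Last transaction at unknown
Number of pending requests              0
Average round trip time                 0ms
Number of authentication requests       0
Number of authorization requests        0
Number of accounting requests           0
Number of retransmissions               0
Number of accepts                       0
Number of rejects                       0
Number of timeouts                      0
"""

GROUP_RE = re.compile(r"^aaa-server\s+(\S+)\s+protocol\s+(\S+)", re.M)
SSH_AUTH_RE = re.compile(r"^aaa authentication ssh console\s+(\S+)", re.M)


def parse_server_groups(config):
    """Map group name -> protocol from 'aaa-server <name> protocol <proto>' lines."""
    return {name: proto for name, proto in GROUP_RE.findall(config)}


def ssh_auth_group(config):
    """Server group named under 'aaa authentication ssh console', or None if
    SSH authentication is unconfigured or uses only the LOCAL database."""
    m = SSH_AUTH_RE.search(config)
    if not m or m.group(1) == "LOCAL":
        return None
    return m.group(1)


def check_ssh_auth(config, expected_protocol="tacacs+"):
    """Return (ok, message): does SSH auth point at an existing group of the
    expected protocol? A group of the wrong protocol is the thread's mistake."""
    groups = parse_server_groups(config)
    group = ssh_auth_group(config)
    if group is None:
        return False, "no AAA server group configured for ssh console authentication"
    if group not in groups:
        return False, f"ssh console references undefined server group {group!r}"
    proto = groups[group]
    if proto != expected_protocol:
        return False, (f"ssh console uses group {group!r} which speaks {proto}, "
                       f"expected {expected_protocol}")
    return True, f"ssh console authenticates via {group} ({proto})"


def parse_show_aaa_server(text):
    """Parse 'show aaa-server' output into one dict per server entry."""
    entries, cur = [], None
    for line in text.splitlines():
        if line.startswith("Server Group:"):
            cur = {"group": line.split(":", 1)[1].strip()}
            entries.append(cur)
        elif cur is None:
            continue
        elif line.startswith("Server Protocol:"):
            cur["protocol"] = line.split(":", 1)[1].strip()
        elif line.startswith("Server status:"):
            cur["status"] = line.split(":", 1)[1].strip().split(",")[0]
        else:
            m = re.match(r"Number of (.+?)\s{2,}(\d+)$", line)
            if m:
                cur[m.group(1)] = int(m.group(2))
    return entries


def idle_groups(text):
    """Groups that are ACTIVE yet have never sent an authentication request,
    i.e. nothing on the ASA actually uses them (the symptom seen in the thread)."""
    return [e["group"] for e in parse_show_aaa_server(text)
            if e.get("status") == "ACTIVE" and e.get("authentication requests", 0) == 0]


if __name__ == "__main__":
    ok, msg = check_ssh_auth(SAMPLE_CONFIG)
    print("OK  " if ok else "FAIL", msg)
    print("groups ACTIVE but never used:", idle_groups(SAMPLE_SHOW_AAA))
```

Run it against `show running-config` and `show aaa-server` captured from the standby unit itself, not the active one: the check confirms the group name and protocol, but only `test aaa-server authentication <group> host <ip> username <user> password <pass>` executed on the standby proves that the ACS accepts requests sourced from the standby's own address, which is what an "Unknown NAS" entry on the ACS side is reporting.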
