TACACS+ SSH authentication to ASA Fo problem

Dear,

I manage an ASA 5540 Active/Failover pair. SSH authentication is done through TACACS+ to ACS 4.2 located in the same VLAN as the inside interface of the firewalls. I have added both firewalls to the ACS using their inside interface IP addresses (using the active and standby addresses). I can successfully authenticate and log in to the Active ASA without any problem. But on the standby ASA, I get the SSH prompt but I cannot log in. When I look at the failed attempts log under the ACS, I see "Unknown NAS" listed for the standby ASA. How can I solve this problem?

best regards,

Abebe Amare

Network Engineer, VivaCell

Accepted Solutions
Cisco Employee

Re: TACACS+ SSH authentication to ASA Fo problem

Hi Abebe,

On the secondary ASA, please check the following:

sh failover    ---> and make sure the secondary is in standby ready and not failed.

sh aaa-server    ----> check the output and see if the ASA has marked the tacacs server as "UP" and exchange of packets.

Enable the following debugs and run a test authentication as mentioned:

debug aaa authentication

debug tacacs

debug ssh

test aaa-server authentication host   username "insert name" password "insert password"

Provide me the debugs after taking out your username so that I can analyze them.

Cheers,

Rudresh V

Beginner

Re: TACACS+ SSH authentication to ASA Fo problem

Dear Rudresh,

When I do a sh aaa-server, I get the following:

ASA-01# sh aaa-server
Server Group:    ACS
Server Protocol: tacacs+
Server Address:  192.168.x.xx
Server port:     49
Server status:   ACTIVE, Last transaction at unknown
Number of pending requests              0
Average round trip time                 0ms
Number of authentication requests       0
Number of authorization requests        0
Number of accounting requests           0
Number of retransmissions               0
Number of accepts                       0
Number of rejects                       0
Number of challenges                    0
Number of malformed responses           0
Number of bad authenticators            0
Number of timeouts                      0
Number of unrecognized responses        0

This made me double-check the configuration. I define the same ACS server twice with different names and protocols (once for RADIUS to authenticate VPN sessions and the other for TACACS+ to authenticate device access). So it turned out I had put the wrong server name under ssh authentication.

Thanks for pointing me in the right direction and I give you full marks.

best regards,

Abebe Amare
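A small check for the misconfiguration found in this thread, added here as an example and not taken from the posts: it parses an ASA running-config excerpt (a constructed sample with two aaa-server groups pointing at the same ACS box) and reports any `aaa authentication ... console` line whose server group is missing or is not a TACACS+ group. The `aaa-server`/`aaa authentication` keywords are standard ASA syntax; the group names and the host IP are made up.

```python
import re

# Constructed ASA running-config excerpt (not from the original thread). It
# reproduces the mistake described above: the same ACS host is defined as a
# RADIUS group for VPN users and as a TACACS+ group for device administration,
# and SSH console authentication is accidentally bound to the RADIUS group.
SAMPLE_CONFIG = """\
aaa-server ACS-VPN protocol radius
aaa-server ACS-VPN (inside) host 192.168.0.10
 key *****
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.168.0.10
 key *****
aaa authentication ssh console ACS-VPN LOCAL
aaa authentication enable console ACS LOCAL
"""

# "aaa-server <group> protocol <radius|tacacs+|...>" defines a server group.
GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)\s*$")
# "aaa authentication <ssh|enable|http|serial|telnet> console <group> [LOCAL]"
CONSOLE_RE = re.compile(r"^aaa authentication (\S+) console (\S+)(?: LOCAL)?\s*$")


def check_console_auth(config: str, expected_protocol: str = "tacacs+") -> list:
    """Return (access_type, group, problem) tuples for every console
    authentication line whose server group is undefined or does not use
    expected_protocol. An empty list means device-admin AAA is wired to the
    intended group."""
    groups = {}
    for line in config.splitlines():
        m = GROUP_RE.match(line)
        if m:
            groups[m.group(1)] = m.group(2)

    findings = []
    for line in config.splitlines():
        m = CONSOLE_RE.match(line)
        if not m:
            continue
        access, group = m.group(1), m.group(2)
        if group == "LOCAL":          # "aaa authentication ssh console LOCAL"
            continue
        proto = groups.get(group)
        if proto is None:
            findings.append((access, group, "server group not defined"))
        elif proto != expected_protocol:
            findings.append((access, group, f"group uses {proto}, expected {expected_protocol}"))
    return findings


if __name__ == "__main__":
    for access, group, problem in check_console_auth(SAMPLE_CONFIG):
        print(f"{access} console -> {group}: {problem}")
```

Run it against `show running-config | include ^aaa` output from both failover peers; a group that shows all-zero counters and "Last transaction at unknown" in `show aaa-server`, as in the output above, is a strong hint that nothing is actually referencing it.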