ASA 'failover exec' issue with TACACS

PATRICK ROCH · ‎06-09-2017

Hi,

I have a setup with 2 ASA in failover (active/standby). We want to use the failover exec command. We have a Cisco ISE acting as a TACACS server. Within ISE we control from witch IP the connection come from.

When doin the failover exec command, the standby unit show that the command was initiated form the IP 0.0.0.0 . We do not feel good to put that IP in our ruleset.

Is their a workaround.

Thanks

Farhan Mohamed · ‎06-12-2017

The workaround is: - create a user account "enable_1" on TACACS+ server with any random password; - grant "privilege = 15" and full access on all commands to this user.

ASA 'failover exec' issue with TACACS

Firewall: ASA Failover，FTD HA の 'Negotiation' ステータスについて

ASA: 冗長機能と、Failoverのトリガー、Health Monitoringについて

ASA: Failover 構成時における ASA の Smart License の扱いについて

ISE - O que precisamos saber sobre TACACS+

ASA： aaa authorization exec authentication-server auto-enable 機能