ASDM asks to re-login again & again

nitin.pant
Level 1

Hello Team,

We are migrating from ACS to ISE (2.7.0.356) using RSA for AAA (TACACS). When pointing authentication to ISE, we are having issues where we are able to initially log on to the ASAs using ASDM, but then we get asked for re-authentication, which fails. When we check the ISE logs we see the following, even though we have just used the same credentials.

When pointing auth to ACS everything is good.

This seems to be happening on firewalls which are running in multi-context mode; single mode is fine.

24560   Searching for user record in RSA identity store Passcode cache - RSA SecurID
24562   User record was not found in Passcode cache - RSA SecurID

NOTE: The re-login prompt pops up frequently only in ASDM; no re-login prompt is seen when connecting by SSH to the ASA CLI.

Below is our configuration:

mht-sec-fw-wut-01/admin/act/pri# sh run all ssh
no ssh stricthostkeycheck
ssh x.x.x.x x.x.x.x management
ssh x.x.x.x x.x.x.x management
ssh x.x.x.x x.x.x.x management
ssh x.x.x.x x.x.x.x 5 management
ssh x.x.x.x x.x.x.x management
ssh x.x.x.x x.x.x.x management
ssh timeout 60
ssh version 2
ssh cipher encryption medium
ssh cipher integrity high
ssh key-exchange group dh-group14-sha1
mht-sec-fw-wut-01/admin/act/pri# sh run all http
http server enable 443
http server idle-timeout 20
http server session-timeout 0
http x.x.x.x x.x.x.x management
http server basic-auth-client ASDM
http server basic-auth-client CSM
http server basic-auth-client REST API Agent
mht-sec-fw-wut-01/admin/act/pri# sh run all aaa
aaa authentication enable console CORP-ISE-Tacacs LOCAL
aaa authentication http console CORP-ISE-Tacacs LOCAL
aaa authentication serial console CORP-ISE-Tacacs LOCAL
aaa authentication ssh console CORP-ISE-Tacacs LOCAL
aaa accounting enable console Smart
aaa accounting serial console Smart
aaa accounting ssh console Smart
aaa accounting telnet console Smart
aaa accounting command privilege 15 Smart
aaa proxy-limit 16
no aaa authentication secure-http-client
no aaa local authentication attempts max-fail
aaa authorization exec authentication-server
aaa authentication login-history duration 90


mht-sec-fw-wut-01/admin/act/pri# sh run all tac
aaa-server CORP-ISE-Tacacs protocol tacacs+
aaa-server CORP-ISE-Tacacs (management) host 10.x.x x
key *****

Current ASDM version:

Device Manager Version 7.17(1)152

IOS - Cisco Adaptive Security Appliance Software Version 9.13(1) <context>

Kindly help... Is there anyone who might have faced this issue? 


balaji.bandi
Hall of Fame
24560   Searching for user record in RSA identity store Passcode cache - RSA SecurID
24562   User record was not found in Passcode cache - RSA SecurID

Do you use external authentication like RSA or OTP?

ISE 2.7: what patch do you have?

BB


Hello Balaji,

Do you use external authentication like RSA or OTP?

Yes, we are using RSA SecurID for external authentication and AD group for authorization.

ISE 2.7: what patch do you have?

Patch version: 4
