Cisco ASA AAA timeout

tothz (Level 1)

Hi everybody

I operate a Cisco ASA 5506 with AAA settings. I use a Linux tac_plus server.

It seems to work well, but very slowly.

If I stop the TACACS server, login with the TACACS user stops immediately, and I can log in with a local user. Nice.

If I start the TACACS server again, I cannot log in with the TACACS user. It looks like the ASA is still using the local database.

ASA AAA config:

aaa-server tacacs protocol tacacs+
reactivation-mode depletion deadtime 1
aaa-server tacacs (inside) host 1.1.1.1
timeout 5
key *****
user-identity default-domain LOCAL
aaa authentication http console tacacs LOCAL
aaa authentication ssh console tacacs LOCAL
aaa authentication enable console tacacs LOCAL
aaa authentication serial console tacacs LOCAL
aaa authorization command tacacs LOCAL
aaa accounting command tacacs
aaa accounting enable console tacacs
aaa accounting ssh console tacacs
aaa accounting serial console tacacs
aaa local authentication attempts max-fail 5
aaa authentication login-history

Any idea?
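An added audit script (not from this thread) that parses the aaa-server block above and reports, per server group, how long a failed server stays out of rotation before it is retried and which console authentication methods have no LOCAL fallback. It assumes the documented ASA reactivation semantics (depletion mode waits the configured deadtime, in minutes, once every server in the group has failed; timed mode retries after 30 seconds) and the defaults noted in the comments.

```python
from dataclasses import dataclass, field

# Constructed sample: the aaa-server and aaa authentication lines from the post.
ASA_CONFIG = """\
aaa-server tacacs protocol tacacs+
reactivation-mode depletion deadtime 1
aaa-server tacacs (inside) host 1.1.1.1
timeout 5
aaa authentication http console tacacs LOCAL
aaa authentication ssh console tacacs LOCAL
aaa authentication enable console tacacs LOCAL
"""

@dataclass
class ServerGroup:
    name: str
    hosts: list = field(default_factory=list)
    mode: str = "depletion"   # ASA default when no reactivation-mode line is present
    deadtime_min: int = 10    # ASA default depletion deadtime, in minutes
    timeout_s: int = 10       # ASA default per-host timeout, in seconds

def parse_aaa(config):
    # Returns ({group: ServerGroup}, [(method, group, fallback-or-None)]).
    groups, auth, cur = {}, [], None
    for t in (l.split() for l in config.splitlines() if l.strip()):
        if t[0] == "aaa-server" and "protocol" in t:
            cur = groups[t[1]] = ServerGroup(t[1])
        elif t[0] == "aaa-server" and "host" in t:
            cur = groups[t[1]]
            cur.hosts.append(t[t.index("host") + 1])
        elif t[0] == "reactivation-mode" and cur:
            cur.mode = t[1]
            if "deadtime" in t:
                cur.deadtime_min = int(t[t.index("deadtime") + 1])
        elif t[0] == "timeout" and cur:
            cur.timeout_s = int(t[1])
        elif t[:2] == ["aaa", "authentication"] and "console" in t:
            auth.append((t[2], t[4], t[5] if len(t) > 5 else None))
    return groups, auth

def audit(config):
    # Per group: seconds until a failed server is retried (documented ASA behaviour,
    # assumed here: depletion waits 'deadtime' minutes once every server in the group
    # has failed; timed mode retries after 30 s), plus methods with no LOCAL fallback.
    groups, auth = parse_aaa(config)
    retry = {g.name: 30 if g.mode == "timed" else g.deadtime_min * 60
             for g in groups.values()}
    no_fallback = [m for m, _, fb in auth if fb != "LOCAL"]
    return retry, no_fallback
```

With a single host in depletion mode, the group is "depleted" as soon as that one host is marked failed, so the deadtime alone governs when the ASA tries TACACS again.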

3 Replies

balaji.bandi (Hall of Fame)

What is the ASA IP address, and do you have a good connection between the ASA and Linux?

"I can login with local user"

This shows it falls back to local. What logs do you see on Linux?


BB

***** Rate All Helpful Responses *****


Mike.Cifelli (VIP Alumni)

Is the ASA able to reach the T+ server? Have you attempted to run a packet trace to ensure routes/ACLs are good? Try this from the CLI: #test aaa-server authentication/authorization <group_name> username <username> password <pass>

What are the results?

test aaa-server authentication tacacs username teszt password meme
Server IP Address or name: 10.1.1.1
INFO: Attempting Authentication test to IP address (1.1.1.1) (timeout: 10 seconds)
INFO: Authentication Successful

--------

But:

ssh -l teszt 10.0.1.70
teszt@10.0.1.70's password:
Permission denied, please try again.
teszt@10.0.1.70's password:

--------------------------------------------

After a few minutes it works well again:

teszt@10.0.1.70's password:
User teszt logged in to f-pe1-13
Logins over the last 2 days: 10. Last login: 12:50:13 CEST Feb 3 2022 from console
Failed logins since the last login: 0. Last failed login: 10:22:28 CEST Feb 3 2022 from 10.0.2.4
Type help or '?' for a list of available commands.
asa>

------------------------------

My problem is that the fallback time is slow.

TACACS to LOCAL changes in 3 seconds, but LOCAL to TACACS takes five minutes.
