Firewall AAA configuration

Steven Williams · ‎01-11-2019

Does the aaa commands/configuration copy to standby firewall? I can't seem to get to my secondary ASA.

Message Text	Failed-Attempt: Session Authorization encountered an error
Failure Reason	15020 Could not find selected Shell Profiles
Resolution	Add a shell profile to the result of the rule, or modify the rule condition so that this rule is not selected for session authorisation
Root Cause	Could not find selected Shell Profiles
Username	stevenwilliams

Sheraz.Salim · ‎01-11-2019

hmm..... they should be.

stupid question does your asa configured with active standby ip addresses?

please do not forget to rate.

Steven Williams · ‎01-11-2019

Yes they do. I can ping the standby and get a login prompt but nothing works, but the primary works fine and a wr standby doesnt seem to fix the issue.

Sheraz.Salim · ‎01-11-2019

What ASA code on it?

please do not forget to rate.

Steven Williams · ‎01-11-2019

9.6

Sheraz.Salim · ‎01-11-2019

curious does the ISE in network devices have a standby ip address of this ASA?

please do not forget to rate.

Steven Williams · ‎01-11-2019

Yes since thats how I grabbed that log I posted. Its from ISE.

Sheraz.Salim · ‎01-11-2019

Run 'test aaa-server authentication ' on the Standby unit and check what the reason for the failure is.
Enable 'debug aaa authentication' on the Standby unit and watch the output when you try to authenticate.

please do not forget to rate.

Steven Williams · ‎01-11-2019

don't have the ability till I can get someone onsite to console it for me. wont allow access via ssh or http.

Marvin Rhoads · ‎01-12-2019

ISE seems to indicate that the Authorization result is looking for an undefined shell profile.

Does the detail report from ISE Live logs shed any more light?

Marius Gunnerud · ‎01-13-2019

I agree with Marvin here that there is an issue with the ISE authorization profile configuration, however it is a bit strange that you are unable to access the secondary ASA via SSH or HTTPS. Have you tried to power-cycle the standby ASA?

--
Please remember to select a correct answer and rate helpful posts

Steven Williams · ‎01-14-2019

The ISE authorization profile is fine since it works on the primary ASA and uses the same auth profile. It just seems like the standby ASA didnt get the aaa commands on the wr standby.

Sheraz.Salim · ‎01-14-2019

I agree with @Steven Williams. As he done all from the active ASA to figure out what could be the issue.

thanks for the update.

please do not forget to rate.

Marius Gunnerud · ‎01-14-2019

You do know you can check the configuration on the standby ASA from the primary ASA, right?

for example you can issue the following command to se the AAA configuration on the standby

failover exec standby show run aaa

As long as failover is configured correctly I am having a hard time believing there is an issue with the configuration on the standby device. I am leaning towards either a process that is hanging on the standby which will be solved by rebooting the standby device, or an issue with configuration on ISE.

--
Please remember to select a correct answer and rate helpful posts

Firewall AAA configuration

Cisco Secure Firewall (FTD) - How To

AAA Configuration

Secure Firewall Resource Repository

Secure Firewall (FMC/FTD): はじめての AI アシスタント

Secure Firewall Expert Insights Series