06-10-2015 06:05 AM - edited 03-12-2019 06:08 PM
Dear All
We set up a failover ASA, but the TACACS users cannot access the failover ASA5555. When the user accesses the ASA, the password does not work. In order to solve the problem, I created a new username on the ASA, and then the new user could access the ASA. At the same time, TACACS users can access other devices, which means the TACACS ACS is working well. Can anyone give me some suggestions? Thank you
06-10-2015 07:38 AM
Hi,
Can you share with us the ASA AAA configuration please? From the looks of the issue, it seems that the AAA authentication is only looking at the LOCAL database and not TACACS.
Thanks and Regards,
Vibhor Amrodia
06-10-2015 12:53 PM
Hi Vibhor,
Thank you so much for your reply. Right, the AAA authentication is only looking at the LOCAL database and not TACACS. Below is the failover and SSH configuration, which I simplified since it is for production. Please let me know if you need any more info.
--------------------------------------------
interface GigabitEthernet0/0
description "Connections to C1 eth8/20"
channel-group 1 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/1
description "Connections to C1 eth8/21"
channel-group 1 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
description "Connections to C1 eth8/22"
channel-group 1 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
description "Connections to C1 eth8/23"
channel-group 1 mode on
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/7
description LAN Failover Interface
!
interface Management0/0
management-only
nameif management
security-level 100
ip address 10.20.10.65 255.255.255.0 standby 10.20.10.66
!
interface Port-channel1
description EtherChannel to C1
no nameif
no security-level
no ip address
!
interface Port-channel1.2
description Outside to Internet 215.113.16.0/24
shutdown
vlan 20
nameif outside
security-level 0
ip address 215.113.16.250 255.255.255.0 standby 215.113.16.251
!
interface Port-channel1.9
shutdown
vlan 99
nameif inside
security-level 100
ip address 10.20.2.250 255.255.255.0 standby 10.20.2.251
!
aaa-server tacacs protocol tacacs+
aaa-server tacacs (management) host 10.20.6.10
user-identity default-domain LOCAL
aaa authentication ssh console tacacs LOCAL
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
----------------------------
I used the command "crypto key generate rsa modulus 1024", but show run does not show it.
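An added check, not from this thread or from Cisco: a small Python audit that parses the AAA lines quoted in the post (the sample below is constructed from them) and reports the configurations under which an ASA quietly falls back to the LOCAL database for SSH logins. The missing `key` finding is an assumption about what the simplified post omits; the real unit may well have one.

```python
import re

# Constructed sample: the AAA and SSH lines from the post above (simplified by the poster).
ASA_AAA_CONFIG = """\
aaa-server tacacs protocol tacacs+
aaa-server tacacs (management) host 10.20.6.10
aaa authentication ssh console tacacs LOCAL
ssh 0.0.0.0 0.0.0.0 management
"""
GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)")
AUTH_RE = re.compile(r"^aaa authentication (\S+) console (\S+)(?: (LOCAL))?$")


def parse_aaa(config: str) -> dict:
    """Collect server groups, their hosts (with key presence) and the login method lists."""
    groups, auth, host = {}, {}, None
    for line in config.splitlines():
        if line.startswith(" ") and host is not None:
            # Indented sub-commands (e.g. ' key *****') belong to the preceding host entry.
            host["has_key"] |= line.strip().startswith("key ")
            continue
        host = None
        if m := GROUP_RE.match(line):
            groups.setdefault(m.group(1), {"protocol": m.group(2), "hosts": []})
        elif m := HOST_RE.match(line):
            host = {"iface": m.group(2), "addr": m.group(3), "has_key": False}
            groups.setdefault(m.group(1), {"protocol": None, "hosts": []})["hosts"].append(host)
        elif m := AUTH_RE.match(line):
            auth[m.group(1)] = {"group": m.group(2), "local_fallback": m.group(3) == "LOCAL"}
    return {"groups": groups, "auth": auth}


def audit_aaa(config: str) -> list:
    """Findings that make logins quietly fall back to LOCAL, or lock admins out."""
    parsed, findings = parse_aaa(config), []
    for svc, entry in parsed["auth"].items():
        if entry["group"] == "LOCAL":
            continue  # local-only method list, nothing to cross-check
        grp = parsed["groups"].get(entry["group"])
        if grp is None or not grp["hosts"]:
            findings.append(f"{svc}: group '{entry['group']}' is undefined or has no hosts")
            continue
        for h in grp["hosts"]:
            if not h["has_key"]:
                # Without a matching shared key the TACACS+ exchange fails, the ASA marks the
                # host down and uses the LOCAL fallback, which is the symptom in this thread.
                findings.append(f"{svc}: host {h['addr']} ({h['iface']}) has no 'key' configured")
        if not entry["local_fallback"]:
            findings.append(f"{svc}: no LOCAL fallback, admins are locked out if TACACS is down")
    return findings
```

Feed it the output of `show running-config aaa-server` and `show running-config aaa` from each failover unit; a finding on only one unit points at a config that did not replicate.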
06-11-2015 09:56 AM
Hi,
I would request you to check the status of the TACACS server on the ASA device.
Also, try to test the username and password against the TACACS server and see if it works:
show aaa-server
test aaa authentication <server name> username password
Thanks and Regards,
Vibhor Amrodia