Why cannot tacacs users access failover ASA ?

wfqk
Level 5

Dear All

We set up a failover ASA, but the TACACS users cannot access the failover ASA5555. When a user accesses the ASA, the password does not work. To solve the problem, I created a new username on the ASA, and then the new user can access the ASA. At the same time, TACACS users can access other devices, which means the TACACS ACS is working well. Can anyone give me some suggestions? Thank you

3 Replies

Vibhor Amrodia
Cisco Employee

Hi,

Can you share with us the ASA AAA configuration, please? From the looks of the issue, it seems that the AAA authentication is only looking at the LOCAL database and not TACACS.

Thanks and Regards,

Vibhor Amrodia

Hi Vibhor,

Thank you so much for your reply. Right, the AAA authentication is only looking at the LOCAL database and not TACACS. Below is the failover and SSH configuration, which I simplified since it is for production. Please let me know if you need any further info.

--------------------------------------------
interface GigabitEthernet0/0
 description "Connections to C1 eth8/20"
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/1
 description "Connections to C1 eth8/21"
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 description "Connections to C1 eth8/22"
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 description "Connections to C1 eth8/23"
 channel-group 1 mode on
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/7
 description LAN Failover Interface
!
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.20.10.65 255.255.255.0 standby 10.20.10.66
!
interface Port-channel1
 description EtherChannel to C1
 no nameif
 no security-level
 no ip address
!
interface Port-channel1.2
 description Outside to Internet 215.113.16.0/24
 shutdown
 vlan 20
 nameif outside
 security-level 0
 ip address 215.113.16.250 255.255.255.0 standby 215.113.16.251
!
interface Port-channel1.9
 shutdown
 vlan 99
 nameif inside
 security-level 100
 ip address 10.20.2.250 255.255.255.0 standby 10.20.2.251
!
aaa-server tacacs protocol tacacs+
aaa-server tacacs (management) host 10.20.6.10
user-identity default-domain LOCAL
aaa authentication ssh console tacacs LOCAL

ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
----------------------------

I used the command --- crypto key generate rsa modulus 1024, but show run does not show it
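As an added example (not part of the thread and not Cisco code), the following Python script audits the AAA and SSH lines of the configuration posted above, using those lines as its sample input. The checks rest on two documented ASA behaviours: in an active/standby failover pair the standby unit sources the traffic it originates, AAA requests included, from the standby address of the interface, so the TACACS+ server must accept both 10.20.10.65 and 10.20.10.66 as clients; and with "aaa authentication ssh console tacacs LOCAL" the LOCAL database is consulted only when every server in the group is unreachable, not when the server rejects the credentials. It also flags the SSH settings a reviewer would question (SSH from any source, and the dh-group1-sha1 key exchange). The function names and the wording of the findings are the example's own.

```python
"""Audit the AAA and SSH lines of an ASA running-config for the
failover/TACACS+ problem in this thread.

Added example, not code from the thread or from Cisco. Checks rest on two
documented ASA behaviours:
  * in an active/standby failover pair the standby unit sources the traffic
    it originates (AAA requests included) from the standby address of the
    interface, so the AAA server must accept both addresses as clients;
  * "aaa authentication ssh console <group> LOCAL" falls through to LOCAL only
    when every server in <group> is unreachable; a reject is final.
Function names and the wording of the findings are this example's own.
"""
import re

# Constructed sample: the relevant lines of the configuration posted above.
SAMPLE_CONFIG = """\
interface Management0/0
 management-only
 nameif management
 security-level 100
 ip address 10.20.10.65 255.255.255.0 standby 10.20.10.66
!
aaa-server tacacs protocol tacacs+
aaa-server tacacs (management) host 10.20.6.10
aaa authentication ssh console tacacs LOCAL
ssh 0.0.0.0 0.0.0.0 management
ssh timeout 5
ssh key-exchange group dh-group1-sha1
"""

IPV4 = r"\d{1,3}(?:\.\d{1,3}){3}"
IFACE_RE = re.compile(r"^interface (\S+)")
NAMEIF_RE = re.compile(r"^\s+nameif (\S+)")
IPADDR_RE = re.compile(rf"^\s+ip address ({IPV4}) ({IPV4})(?: standby ({IPV4}))?")
SERVER_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)")
AUTH_RE = re.compile(r"^aaa authentication (\S+) console (\S+)(?: (LOCAL))?$")
SSH_ACL_RE = re.compile(rf"^ssh ({IPV4}) ({IPV4}) (\S+)$")
KEX_RE = re.compile(r"^ssh key-exchange group (\S+)")


def parse_interfaces(config):
    """Map each nameif to (active_ip, standby_ip_or_None)."""
    ifaces, cur = {}, None
    for line in config.splitlines():
        if IFACE_RE.match(line):
            cur = {"nameif": None, "ip": None, "standby": None}
            continue
        if cur is None:
            continue
        m = NAMEIF_RE.match(line)
        if m:
            cur["nameif"] = m.group(1)
        m = IPADDR_RE.match(line)
        if m:
            cur["ip"], cur["standby"] = m.group(1), m.group(3)
        if cur["nameif"] and cur["ip"]:
            ifaces[cur["nameif"]] = (cur["ip"], cur["standby"])
    return ifaces


def aaa_clients(config):
    """For every aaa-server host: the ASA source addresses it must accept."""
    ifaces = parse_interfaces(config)
    clients = {}
    for line in config.splitlines():
        m = SERVER_RE.match(line)
        if m:
            group, nameif, host = m.groups()
            active, standby = ifaces.get(nameif, (None, None))
            clients[(group, host)] = [a for a in (active, standby) if a]
    return clients


def audit(config):
    """Return the list of findings a reviewer would raise on this config."""
    findings = []
    for (group, host), srcs in aaa_clients(config).items():
        if len(srcs) == 2:
            findings.append(
                f"server {host} in group {group} must accept requests from "
                f"{srcs[0]} (active unit) and {srcs[1]} (standby unit); a server "
                f"that only knows {srcs[0]} will not accept the standby unit's requests")
    for line in config.splitlines():
        m = AUTH_RE.match(line)
        if m and m.group(3) == "LOCAL":
            findings.append(
                f"{m.group(1)}: LOCAL is used only when every server in group "
                f"{m.group(2)} is unreachable, not when the server rejects the login")
        m = SSH_ACL_RE.match(line)
        if m and m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0":
            findings.append(f"ssh accepted from any source on interface {m.group(3)}")
        m = KEX_RE.match(line)
        if m and m.group(1) == "dh-group1-sha1":
            findings.append("ssh key exchange is dh-group1-sha1 (1024-bit DH with SHA-1)")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_CONFIG):
        print("-", finding)
```

Run it against a full "show running-config" and the first finding lists the two management addresses that have to exist as AAA clients on the TACACS+ server; the remaining findings are the points to review before taking the fallback to LOCAL for granted.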
Hi,

I would request you to check the status of the TACACS server on the ASA device.

Also, try to test the username and password against the TACACS server and see if it works:

show aaa-server

test aaa-server authentication <server group> host <server ip> username <username> password <password>

Thanks and Regards,

Vibhor Amrodia
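As an added example (not from the thread), here is a small Python parser for the output of "show aaa-server", the command suggested above. It reports which server groups the ASA has marked FAILED, the state in which an "aaa authentication ... tacacs LOCAL" list falls back to the local database, and whether LOCAL has been answering logins. The sample output is constructed: the field layout follows the ASA display, but the timestamps and counters are invented.

```python
"""Interpret "show aaa-server" output from an ASA: which server groups are
FAILED (the state in which "aaa authentication ... <group> LOCAL" quietly
falls back to the local database) and whether LOCAL has been answering.

Added example, not from the thread. The sample below is constructed: the
field layout follows the ASA display, the timestamps and counters are
invented.
"""
import re

SAMPLE_SHOW = """\
Server Group:    tacacs
Server Protocol: tacacs+
Server Address:  10.20.6.10
Server port:     49
Server status:   FAILED, Server disabled at 10:52:13 UTC Tue Mar 4 2014
Number of pending requests              0
Average round trip time                 0ms
Number of authentication requests       7
Number of retransmissions               0
Number of accepts                       0
Number of rejects                       0
Number of malformed responses           0
Number of timeouts                      7

Server Group:    LOCAL
Server Protocol: Local database
Server Address:  None
Server port:     None
Server status:   ACTIVE, Last transaction at 10:53:01 UTC Tue Mar 4 2014
Number of pending requests              0
Average round trip time                 0ms
Number of authentication requests       3
Number of retransmissions               0
Number of accepts                       2
Number of rejects                       1
Number of malformed responses           0
Number of timeouts                      0
"""

HEADER_RE = re.compile(r"^Server (Group|Protocol|Address|port|status):\s+(.*)$")
COUNTER_RE = re.compile(r"^Number of (.+?)\s+(\d+)$")


def parse_show_aaa_server(text):
    """Return one dict per server entry: group, protocol, address, port,
    status (first word of the status line) and a counters dict."""
    servers, cur = [], None
    for line in text.splitlines():
        m = HEADER_RE.match(line)
        if m:
            key, value = m.groups()
            if key == "Group":
                cur = {"counters": {}}
                servers.append(cur)
            if cur is None:
                continue
            if key == "status":
                cur["status"] = value.split(",")[0].strip()
                cur["status_detail"] = value
            else:
                cur[key.lower()] = value.strip()
            continue
        m = COUNTER_RE.match(line)
        if m and cur is not None:
            cur["counters"][m.group(1)] = int(m.group(2))
    return servers


def diagnose(text):
    """Explain, per entry, why logins may be reaching LOCAL."""
    notes = []
    for s in parse_show_aaa_server(text):
        c = s["counters"]
        if s["status"] == "FAILED":
            # Timeouts mean no reply at all: an unreachable server, or one
            # that silently drops requests from this unit's source address.
            notes.append(
                f"group {s['group']} ({s['address']}) is FAILED after "
                f"{c.get('timeouts', 0)} timeouts and "
                f"{c.get('malformed responses', 0)} malformed responses; "
                "logins fall through to the next method in the aaa list")
        elif s["protocol"] == "Local database" and c.get("authentication requests"):
            notes.append(
                f"LOCAL has answered {c['authentication requests']} logins "
                f"({c.get('accepts', 0)} accepted): the fallback is in use")
    return notes


if __name__ == "__main__":
    for note in diagnose(SAMPLE_SHOW):
        print("-", note)
```

Paste the real output in place of the sample; a FAILED TACACS+ entry with a non-zero timeout counter next to an ACTIVE LOCAL entry with accepts is exactly the picture behind "only the local username works".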
