ASA 5545 TACACS+ login issue

zizou6500
Level 1

Hi Guys,

 

I was trying to configure an ASA 5545 and add it to TACACS+. I got the error message "Command authorization failed" once I pushed this command line:

 

(config)# aaa authentication ssh console tacacs_server LOCAL
Range already exists.

 

Command authorization failed

 

And since then I have not been able to connect with either TACACS or my local noc account. I can log in but am not able to get into enable mode. Below is the current config for the TACACS part:

 

aaa-server tacacs_server protocol tacacs+
 reactivation-mode depletion deadtime 0
aaa-server tacacs_server (management) host 172.17.x.x
 timeout 5
 key *****
aaa-server tacacs_server (management) host 172.17.x.x
 timeout 5
 key *****

aaa authentication enable console tacacs_server LOCAL
aaa authentication serial console tacacs_server LOCAL
aaa authentication ssh console tacacs_server LOCAL

 

It wasn't possible to push the rest of the configuration below:

aaa authorization command tacacs_server LOCAL
aaa accounting command tacacs_server
aaa accounting enable console tacacs_server
aaa accounting serial console tacacs_server
aaa accounting ssh console tacacs_server
aaa accounting telnet console tacacs_server
aaa authentication secure-http-client
aaa authorization exec authentication-server auto-enable

 

So I think that the only thing I can do is reboot the device in order to gain access again. I need your help to figure out the issue I encountered and authenticate properly using TACACS+.

 

Thanks in advance.

1 Accepted Solution

16 Replies

balaji.bandi
Hall of Fame

Do you have a TACACS server set up with the ASA as a client, with a key?

 

Personally I would advise that everything related to console config be added after testing SSH and the other stuff, since you are not sure whether TACACS is working or not.

 

What username and password are you trying? Local or TACACS? (Try both and test.) If it is still an issue and you have not saved the config, reload the ASA (if this is production, do it in a maintenance window) to get back to the old known good config.

 

Once the ASA comes back, connect via console access, remove these lines from the config, then add the rest of the config. Test SSH and make sure you have all the access to the ASA you expect, then add the rest of the config.

 

aaa authentication enable console tacacs_server LOCAL
aaa authentication serial console tacacs_server LOCAL

 

Note: Personally I would not do console config; that is the fallback if anything goes wrong in the network or TACACS, as you can access the console using a local username/password. From a security point of view, if someone has reached the console it means physical security is already breached, and there is nothing one can do.

 

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hi Balaji,

 

Thank you.

 

I tried to log in with both local and TACACS accounts but had the same issue, so I'll reload the ASA device and try what you've suggested.

 

I'm not sure whether I removed the command line below when configuring TACACS; can you advise whether this could be the root cause?

aaa authentication ssh console LOCAL


 

 

Hello

Make sure you have a local user created with privilege 15 access 

Example:
username stan privilege 15
username stan password ***** 

aaa-server tacacs_server protocol tacacs+
reactivation-mode depletion deadtime 10
aaa authorization exec LOCAL auto-enable

or
aaa authorization exec authentication-server auto-enable


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi @paul driver,

 

Thank you for this feedback.

 

I have a local account created as below, but I can't get into enable mode (after applying the TACACS+ config):

 

username noc password xxxxxxxxx pbkdf2

 

 

 

 

Try -
username noc privilege 15

aaa authentication serial console tacacs_server LOCAL
aaa authentication ssh console tacacs_server LOCAL
aaa authentication enable console tacacs_server LOCAL
aaa authorization command tacacs_server LOCAL
aaa authorization exec authentication-server auto-enable

or 

aaa authorization exec LOCAL auto-enable


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul
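The two lockout conditions this thread keeps circling back to (an `aaa authentication ... console` line that points at a server group without a trailing LOCAL fallback, and no local username with privilege 15 so enable mode is unreachable once TACACS+ is in the path), plus the "Range already exists" collision the original poster hit when a line for the same service already existed, can be checked against the config text before anything is pushed to the box. The following lint is an added example, not code from anyone in the thread or from Cisco; the sample configs are constructed from the snippets posted above, and it assumes the ASA default of privilege 2 for a username with no explicit `privilege` keyword.

```python
"""Pre-change lockout lint for ASA AAA configuration text (added example)."""
import re
from dataclasses import dataclass, field

# "aaa authentication <service> console <server-group> [LOCAL]"
AUTH_RE = re.compile(r"^aaa authentication (\S+) console\s+(.+?)\s*$")
# "aaa authorization command <server-group> [LOCAL]"
AUTHZ_CMD_RE = re.compile(r"^aaa authorization command\s+(.+?)\s*$")
# "username <name> ..." with an optional "privilege N"
USER_RE = re.compile(r"^username (\S+)(.*)$")
PRIV_RE = re.compile(r"\bprivilege (\d+)\b")

# Constructed from the original post: local user with no privilege keyword,
# LOCAL-only authentication already present on the box.
OP_EXISTING = """
username noc password xxxxxxxxx pbkdf2
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
"""
# Constructed from the TACACS+ lines the poster intended to push.
OP_PLANNED = """
aaa authentication enable console tacacs_server LOCAL
aaa authentication ssh console tacacs_server LOCAL
aaa authorization command tacacs_server LOCAL
"""


@dataclass
class Findings:
    errors: list = field(default_factory=list)    # would lock you out
    warnings: list = field(default_factory=list)  # may fail to apply

    @property
    def safe(self) -> bool:
        return not self.errors


def _lines(cfg: str) -> list:
    return [ln.strip() for ln in cfg.splitlines() if ln.strip()]


def local_priv15_users(cfg: str) -> set:
    """Usernames explicitly granted privilege 15.

    ASA gives a username privilege 2 when none is configured, so
    'username noc password ... pbkdf2' alone does not reach enable mode
    once authorization is handed to TACACS+ with a LOCAL fallback.
    """
    users = set()
    for ln in _lines(cfg):
        m = USER_RE.match(ln)
        if m:
            pm = PRIV_RE.search(m.group(2))
            if pm and int(pm.group(1)) == 15:
                users.add(m.group(1))
    return users


def lint_aaa(existing_cfg: str, planned_cfg: str) -> Findings:
    """Check existing + planned AAA lines for lockout risks and collisions."""
    f = Findings()
    uses_remote = False

    for ln in _lines(existing_cfg) + _lines(planned_cfg):
        m = AUTH_RE.match(ln)
        if m:
            svc, groups = m.group(1), m.group(2).split()
            if groups != ["LOCAL"]:
                uses_remote = True
                if groups[-1] != "LOCAL":
                    f.errors.append(f"{svc}: no LOCAL fallback ({ln})")
            continue
        m = AUTHZ_CMD_RE.match(ln)
        if m:
            groups = m.group(1).split()
            if groups != ["LOCAL"]:
                uses_remote = True
                if groups[-1] != "LOCAL":
                    f.errors.append(f"command authorization without LOCAL fallback ({ln})")

    if uses_remote and not local_priv15_users(existing_cfg + "\n" + planned_cfg):
        f.errors.append("no local username with privilege 15: enable mode is "
                        "unreachable if the TACACS+ servers are down")

    # A planned line for a service that already has one: the poster had to
    # remove the old line first after the ASA answered "Range already exists".
    existing_svcs = {AUTH_RE.match(ln).group(1)
                     for ln in _lines(existing_cfg) if AUTH_RE.match(ln)}
    for ln in _lines(planned_cfg):
        m = AUTH_RE.match(ln)
        if m and m.group(1) in existing_svcs:
            f.warnings.append(f"{m.group(1)}: an 'aaa authentication {m.group(1)} console' "
                              "line already exists; remove it first if the ASA reports "
                              "'Range already exists'")
    return f


if __name__ == "__main__":
    for label, existing in (("as posted", OP_EXISTING),
                            ("with privilege 15", OP_EXISTING + "username noc privilege 15\n")):
        result = lint_aaa(existing, OP_PLANNED)
        print(f"{label}: safe={result.safe}")
        for msg in result.errors + result.warnings:
            print("  ", msg)
```

Run against the posted config it reports exactly the problem Paul pointed at (no privilege 15 user) and warns about the two services that already have a LOCAL-only line; adding `username noc privilege 15` clears the error while the warnings remain, which is the order of operations the poster ended up following.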

Hi @paul driver,

 

Thank you.

 

I have another device that I had to reboot the last time I tried to configure TACACS. Below is the current config:


aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL 

 

Should I proceed first by removing those four lines and then applying the conf you've suggested (just to confirm)?

 

This is the configuration that I'm planning to apply:

 

aaa authorization exec authentication-server auto-enable
aaa authentication http console tacacs_server LOCAL
aaa authentication enable console tacacs_server LOCAL
aaa authentication ssh console tacacs_server LOCAL
aaa authorization command tacacs_server LOCAL
aaa accounting ssh console tacacs_server
aaa accounting command tacacs_server
aaa accounting enable console tacacs_server
aaa accounting serial console tacacs_server

 

 

Hello

Looks OK, but don't forget the local user account with privilege 15 access.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi @paul driver ,

 

Thank you.

 

Yes, I've already created a local account with privilege 15.

 

Should I remove those lines before applying the Tacacs ones?

 

aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL 

Hello
No need, you should just be able to overwrite them to include the tacacs_server.


Please rate and mark as an accepted solution if you have found any of the information provided useful.
This then could assist others on these forums to find a valuable answer and broadens the community’s global network.

Kind Regards
Paul

Hi @paul driver,

 

Thank you.

 

Indeed, I had to remove the existing "aaa" commands because I got the error message "range already exists" when pushing the TACACS ones. After removing them, I was able to configure TACACS and I'm now able to connect to the ASA via my TACACS account.

 

Thanks for your help!

Hi @paul driver,

I had an issue configuring TACACS on a Cisco WS-C4948E-F device. Below is the configuration applied:

 

aaa group server tacacs+ tacacs_server
aaa authentication login ssh group tacacs_server local-case enable
aaa authentication enable default group tacacs_server enable
aaa authorization exec default group tacacs_server if-authenticated
aaa authorization commands 0 default group tacacs_server if-authenticated
aaa authorization commands 1 default group tacacs_server if-authenticated
aaa authorization commands 15 default group tacacs_server if-authenticated
aaa authorization configuration default group tacacs_server
aaa accounting exec default start-stop group tacacs_server
aaa accounting commands 0 default start-stop group tacacs_server
aaa accounting commands 1 default start-stop group tacacs_server
aaa accounting commands 15 default start-stop group tacacs_server
aaa accounting connection default start-stop group tacacs_server
aaa accounting system default start-stop group tacacs_server
ip tacacs source-interface GigabitEthernetx/x
tacacs-server host 172.16.x.x key 7 *************************
tacacs-server host 172.16.x.x key 7 *************************
tacacs-server host 172.16.x.x key 7 **************************

 

===========================================

 

But this didn't work; I can see that there are some failed attempts:

 

Tacacs+ Server - public : 172.16.x.x/49
Socket opens: 120
Socket closes: 120
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 52
Total Packets Sent: 0
Total Packets Recv: 0

 

On the server side, I can't see any attempts. Do you have any idea, please?
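Reading the counters above: "Failed Connect Attempts: 52" together with "Total Packets Sent: 0" means the TCP connection to the server's port 49 never completed, so no TACACS+ packet was ever sent and the server has nothing to log, which is consistent with "On the server side, I can't see any attempts" and points at the path between the switch and the server rather than at the AAA method lists. The parser and classifier below is an added example, not the poster's or Cisco's code; it takes the `show tacacs` block above as a constructed sample and only separates transport-level failures from failures that happen after a connection is up.

```python
"""Classify IOS 'show tacacs' per-server counters (added example)."""
import re

# "Tacacs+ Server - <group> : <host>/<port>"
HEADER_RE = re.compile(
    r"^Tacacs\+ Server\s*-\s*(?P<group>\S+)\s*:\s*(?P<host>[^/\s]+)/(?P<port>\d+)\s*$"
)
# "<Counter name>: <integer>"
COUNTER_RE = re.compile(r"^(?P<name>[A-Za-z ]+?)\s*:\s*(?P<value>\d+)\s*$")

# Constructed sample: the counters posted above for the WS-C4948E-F.
SAMPLE_OUTPUT = """
Tacacs+ Server - public : 172.16.x.x/49
Socket opens: 120
Socket closes: 120
Socket aborts: 0
Socket errors: 0
Socket Timeouts: 0
Failed Connect Attempts: 52
Total Packets Sent: 0
Total Packets Recv: 0
"""


def parse_tacacs_stats(text: str) -> list:
    """Return one dict per server block: group, host, port and lower-cased counters."""
    servers = []
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        m = HEADER_RE.match(line)
        if m:
            current = {"group": m.group("group"), "host": m.group("host"),
                       "port": int(m.group("port")), "counters": {}}
            servers.append(current)
            continue
        m = COUNTER_RE.match(line)
        if m and current is not None:
            current["counters"][m.group("name").strip().lower()] = int(m.group("value"))
    return servers


def diagnose(server: dict) -> str:
    """Map a server's counters to a coarse failure class.

    transport : connect attempts failed before any packet went out, so the
                server cannot have logged anything; check reachability from the
                ip tacacs source-interface to <host>:<port> (routing, ACLs,
                firewalls, the configured host address) before touching keys.
    no-reply  : packets went out but nothing came back; the server did see
                traffic, so its own logs and client definition are the next stop.
    timeouts  : replies stopped mid-exchange.
    ok        : nothing in the counters indicates a problem.
    """
    c = server["counters"]
    failed = c.get("failed connect attempts", 0)
    sent = c.get("total packets sent", 0)
    recv = c.get("total packets recv", 0)
    timeouts = c.get("socket timeouts", 0)
    if sent == 0 and failed > 0:
        return "transport"
    if sent > 0 and recv == 0:
        return "no-reply"
    if timeouts > 0:
        return "timeouts"
    return "ok"


def report(text: str) -> list:
    """[(host, port, diagnosis), ...] for every server block in the output."""
    return [(s["host"], s["port"], diagnose(s)) for s in parse_tacacs_stats(text)]


if __name__ == "__main__":
    for host, port, verdict in report(SAMPLE_OUTPUT):
        print(f"{host}:{port} -> {verdict}")
```

For the posted output this yields `172.16.x.x:49 -> transport`; a server whose "Total Packets Sent" is non-zero would instead be classified by what came back, which is the point at which server-side logs become meaningful.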

What IOS code is it running? There are some syntax changes between the new Cat 9K IOS XE and old IOS / IOS XE.

 

It should be as in the example below:

 

aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Hello Balaji

 

Cisco IOS Software, Catalyst 4500 L3 Switch Software (cat4500e-ENTSERVICESK9-M), Version 15.0(2)SG, RELEASE SOFTWARE (fc4)
Technical Support: http://www.cisco.com/techsupport
Copyright (c) 1986-2011 by Cisco Systems, Inc.
Compiled Tue 26-Apr-11 17:17 by prod_rel_team
Image text-base: 0x10000000, data-base: 0x12E7F8F0

ROM: 12.2(44r)SG9
Hobgoblin Revision 20, Fortooine Revision 1.32

Attached config guide for reference, IOS 15.X.

BB

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help
