TACACS successful but still fallback to Local

Hi All,

I need your help. We have enabled TACACS+ on a Cisco ASA running version 9.6.1, however access is not working.

Upon further troubleshooting I found that the authentication is successful but it is still failing over to the LOCAL database. I am not sure if it is due to the version or a bug. I am using the exact same configs on several other ASAs, but this is the first one with version 9.6.1. There is an SFR module on this unit, but it should not cause any issue with firewall management.

Please assist if I am missing something:

Configuration (just enabled TACACS on SSH):

aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authentication ssh console AuthInbound LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL


aaa-server AuthInbound protocol tacacs+
aaa-server AuthInbound (Inside) host xxx.x.x.xx
 timeout 30
 key *****


Debug logs:


Feb 13 2018 17:29:33: %ASA-6-113004: AAA user authentication Successful : server =  X.X.X.X : user = a***@***

Feb 13 2018 17:29:33: %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication request for user a***@**c : Auth-server group LOCAL unreachable

Feb 13 2018 17:29:33: %ASA-6-113005: AAA user authorization Rejected : reason = User was not found : server = 0.0.0.0 : user = a***@**c : user IP = X.X.X.X

Feb 13 2018 17:29:33: %ASA-6-611102: User authentication failed: IP address:  X.X.X.X, Uname: *****

Feb 13 2018 17:29:33: %ASA-6-611102: User authentication failed: IP address:  X.X.X.X, Uname: *****

Feb 13 2018 17:29:33: %ASA-6-605004: Login denied from  X.X.X.X/46406 to Inside:192.168.12.3/ssh for user "*****"

Feb 13 2018 17:29:33: %ASA-6-315011: SSH session from  X.X.X.X on interface Inside for user "*****" disconnected by SSH server, reason: "Rejected by server" (0x0d)

Thanks and Regards,

Kanes.R
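As an added example, not part of the post above: a small Python parser for the ASA syslog lines quoted in the post that correlates the 113004 (authentication accepted by the AAA server) and 113005 (authorization rejected, answered by server 0.0.0.0, i.e. the LOCAL database) messages sharing a timestamp. The verdict string it emits encodes the assumption that `aaa authorization exec LOCAL` looks the user up in the local database, so a user who exists only on the TACACS+ server is not found there; the sample log is constructed from the post with the masking kept as posted.

```python
import re
from collections import defaultdict

# A Cisco ASA syslog line: timestamp, %ASA-<severity>-<message id>, free-text body.
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%ASA-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$"
)

def parse_asa_line(line):
    """Return a dict with ts/sev/msgid/summary plus body fields, or None if not ASA."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    parts = [p.strip() for p in m.group("body").split(" : ")]
    event = {"ts": m.group("ts"), "sev": int(m.group("sev")),
             "msgid": m.group("msgid"), "summary": parts[0]}
    for part in parts[1:]:                       # "key = value" pairs after the summary
        if "=" in part:
            key, value = part.split("=", 1)
            event[key.strip()] = value.strip()
    return event

def diagnose(lines):
    """Correlate events that share a timestamp and name the AAA failure pattern.
    113004 with a real server address = the AAA server accepted the login; 113005 with
    server = 0.0.0.0 = the authorization lookup was answered by LOCAL, not TACACS+."""
    by_ts = defaultdict(list)
    for ev in filter(None, map(parse_asa_line, lines)):
        by_ts[ev["ts"]].append(ev)
    findings = []
    for ts, evs in by_ts.items():
        auth_ok = any(e["msgid"] == "113004" and e.get("server", "0.0.0.0") != "0.0.0.0"
                      for e in evs)
        local_miss = any(e["msgid"] == "113005" and e.get("server") == "0.0.0.0"
                         and e.get("reason") == "User was not found" for e in evs)
        if auth_ok and local_miss:               # authenticated remotely, authorized locally
            findings.append((ts, "authn-ok-authz-local-user-missing"))
    return findings

# Constructed sample: the lines quoted in the post, masking kept as posted.
SAMPLE_LOG = """\
Feb 13 2018 17:29:33: %ASA-6-113004: AAA user authentication Successful : server =  X.X.X.X : user = a***@***
Feb 13 2018 17:29:33: %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication request for user a***@**c : Auth-server group LOCAL unreachable
Feb 13 2018 17:29:33: %ASA-6-113005: AAA user authorization Rejected : reason = User was not found : server = 0.0.0.0 : user = a***@**c : user IP = X.X.X.X
Feb 13 2018 17:29:33: %ASA-6-605004: Login denied from  X.X.X.X/46406 to Inside:192.168.12.3/ssh for user "*****"
""".splitlines()
if __name__ == "__main__":
    for ts, verdict in diagnose(SAMPLE_LOG):
        print(ts, verdict)
```

The verdict points at the `aaa authorization exec` / `aaa authorization command` method lists rather than at the TACACS+ server, which is where the 113004 line shows authentication already succeeding.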