Thanks, Steven, I figured it. My fault ;)

From: Steven van Jaarsveld [mailto:[email protected]]
Sent: 09 January 2012 23:04
To: Eugene Pefti
Subject: RE: ASA firewall as AAA client in ACS
Hi Eugene

Have a look under the Group settings to see whether a different Secret has been configured for the Group, as this overrides the manual Secret when you add the FW.

Regards
Steven

From: [email protected] [mailto:[email protected]] On Behalf Of Eugene Pefti
Sent: 08 January 2012 10:54 PM
To: ccie security
Subject: [OSL | CCIE_Security] ASA firewall as AAA client in ACS

Hello guys,

My curiosity needs to be satisfied once again. I may be doing it wrong, but I wish to know why it doesn't work the way I was thinking. Anyways, there's ACS42 with a FIREWALLS network device group defined in the Network Interface section. Then I add the ASA firewall as an AAA client under this FIREWALLS NDG, specifying the name of the ASA, the IP address, the shared key and TACACS+ as the protocol. The ASA is configured accordingly to match the above:

    aaa-server ACS42 protocol tacacs+
    aaa-server ACS42 (inside) host 192.168.1.152
     key cisco123

When I test a user authentication from the ASA against this ACS server I end up with a shared key mismatch:

    LABASA(config)# test aaa-server authen ACS42 host 192.168.1.152 username cisco$
    INFO: Attempting Authentication test to IP address <192.168.1.152> (timeout: 12 seconds)
    ERROR: Authentication Server not responding: AAA decode failure.. server secret mismatch

But when I enter the ASA as an AAA client not belonging to any NDG in ACS, the authentication goes through without any problems, i.e. the ASA is added under the (Not Assigned) NDG. As a comparison, when I do the same thing with the router, i.e. adding the router to the specific NDG, the authentication goes through like a charm.

Eugene
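The "AAA decode failure.. server secret mismatch" in the thread is what a TACACS+ peer reports when it XORs the packet body with a pseudo-pad derived from the wrong shared secret: the cleartext header still parses, but the de-obfuscated body no longer passes basic sanity checks. The following is an added example, not code from the thread, from Cisco, or from ACS. It implements the RFC 8907 body obfuscation (MD5 chain over session_id, key, version, seq_no), builds the Authentication START packet an ASA would send for a `test aaa-server`, and models the ACS 4.2 behaviour Steven describes, where a key set on the network device group overrides the key entered for the individual device. The ASA address 192.168.1.1, the session id, the group key "groupsecret" and the `acs_secret_for` lookup are all constructed for the example; only `cisco123`, the ACS name and the user `cisco` come from the thread.

```python
import hashlib
import struct
from typing import Optional

# Field values from RFC 8907 (TACACS+)
TAC_PLUS_MAJOR_VER = 0xC
TAC_PLUS_MINOR_VER_DEFAULT = 0x0
TAC_PLUS_AUTHEN = 0x01
TAC_PLUS_AUTHEN_LOGIN = 0x01
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01

HEADER_LEN = 12       # version, type, seq_no, flags, session_id(4), length(4)
START_FIXED_LEN = 8   # action, priv_lvl, authen_type, service, user/port/rem_addr/data lengths


def tacacs_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Pseudo-pad from RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_n = MD5(session_id, key, version, seq_no, MD5_n-1), concatenated and truncated."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]


def build_authen_start(session_id: int, key: bytes, user: str, port: str = "ssh",
                       rem_addr: str = "192.168.1.10", seq_no: int = 1) -> bytes:
    """Obfuscated Authentication START packet, as a NAS sends for an ASCII login test."""
    version = (TAC_PLUS_MAJOR_VER << 4) | TAC_PLUS_MINOR_VER_DEFAULT
    u, p, r, d = user.encode(), port.encode(), rem_addr.encode(), b""
    body = struct.pack("!8B", TAC_PLUS_AUTHEN_LOGIN, 1, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       TAC_PLUS_AUTHEN_SVC_LOGIN, len(u), len(p), len(r), len(d)) + u + p + r + d
    header = struct.pack("!BBBBII", version, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    pad = tacacs_pad(session_id, key, version, seq_no, len(body))
    return header + bytes(a ^ b for a, b in zip(body, pad))


def parse_authen_start(packet: bytes, key: bytes) -> Optional[dict]:
    """De-obfuscate with `key` and validate the START body; None means a decode failure,
    which is what shows up on the ASA as 'server secret mismatch'."""
    if len(packet) < HEADER_LEN:
        return None
    version, ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    # The header is never obfuscated, so these checks pass even with the wrong key.
    if ptype != TAC_PLUS_AUTHEN or len(packet) != HEADER_LEN + length or length < START_FIXED_LEN:
        return None
    pad = tacacs_pad(session_id, key, version, seq_no, length)
    body = bytes(a ^ b for a, b in zip(packet[HEADER_LEN:], pad))
    action, priv, atype, svc, ul, pl, rl, dl = struct.unpack("!8B", body[:START_FIXED_LEN])
    # A body XORed with the wrong pad is effectively random and fails these consistency checks.
    if START_FIXED_LEN + ul + pl + rl + dl != length:
        return None
    if action not in (1, 2, 3) or priv > 15 or not 1 <= atype <= 6 or svc > 9:
        return None
    try:
        off = START_FIXED_LEN
        user = body[off:off + ul].decode("ascii"); off += ul
        port = body[off:off + pl].decode("ascii"); off += pl
        rem = body[off:off + rl].decode("ascii")
    except UnicodeDecodeError:
        return None
    if not user.isprintable():
        return None
    return {"user": user, "port": port, "rem_addr": rem, "priv_lvl": priv}


def acs_secret_for(client_ip: str, devices: dict, ndgs: dict) -> bytes:
    """Model (assumption, from the thread) of ACS 4.2 key selection: a key configured on the
    network device group, if any, overrides the key entered on the AAA client itself."""
    dev = devices[client_ip]
    group = ndgs.get(dev.get("ndg"), {})
    return (group.get("key") or dev["key"]).encode()


def demo() -> dict:
    """Reproduce the thread: ASA keyed with cisco123, FIREWALLS NDG with and without its own key."""
    pkt = build_authen_start(0x1A2B3C4D, b"cisco123", "cisco")   # session id is constructed
    devices = {"192.168.1.1": {"name": "LABASA", "ndg": "FIREWALLS", "key": "cisco123"}}
    ndgs_group_key = {"FIREWALLS": {"key": "groupsecret"}}   # constructed mismatching group key
    ndgs_fixed = {"FIREWALLS": {"key": ""}}                  # group key cleared: device key applies
    return {
        "with_group_key": parse_authen_start(pkt, acs_secret_for("192.168.1.1", devices, ndgs_group_key)),
        "without_group_key": parse_authen_start(pkt, acs_secret_for("192.168.1.1", devices, ndgs_fixed)),
    }


if __name__ == "__main__":
    print(demo())
```

Note that nothing in the header tells either side which key was used; the only evidence of a mismatch is a body that fails to parse, which is why the ASA reports a decode failure rather than an explicit key error, and why checking the NDG-level key (or using the same key at both levels) is the right first step.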
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
