That's correct, but I think it should be looking for my username in the
local database instead of the enable_1 username. Here are my aaa configs:

aaa-server AUTH-SERVERS protocol tacacs+
 accounting-mode simultaneous
aaa-server AUTH-SERVERS (management) host x.x.x.x
 key *****
aaa-server AUTH-SERVERS (management) host y.y.y.y
 key *****
aaa authentication http console AUTH-SERVERS LOCAL
aaa authentication ssh console AUTH-SERVERS LOCAL
aaa authentication telnet console AUTH-SERVERS LOCAL
aaa authentication enable console AUTH-SERVERS LOCAL

I cannot add the standby IPs immediately to test; I have no access to the
tacacs servers.

Fabian

On Thu, Aug 12, 2010 at 12:02 PM, Ryan West <rwest_at_zyedge.com> wrote:
>
> *From:* Fabian Pucciarelli [mailto:fabiangp_at_gmail.com]
> *Sent:* Thursday, August 12, 2010 1:55 PM
> *To:* Ryan West; Cisco certification
> *Subject:* Re: ASA 5520 failover exec mate command
>
> Thanks for the quick reply. I'll give it a try, so you think the standby
> unit is sourcing the tacacs request from the internal ip? I still don't
> understand why it looks for enable_1 in the local database.
>
> Fabian
>
> I didn't have a reference to the ACS setup, like how it's configured or
> where its located. Since the configs are replicated and assuming you have
> standbys enabled, it seems to be failing authentication and trying to fall
> back to local. Do you have a similar AAA command on your ASA?
>
> aaa authentication enable console <tacacs_group> LOCAL
>
> Can you try adding the standby address of your ASA to the TACACS server and
> posting your relevant AAA configs?
>
> -ryan
>

--
Regards,
Fabian Pucciarelli

Blogs and organic groups at http://www.ccie.net

Received on Thu Aug 12 2010 - 12:23:32 ART