
Radius authentication still working after being disabled on Cisco ASA

glezJos91986
Level 1

We recently moved from RADIUS (Windows NPS server) to TACACS (Cisco ISE) for our Cisco ASAs' authentication. We removed all RADIUS-related config from the ASA, and right now we only have TACACS configured, as shown below.

For some reason we are still able to access the firewalls using the RADIUS credentials!!!!!!!! I don't know how that is working. I ran debug aaa authentication and debug radius, accessed the firewalls using RADIUS credentials, and did not get any logs at all. I did the same thing using TACACS credentials, and I was able to see the logs from the debug command. I don't understand if there is some kind of bug or if I am missing something obvious here. Any advice? Thank you in advance!!

aaa-server isetacacs protocol tacacs+
aaa-server isetacacs (mgmt) host 192.168.1.1
aaa-server isetacacs (mgmt) host 192.168.1.2
aaa authentication serial console LOCAL
aaa authentication ssh console isetacacs LOCAL
aaa authentication http console isetacacs LOCAL
aaa authorization exec authentication-server auto-enable
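
An added example, not part of the original post: a small Python audit that parses the `aaa-server` and `aaa authentication` lines of a saved running-config and reports any RADIUS server group that is still defined or still referenced by a console method. The function name `audit_aaa` and the `OLDNPS` group with its 192.0.2.10 address are constructed for illustration; `POSTED_CONFIG` is the configuration shown above.

```python
import re

# Configuration lines as posted above.
POSTED_CONFIG = """\
aaa-server isetacacs protocol tacacs+
aaa-server isetacacs (mgmt) host 192.168.1.1
aaa-server isetacacs (mgmt) host 192.168.1.2
aaa authentication serial console LOCAL
aaa authentication ssh console isetacacs LOCAL
aaa authentication http console isetacacs LOCAL
aaa authorization exec authentication-server auto-enable
"""
# Constructed leftover (hypothetical group name, documentation address).
LEFTOVER = """\
aaa-server OLDNPS protocol radius
aaa-server OLDNPS (mgmt) host 192.0.2.10
aaa authentication telnet console OLDNPS LOCAL
"""

GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)")
AUTH_RE = re.compile(r"^aaa authentication (\S+) console (.+)$")


def audit_aaa(config_text):
    """Return (groups, methods, findings) for the AAA lines in a running-config."""
    groups = {}   # group name -> {"protocol": str or None, "hosts": [ip, ...]}
    methods = {}  # access method (ssh, http, ...) -> ordered auth sources
    for line in (raw.strip() for raw in config_text.splitlines()):
        if m := GROUP_RE.match(line):
            groups.setdefault(m[1], {"protocol": None, "hosts": []})["protocol"] = m[2]
        elif m := HOST_RE.match(line):
            groups.setdefault(m[1], {"protocol": None, "hosts": []})["hosts"].append(m[3])
        elif m := AUTH_RE.match(line):
            methods[m[1]] = m[2].split()
    findings = []
    for name, group in groups.items():
        if group["protocol"] == "radius":
            findings.append(f"RADIUS group still defined: {name} {group['hosts']}")
    for method, sources in methods.items():
        for src in (s for s in sources if s != "LOCAL"):
            if src not in groups:
                findings.append(f"{method} references undefined group {src}")
            elif groups[src]["protocol"] == "radius":
                findings.append(f"{method} still authenticates against RADIUS group {src}")
    return groups, methods, findings

if __name__ == "__main__":
    print(audit_aaa(POSTED_CONFIG + LEFTOVER)[2])
```

For the posted configuration the findings list is empty and the method map shows SSH and HTTP pointing only at the `isetacacs` group and LOCAL.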

2 Replies 2

joseponceiii
Level 1

Hi,

Were you also able to see these in the ISE live logs when you log in? What can you see?

I mean, are the TACACS credentials also working?

 

TACACS credentials are also working; I am able to see the TACACS logs in both the ASA (debug aaa authentication) and ISE.

Not able to see RADIUS logs anywhere, even though it is working!!!

(The RADIUS server is running on a domain controller as an NPS, not ISE)