General
Found on ASA BETA 9.20(0)28
Symptom
The client IP address is not included in the TACACS+ authentication request message.
This may cause authentication failures depending on the TACACS+ server configuration.
Conditions
- SSH is configured to use the ciscossh stack [ssh stack ciscossh]
- SSH connections are authenticated to a TACACS+ server [aaa-server serverName protocol tacacs+ and aaa authentication ssh serverName]
Workaround
no ssh stack ciscossh
Further Problem Description
Note that this issue can be detected for any authentication server type by monitoring syslog. Example:
%ASA-6-611101: User authentication succeeded: IP address: 0.0.0.0, Uname: testuser
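One way to run the syslog check described above over collected logs, as an added example that is not part of the original bug report. It assumes the 611101 message has the format shown in the example line; the sample log lines, hostname, timestamps and addresses are constructed.

```python
import re
from collections import Counter

# Matches the 611101 message shown on the page wherever it sits in the line,
# since the syslog header (timestamp, hostname) varies by collector.
AUTH_OK = re.compile(
    r"%ASA-6-611101: User authentication succeeded: "
    r"IP address: (?P<ip>[^,\s]+), Uname: (?P<user>\S+)"
)

def find_missing_client_ip(lines):
    """Return (line_no, user) for each 611101 event logged with IP 0.0.0.0."""
    hits = []
    for line_no, line in enumerate(lines, start=1):
        m = AUTH_OK.search(line)
        if m and m.group("ip") == "0.0.0.0":
            hits.append((line_no, m.group("user")))
    return hits

def summarize(lines):
    """Return (total 611101 events, Counter of affected logins per user)."""
    total = sum(1 for line in lines if AUTH_OK.search(line))
    per_user = Counter(user for _, user in find_missing_client_ip(lines))
    return total, per_user

# Constructed sample input: header fields and addresses are made up.
SAMPLE = [
    "Mar 03 10:15:01 asa-lab %ASA-6-611101: User authentication succeeded: "
    "IP address: 192.0.2.10, Uname: admin",
    "Mar 03 10:16:40 asa-lab %ASA-6-611101: User authentication succeeded: "
    "IP address: 0.0.0.0, Uname: testuser",
    "Mar 03 10:17:02 asa-lab unrelated constructed line, not an auth event",
    "Mar 03 10:19:55 asa-lab %ASA-6-611101: User authentication succeeded: "
    "IP address: 0.0.0.0, Uname: testuser",
]

if __name__ == "__main__":
    total, per_user = summarize(SAMPLE)
    for line_no, user in find_missing_client_ip(SAMPLE):
        print(f"line {line_no}: login for {user!r} logged without client IP")
    print(f"{sum(per_user.values())} of {total} successful logins affected")
```

A non-zero count on a device with the conditions above indicates the ciscossh stack is not passing the client address to AAA.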