Networking-Forums.com

Professional Discussions => Security => Topic started by: deanwebb on March 10, 2015, 08:39:49 AM

Title: TACACS+ Crazy Stuff
Post by: deanwebb on March 10, 2015, 08:39:49 AM
Firewall ASA1: entered code for TACACS+ servers, tested. Test successful. Set up TACACS+ with LOCAL fallback for HTTP and SSH connections, not for console. Logged on with AD account in correct TACACS+ group, firewall in TACACS+ with IP and FQDN, everything works fine.

Firewall ASA2: entered code for TACACS+ servers, tested. Test successful. Set up TACACS+ with LOCAL fallback for HTTP and SSH connections, not for console. Logged on with AD account in correct TACACS+ group, firewall in TACACS+ with IP and FQDN, everything works...

... horribly, horribly wrong. Same code, but the logons fail, both TACACS+ and LOCAL. Console still works, thank {$deity}. Clear code, local accounts now logon via all methods. Re-enter code really really carefully and ONLY turn it on for HTTP and now TACACS+ and LOCAL accounts can log in and not have any enable access, at all. This means HTTP logons fail totally, SSH logons and console sessions get us logged in but unable to execute any commands other than "exit".

Reboot the firewall, and it's back to square one.

What is going on here? I used the same code as on Firewall ASA1, and they're on the same code level. TACACS+ shows successful logons on both firewalls, but ASA1 lets us in and ASA2 denies everyone in every way.
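For reference, the AAA layout the post describes (TACACS+ with LOCAL fallback for SSH and HTTP/ASDM, serial console kept local) looks like this on an ASA. This is an added example, not the poster's configuration: the server group name, addresses, keys and usernames are placeholders, and the server-side group/privilege mapping is assumed to return priv-lvl 15 for the AD group in question. The verification commands at the end are the ones to run from a second session while a console session stays open, since a bad AAA line locks the remote paths immediately.

```cisco
! Example ASA AAA configuration (added illustration, placeholders throughout)
aaa-server TACACS-GRP protocol tacacs+
 max-failed-attempts 3
aaa-server TACACS-GRP (inside) host 192.0.2.10
 key <shared-secret>
 timeout 5
aaa-server TACACS-GRP (inside) host 192.0.2.11
 key <shared-secret>
 timeout 5
!
! Remote management logins: TACACS+ first, LOCAL only when every server in the
! group is unreachable. A reachable server that rejects the user does NOT fall
! back to LOCAL, so a "successful" entry in the TACACS+ log still has to carry
! the right group/privilege attributes for the ASA to accept it.
aaa authentication ssh console TACACS-GRP LOCAL
aaa authentication http console TACACS-GRP LOCAL
!
! Privileged EXEC ("enable") is a separate decision. Without this line a
! TACACS+ user lands in user EXEC and is prompted for the local enable password.
aaa authentication enable console TACACS-GRP LOCAL
!
! Take the privilege level from the TACACS+ reply (priv-lvl attribute) rather
! than from the local username database. If the server returns no priv-lvl,
! the user gets level 1 and can do little beyond "exit".
aaa authorization exec authentication-server
!
! Serial console deliberately stays on the local database, as in the post.
aaa authentication serial console LOCAL
!
! Break-glass local account and enable secret that survive a TACACS+ outage.
username admin password <local-password> privilege 15
enable password <enable-secret>
!
! --- Verification, from an enable-mode session that you do not close ---
! Reachability and a real credential check against one server in the group:
test aaa-server authentication TACACS-GRP host 192.0.2.10 username jdoe password <pw>
! Server state, failed-attempt counters and which server is active:
show aaa-server TACACS-GRP
! What SimonV asked for: watch the exchange while a colleague logs in over SSH.
debug aaa authentication
debug aaa authorization
debug tacacs
```

Two points worth checking before blaming the server: `test aaa-server` only proves the shared secret and reachability, not that the returned attributes grant privilege 15, which is what `debug aaa authorization` shows; and if `aaa authorization command <group> LOCAL` is present on a box, every command (including `enable`) is sent to the server for approval, so a server that authenticates the user but returns no command permissions produces exactly a session that can only run `exit`.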
Title: Re: TACACS+ Crazy Stuff
Post by: SimonV on March 10, 2015, 08:54:29 AM
Have you done any aaa debugging?
Title: Re: TACACS+ Crazy Stuff
Post by: deanwebb on March 10, 2015, 09:14:06 AM
Couldn't, since we were locked out when we tried it the second time. First time through, we weren't ready to do a debug, since we hoped that we could fix it on the second pass...