Unfortunately the ASA doesn't show a good explanation in the error message. It's required to create an RSA key on the ASA, either via console or command line in the ASDM, executing the command crypto key generate rsa
, for example with highest possible modulus size:
crypto key generate rsa modulus 2048
in global configuration mode. The default modulus would be 1024.
With the ASDM it can also be done in the configuration menu, device management, identity certificates, add, new:
Since the other requirements were already met, the connection should be successful.
Since I cannot add images to comments to the question above, here a screenshot about mass bumping comment spam starting with one to this question and answer. That's a screenshot of moderator activity, no action by me.
It looks like, "No". There's nothing specific in TACACS+ to transport a certificate exchange, however an ASCII data payload could suffice. (the RFC is a decade old) The real question is if ACS has any method to handle it? And that also appears to be "no". The only mention I can find to PKI or certificate based authentication is for EAP-TLS, which is not what you want.
Update
I found a single reference in IOS-XR documents:
Note The preferred method of authentication would be as stated in the SSH RFC. The RSA based authentication support is only for local authentication, and not for TACACS/RADIUS servers.
Best Answer
If you have a valid configuration backup you can boot sonicwall in safe mode and change admin password, which is not stored in exported backup file. You have to phisically access the appliace, however... See https://support.software.dell.com/kb/sw8010 So: -find configuration backup -start safe mode in your sonicwall as per kb article -change password -reboot appliance in normal mode -restore configuration