topic ACS - ASA Authorization and Accounting in Network Access Control

ACS - ASA Authorization and Accounting

eng.malak — Mon, 11 Mar 2019 02:14:16 GMT

I have some questions regarding authorization and accounting on ASA via ACS server

when I enable the command "aaa authorization command " to control SSH users commands I get locked out on console then i have to configure the console , telnet , and enable to be authenticated via tacacs too , is there any way to authorize SSH via tacacs while keeping Console and telnet authenticated locally or even no authentication ?
i issued accounting command "aaa accounting command TAC" on ASA but i noticed that the ACS just logs commands in configuration mod "privilege 15 " not any show command or privilege 1 , is there any way to fix this ?
does RADIUS support SHELL authorization ?

thanks for your support

ACS - ASA Authorization and Accounting

Amjad Abdullah — Tue, 26 Jun 2012 06:36:31 GMT

Hi,

1-)

You allow your username (or your group) full access in authorization in ACS server. Then you can fully configure your device. After finishing the device you can restrict access back to same user or group.

Do not use the comand "aaa authorization console".

Make sure that the configuration under the "line console 0" is no configured for AAA.

2-)

make sure to configure all levels for accounting.

aaa cccounting comands 0 start-stop group

aaa cccounting comands 1 start-stop group

aaa cccounting comands 15 start-stop group

I think so far you only applied level 15.

3-)

RADIUS does not support shell authorization. This is only supported via TACACS+.

HTH

Amjad

ACS - ASA Authorization and Accounting

eng.malak — Tue, 26 Jun 2012 06:44:56 GMT

Thanks Amjad for your reply

regarding point 1&2 i meant the authorization and accounting on the ASA not the IOS , thanks for point 3

ACS - ASA Authorization and Accounting

Amjad Abdullah — Tue, 26 Jun 2012 06:54:46 GMT

Yup I understand it is on ASA. I never worked with ASA but I think they are almost the same from command line and you can access console and vty lines, no?

ACS - ASA Authorization and Accounting

eng.malak — Tue, 26 Jun 2012 06:59:16 GMT

Unfortunately no , authorization is totally diffrent on ASA .

Re: ACS - ASA Authorization and Accounting

Amjad Abdullah — Tue, 26 Jun 2012 07:17:32 GMT

Sorry for that.

Looking for the config guides I found that you may locally in ASA apply authorization levels to the users authenticating via local DB or via radius!

Here is the link. I hope you find it useful: http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/mgaccess.html#wp1072168

Provide necessary level to the user you are logging with so that enablign authorization still authorize you with the commands you need.

HTH

Amjad

Re: ACS - ASA Authorization and Accounting

Jatin Katyal — Tue, 26 Jun 2012 12:07:53 GMT

1.] Unfortunately, there currently isn't any way to exclude command authorization from the serial/ console or ssh users while having it apply to other access methods in case of ASA. Once you issue this command, it would be applicable for ALL methods like ssh,telnet,enable,http and console. This can be easily achieved in IOS (routers and switches) by creating a method list.

2.] When you configure the aaa accounting command command, each command other than show commands entered by an administrator is recorded and sent to the accounting server or servers. This is a default behaviour on ASA. IOS does send/record all show commands on ACS/Tacacs.

http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/a1.html

Regards,

Jatin

Do rate helpful posts-

ACS - ASA Authorization and Accounting

Omdatta pawar — Mon, 30 Jul 2012 06:28:33 GMT

When you login on the device using console , the console user is "enable_15", if your console is lock due to authorization. Create user "enable_15" on ACS server with level 15 access. Also create a eanable_15 as local user too. This is way u will be able to access the device through console, no matter ACS is availabel or not.

ACS - ASA Authorization and Accounting

eng.malak — Wed, 10 Oct 2012 11:07:45 GMT

i configure the ASA as below but still ACS doesn't log for priv.1 commands m any idea ?

aaa authentication telnet console TAC

aaa authentication serial console TAC

aaa authentication enable console TAC

aaa authorization command TAC

aaa accounting telnet console TAC

aaa accounting command TAC

aaa accounting enable console TAC

aaa authorization exec authentication-server

ACS - ASA Authorization and Accounting

Omdatta pawar — Wed, 10 Oct 2012 11:31:16 GMT

create user on ASA with level 15 access, by default ASA create user with level 7 access.

And apply a below command on ASA

aaa-server TAC protocol tacacs+

aaa-server TAC (outside) host

aaa authentication ssh console TAC LOCAL

aaa authentication enable console TAC LOCAL

aaa authentication http console TAC LOCAL

aaa authorization command TAC LOCAL

aaa accounting ssh console TAC

aaa accounting enable console TAC

aaa accounting command TAC

ACS - ASA Authorization and Accounting

eng.malak — Wed, 10 Oct 2012 11:42:10 GMT

i'm sure that i'm useing priv.15 user as below

ASA1# sh curpriv

Username : fwuser1

Current privilege level : 15

Current Mode/s : P_PRIV

ASA1#

but unfortunately still not working

ACS - ASA Authorization and Accounting

Omdatta pawar — Wed, 10 Oct 2012 11:53:25 GMT

user "fwuser1" is tacacs or local user?

Check is tacacs rechable?

hey eng.malak,

Kn1ghtR1d3rOfD00m — Sun, 02 Apr 2017 00:07:12 GMT

hey eng.malak,

were the steps above by creating a locallly user on the asa solved the problem? I have the same problem. havent tried yet, but I will do it on Monday.