aaa authentication enable console issue

josrankin — Mon, 11 Mar 2019 02:45:16 GMT

I have an ASA5505 running 8.2(5). It is configured with

aaa authentication telnet console xxxxxx LOCAL

and I am able to use my username and password to telnet in, but I then have to use the local enable password to get to privilege exec mode.

I tried configuring aaa authentication enable console xxxxxx LOCAL so that when I try to access privilege exec mode,I would be prompted for my password instead of the enable password, but it doesn't work.

I also tried removing the aaa authentication telnet console xxxxxx LOCAL and telenetted in with the local passwd.

I was prompted for a username and password when trying to get to priv exec mode, but again, the credentials did not work.

Could there be something that needs to be changed on the ACS server to make this work?

Thanks.

aaa authentication enable console issue

nspasov — Thu, 08 Nov 2012 05:49:47 GMT

Hello-

What protocol are you using: Radius or TACACS+

Are you pusing any command authorization rules

Can you post a snip-it of your config

Once you authenticate, have you tried to use "login" vs "enable"

Thank you for rating!

aaa authentication enable console issue

josrankin — Thu, 08 Nov 2012 06:49:50 GMT

Using TACACS+

No command authorization rules are being used

When I add the aaa authentication enable console xxxxxxxx LOCAL command,

and use login instead of enable, I get Login failed if I try to use my credentials.

However, if I use login with the locally configured username and password, it lets me in.

Here is the config (without the aaa authentication enable console command):

User Access Verification

Username: xxx/xxxxxxxxxx

Password: ************

Type help or '?' for a list of available commands.

FW> en

Password: ********

FW# sh ru

: Saved

ASA Version 8.2(5)

terminal width 511

hostname xxxxxxxx

enable password *********** encrypted

passwd *********** encrypted

names

interface Ethernet0/0

switchport access vlan xxx

interface Ethernet0/1

switchport access vlan xxx

shutdown

interface Ethernet0/2

switchport access vlan xxx

interface Ethernet0/3

interface Ethernet0/4

interface Ethernet0/5

interface Ethernet0/6

interface Ethernet0/7

interface Vlanxxx

nameif inside

security-level 100

ip address x.x.x.x x.x.x.x

interface Vlanxxx

nameif OUtside

security-level 0

ip address x.x.x.x x.x.x.x

ftp mode passive

same-security-traffic permit intra-interface

object-group protocol TCPUDP

protocol-object udp

protocol-object tcp

object-group protocol DM_INLINE_PROTOCOL_1

protocol-object udp

protocol-object tcp

group-object TCPUDP

object-group protocol DM_INLINE_PROTOCOL_2

protocol-object udp

protocol-object tcp

group-object TCPUDP

object-group protocol DM_INLINE_PROTOCOL_3

protocol-object ip

protocol-object udp

protocol-object tcp

object-group protocol DM_INLINE_PROTOCOL_4

protocol-object ip

protocol-object udp

protocol-object tcp

access-list Outside_access_in extended permit ip any any

access-list inside_access_in extended permit icmp any any

access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 a

ny any inactive

access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 a

ny any

access-list OUtside_access_in extended permit object-group DM_INLINE_PROTOCOL_1

any any inactive

access-list OUtside_access_in extended permit icmp any any

access-list OUtside_access_in extended permit object-group DM_INLINE_PROTOCOL_3

any any

pager lines 24

logging enable

logging asdm informational

logging host inside x.x.x.x

mtu inside 1500

mtu OUtside 1500

icmp unreachable rate-limit 1 burst-size 1

no asdm history enable

arp timeout 14400

access-group inside_access_in in interface inside

access-group OUtside_access_in in interface OUtside

route inside 0.0.0.0 0.0.0.0 x.x.x.x 1

timeout xlate 3:00:00

timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02

timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00

timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00

timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute

timeout tcp-proxy-reassembly 0:01:00

timeout floating-conn 0:00:00

dynamic-access-policy-record DfltAccessPolicy

aaa-server xxxxxxxxx protocol tacacs+

aaa-server xxxxxxxxx (inside) host x.x.x.x

key *****

aaa-server xxxxxxxxx (inside) host x.x.x.x

key *****

aaa-server xxxxxxxxx (inside) host x.x.x.x

key *****

aaa authentication http console ******* LOCAL

aaa authentication ssh console ******* LOCAL

aaa authentication telnet console ******* LOCAL

aaa local authentication attempts max-fail 5

http server enable

http x.x.x.x x.x.x.x inside

snmp-server host inside x.x.x.x community ***** version 2c

snmp-server host OUtside x.x.x.x community ***** version 2c

snmp-server host inside x.x.x.x community ***** version 2c

no snmp-server location

no snmp-server contact

snmp-server community *****

snmp-server enable traps snmp authentication linkup linkdown coldstart

crypto ipsec security-association lifetime seconds 28800

crypto ipsec security-association lifetime kilobytes 4608000

telnet x.x.x.x x.x.x.x inside

telnet timeout 5

ssh timeout 5

console timeout 0

dhcpd auto_config OUtside

threat-detection basic-threat

threat-detection statistics access-list

no threat-detection statistics tcp-intercept

webvpn

username ******* password ************** encrypted privilege 15

class-map inspection_default

match default-inspection-traffic

policy-map type inspect dns preset_dns_map

parameters

message-length maximum client auto

message-length maximum 512

policy-map global_policy

class inspection_default

inspect dns preset_dns_map

inspect ftp

inspect h323 h225

inspect h323 ras

inspect rsh

inspect rtsp

inspect esmtp

inspect sqlnet

inspect skinny

inspect sunrpc

inspect xdmcp

inspect sip

inspect netbios

inspect tftp

inspect ip-options

service-policy global_policy global

prompt hostname context

no call-home reporting anonymous

Cryptochecksum:

: end

FW#

Thanks.

aaa authentication enable console issue

nspasov — Sat, 10 Nov 2012 03:35:08 GMT

OK so since you are able to login with the TACACS credentials that means that you got the authentication peace done properly. Now since you are not able to get to the exec level then that means that the authorization part is not configured properly on either your ASA and/or ACS. A couple more questions:

1. What version of ACS are you using

2. Are you passing privilege level 15 profile from ACS

3. I am not that good with ASAs but I think you need to add some authorization commands to your ASA as well. Try:

aaa authorization command your_server_name/IP

aaa authorization exec authentication-server

topic aaa authentication enable console issue in Network Access Control

aaa authentication enable console issue

aaa authentication enable console issue

aaa authentication enable console issue

aaa authentication enable console issue