https://community.cisco.com/t5/network-access-control/asa-system-context-aaa-authentication-enable/m-p/1848492#M193794 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>It seems that you are hitting the following known issue:</P><P></P><P><A class="jive-link-external-small" href="http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsw18455">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsw18455</A></P><P></P><TABLE border="0" cellpadding="5" cellspacing="2" style="width: 100%;"><TBODY><TR><TD colspan="2" style="font-size: 88%; padding: 8px;"><STRONG>admin context enable mode credentials compared to system context DB </STRONG> </TD></TR><TR><TD style="font-size: 88%; padding: 0px 8px 8px;" valign="top"><BR /> <BR /> <STRONG>Symptom:</STRONG><BR /> <BR /> In multi-mode configuration, user credentials for entering privileged mode <BR />(enable mode) via serial console are not sent to external server for <BR />authentication purpose.<BR /> <BR /> <STRONG><STRONG>Conditions</STRONG>:</STRONG><BR /> <BR /> ASA/PIX is in multi-mode. serial console and enable console authentication <BR />are configured to use external aaa server in admin context.<BR /> <BR /> <STRONG>Workaround:</STRONG><BR /> <BR /> Option 1: Configure enable password in system context.<P></P>Option 2: Avoid the use of the serial console interface and rely on telnet <BR />or ssh console access.&nbsp; From ssh or telnet consoles, attempts to enter <BR />enabled mode will be authenticated as specified by the aaa configuration in <BR />the "admin" context.<P></P><P></P><BR /> <STRONG>Further Problem Description:</STRONG><BR /> <BR /> When authentication is enabled for serial console and for enable console in <BR />admin context via an external aaa server(eg: tacacs+ or radius), serial <BR />console authentcation is done against external aaa server, but enable mode <BR />credentials are compared against enable db in system context.</TD></TR></TBODY></TABLE><P></P><P>Hope this clarifies it. Unfortunately there is no fix yet for this behavior.</P><P></P><P>Regards.</P></BODY></HTML> Mon, 16 Jan 2012 22:51:23 GMT camejia 2012-01-16T22:51:23Z https://community.cisco.com/t5/network-access-control/asa-system-context-aaa-authentication-enable/m-p/1848491#M193762 <P>Hello!</P><P></P><P>We have ASA configured in multi context mode, with software 8.4(2) configured for AAA</P><P>Configuration is admin context as follows:</P><P> aaa-server TAC protocol tacacs+</P><P>aaa-server TAC (management) host 10.162.2.201</P><P> key *****</P><P>aaa authentication enable console TAC LOCAL</P><P>aaa authentication http console TAC LOCAL</P><P>aaa authentication serial console TAC LOCAL</P><P>aaa authentication ssh console TAC LOCAL </P><P></P><P>Because of multiple context, after logging in we enter System context. Console port authentication is working fine except access to privileged mode while connecting over console port. </P><P>After issuing "enable" command ASA accepts only configured enable secret in system context and changes user ID to enable_15, so we are unable to do user-level command authorization and accounting.</P><P>It seems that ASA in system context is not aware of any AAA configuration, and there isn't any command to configure AAA in system context.</P><P></P><P>Is there any way to configure enable authentication over AAA in system context?</P><P></P><P>Thanks in advance!</P> Mon, 11 Mar 2019 01:43:11 GMT https://community.cisco.com/t5/network-access-control/asa-system-context-aaa-authentication-enable/m-p/1848491#M193762 g-oliveira 2019-03-11T01:43:11Z https://community.cisco.com/t5/network-access-control/asa-system-context-aaa-authentication-enable/m-p/1848492#M193794 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>It seems that you are hitting the following known issue:</P><P></P><P><A class="jive-link-external-small" href="http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsw18455">http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&amp;bugId=CSCsw18455</A></P><P></P><TABLE border="0" cellpadding="5" cellspacing="2" style="width: 100%;"><TBODY><TR><TD colspan="2" style="font-size: 88%; padding: 8px;"><STRONG>admin context enable mode credentials compared to system context DB </STRONG> </TD></TR><TR><TD style="font-size: 88%; padding: 0px 8px 8px;" valign="top"><BR /> <BR /> <STRONG>Symptom:</STRONG><BR /> <BR /> In multi-mode configuration, user credentials for entering privileged mode <BR />(enable mode) via serial console are not sent to external server for <BR />authentication purpose.<BR /> <BR /> <STRONG><STRONG>Conditions</STRONG>:</STRONG><BR /> <BR /> ASA/PIX is in multi-mode. serial console and enable console authentication <BR />are configured to use external aaa server in admin context.<BR /> <BR /> <STRONG>Workaround:</STRONG><BR /> <BR /> Option 1: Configure enable password in system context.<P></P>Option 2: Avoid the use of the serial console interface and rely on telnet <BR />or ssh console access.&nbsp; From ssh or telnet consoles, attempts to enter <BR />enabled mode will be authenticated as specified by the aaa configuration in <BR />the "admin" context.<P></P><P></P><BR /> <STRONG>Further Problem Description:</STRONG><BR /> <BR /> When authentication is enabled for serial console and for enable console in <BR />admin context via an external aaa server(eg: tacacs+ or radius), serial <BR />console authentcation is done against external aaa server, but enable mode <BR />credentials are compared against enable db in system context.</TD></TR></TBODY></TABLE><P></P><P>Hope this clarifies it. Unfortunately there is no fix yet for this behavior.</P><P></P><P>Regards.</P></BODY></HTML> Mon, 16 Jan 2012 22:51:23 GMT https://community.cisco.com/t5/network-access-control/asa-system-context-aaa-authentication-enable/m-p/1848492#M193794 camejia 2012-01-16T22:51:23Z https://community.cisco.com/t5/network-access-control/asa-system-context-aaa-authentication-enable/m-p/1848493#M193853 <HTML><HEAD></HEAD><BODY><P>Hi</P><P></P><P>Thanks for the info.</P><P></P><P>I have used the refred workarround <SPAN __jive_emoticon_name="happy" __jive_macro_name="emoticon" class="jive_macro jive_emote" src="https://community.cisco.com/4.5.4/images/emoticons/happy.gif"></SPAN></P><P></P><P>Thanks for the info </P></BODY></HTML> Tue, 17 Jan 2012 10:14:40 GMT https://community.cisco.com/t5/network-access-control/asa-system-context-aaa-authentication-enable/m-p/1848493#M193853 g-oliveira 2012-01-17T10:14:40Z https://community.cisco.com/t5/network-access-control/asa-system-context-aaa-authentication-enable/m-p/1848494#M193879 <HTML><HEAD></HEAD><BODY><P>Hello,</P><P></P><P>I am glad that the workaround worked for you. If you feel that the accurate answer was provided please mark the thread as answered for future reference for our Community members.</P><P></P><P>Regards.</P></BODY></HTML> Tue, 17 Jan 2012 15:02:56 GMT https://community.cisco.com/t5/network-access-control/asa-system-context-aaa-authentication-enable/m-p/1848494#M193879 camejia 2012-01-17T15:02:56Z https://community.cisco.com/t5/network-access-control/asa-system-context-aaa-authentication-enable/m-p/4296872#M565679 <P>That link above is currently returning:</P><P>&nbsp;</P><H1>503 Service Unavailable</H1><P><SPAN>No server is available to handle this request.</SPAN></P><P>&nbsp;</P><P><SPAN>Updated URL: <A href="https://bst.cloudapps.cisco.com/bugsearch/bug/CSCsw18455" target="_blank" rel="noopener">https://bst.cloudapps.cisco.com/bugsearch/bug/CSCsw18455</A></SPAN></P><P>&nbsp;</P><P>Wow it has been almost 10 years, and this hasn't been addressed and:</P><P><FONT color="#FF6600">&nbsp; &nbsp;"No release planned to fix this bug"</FONT></P> Wed, 24 Feb 2021 12:43:34 GMT https://community.cisco.com/t5/network-access-control/asa-system-context-aaa-authentication-enable/m-p/4296872#M565679 BrianSekleckiGE 2021-02-24T12:43:34Z