topic Authentication ASA/PIX Telnet/SSH access using ACS in Network Access Control

Authentication ASA/PIX Telnet/SSH access using ACS

alecchris — Mon, 11 Mar 2019 01:11:36 GMT

I am trying to get our ACS to authenticate login sessions to our PIX and ASA devices. Can anyone provide a sample configuration that will push all access to these devices to the ACS for TACACS? THE ACS has been configured and is ready for authentication based on username credentials; it is just the configuration on the firewall I am having problems with.

Thanks in advance for any help :- )

Authentication ASA/PIX Telnet/SSH access using ACS

roshan.maskey — Thu, 30 Jun 2011 06:14:15 GMT

Assuming following

ACS-SERVER-IP=172.16.10.25

ACS-SERVER-NAME: TLS-ACS5

ACS-ASA shared secret: mysecret

user-in-acs: myfirewall

password: myasa

Run this command in ASA

aaa-server TLS-ACS5 protocol tacacs+

aaa-server TLS-ACS5 (inside) host 172.16.10.25

key mysecret

aaa authentication ssh console TLS-ACS5 LOCAL

aaa authentication telnet console TLS-ACS5 LOCAL

Test Authentication

test aaa authentication TLS-ACS5 host 172.16.10.25 username myfirewall password myasa

Test result should come OK

Authentication ASA/PIX Telnet/SSH access using ACS

alecchris — Tue, 19 Jul 2011 14:59:36 GMT

Hi thanks for that.

I have tested this on a PIX and everything worked!

Re: Authentication ASA/PIX Telnet/SSH access using ACS

alecchris — Tue, 02 Aug 2011 16:14:15 GMT

Hi Roshan,

Can you advise how I might go about authenticating access to exec-privialge on the FW against the ACS? I cannot find any any configuration examples.

Authentication ASA/PIX Telnet/SSH access using ACS

alecchris — Wed, 03 Aug 2011 10:15:08 GMT

Hi,

After having another look at this this morning the command "aaa authentication enable console TLS-ACS5 LOCAL" can be used to authenticate the users exec-priv password against TACACS+.

🙂

Authentication ASA/PIX Telnet/SSH access using ACS

alecchris — Mon, 08 Aug 2011 12:13:33 GMT

On testing the above even further, I seem to have an issue...

With the following configuration loaded...

aaa-server TLS-ACS5 protocol tacacs+

aaa-server TLS-ACS5 (inside) host 10.0.20.200

key passme123

aaa authentication ssh console TLS-ACS5 LOCAL

aaa authentication telnet console TLS-ACS5 LOCAL

aaa authentication ssh console TLS-ACS5 LOCAL

aaa authentication telnet console TLS-ACS5 LOCAL

aaa authentication enable console TLS-ACS5 LOCAL

With the PIX in communication with the ACS the above works well, with me successfully logging in with credentials added to the ACS.

On testing this further I have taken the link down between the PIX and the ACS (to recreate a failure scenario). I can still login using the internal (LOCAL) username & password. This seems to work fine, however if I try to access the exec-privilege mode (i.e. enable) the PIX does not except the enable password added to the configuration moreover it prefers the same password used for creating the initial user.

username admin-user password adminpass123 encrypted

enable password enablepass123 encrypted

For example; with the above lines in the running configuration of the PIX , I can login into PIX using admin-user and enter the password adminpass123. However, if I try and then go onto access exec-privilege mode (i.e. enable) the PIX does not except the password "enablepass123" put does except "adminpass123"... this is even with "aaa authentication enable console TLS-ACS5 LOCAL" added to the running configuration.

Has anyone else seen this issue on a PIX/FW. Am I missing something from my configuration? Does anyone know of a workaround to this issue or is it just something I have to live with?