topic Re: AAA problem in ASA in Network Access Control

AAA problem in ASA

piyush_singh — Sun, 10 Mar 2019 23:08:10 GMT

Hi All,

I had configured tacacs on ASA but the problem is when i m trying to telnet it it authenticates me with my username & password on ACS but i cant move onto privilege level 15 as configured on ACS. Its asking me for enable password n not taking the password that is on ACS. I have used Shell Authorization for privilege 15. The configuration done on ASA is:

name 172.30.xx.xx ACS-1

name 172.30.yy.yy ACS-2

aaa-server tacacs+ protocol tacacs+

aaa-server tacacs+ host ACS-1

key cisco

aaa-server tacacs+ host ACS-2

key cisco

aaa authentication telnet console tacacs+ LOCAL

aaa authentication telnet console tacacs+ tacacs+

aaa authentication ssh console tacacs+ LOCAL

aaa authentication enable console tacacs+ LOCAL

enable password V3VzjwYzTRfTLwOb encrypted

username piyush password vkCzRtKCaNG.HI6s encrypted privilege 15

username ideanoc password S0qrUlXOHFcX7LCw encrypted privilege 15

Even added my username & password in local database on ASA as on ACS. Still no progress....

Can any one give his suggestion on the same.

Regards,

Piyush

Re: AAA problem in ASA

Jagdeep Gambhir — Tue, 14 Oct 2008 18:09:39 GMT

Piyush,

ASA do not support exec authorization so you will not fall directly in enable mode the way we do on routers/switches.

http://www.ciscotaccc.com/security/showcase?case=K25224726

But it should let you in using enable password. In acs user set up make sure you have enable password defined and you are using that password.

user set up Edit --->TACACS+ Enable Password and choose option as per your need.

Regards,

~JG

Do rate helpful posts

Re: AAA problem in ASA

piyush_singh — Tue, 14 Oct 2008 19:32:13 GMT

tried doing the same but that also doesnt helps.

Do i need to give:

aaa accounting command privilege 15 tacacs+

to make it privelege 15

Re: AAA problem in ASA

Jagdeep Gambhir — Tue, 14 Oct 2008 19:55:55 GMT

No that command is for accounting.

Make sure you have Max Privilege for any AAA Client is set to 15 in acs group setup.

Do we get any error in failed attempts

Regards,

~JG

Do rate helpful posts

Re: AAA problem in ASA

piyush_singh — Tue, 14 Oct 2008 20:22:23 GMT

ya all that is done level 15 is set in Shell (exec) in group setup & also in Shell Command Authorization Set provided full access...

N i cant find any logs in failed attempts, but can see authentication passed in passed authentication logs..

The link which you had posted is for IOS ver 7.x but i m using 8.0(3)

Regards,

Piyush

Re: AAA problem in ASA

piyush_singh — Tue, 14 Oct 2008 20:25:08 GMT

what i m getting on telnet is:

User Access Verification

Username: piyush

Password: **********

Type help or '?' for a list of available commands.

ICL-PUN-PRIDC1-MPLS-5550ASA1> en

Password: **********

Access denied.

ICL-PUN-PRIDC1-MPLS-5550ASA1>

this might give you some idea.

Re: AAA problem in ASA

Jagdeep Gambhir — Tue, 14 Oct 2008 20:31:58 GMT

I'm not asking for shell priv level 15 but enable privilege. That should be set to 15 in acs--->user set up ----> enable options---> Max Privilege for any AAA Client-->15

Re: AAA problem in ASA

piyush_singh — Tue, 14 Oct 2008 20:46:11 GMT

oh got that.... n that worked man... thanks a lot.