topic Re: aaa authentication enable console (server_name) password iss in Network Access Control

aaa authentication enable console (server_name) password issue

stancred — Sun, 10 Mar 2019 22:54:46 GMT

Here is the problem I am experiencing and I hope someone out there is able to help;

I have a ASA5510 (running software Version 8.0(3)). I have enabled remote authentication to our company's TACAC server (which is running TACAC open source supplied by Cisco).

The problem is as follows;

I can telnet to the appliance remote and using my username and password (configured on the TACAC server) I am authenticated. But after entering enable - I am prompted with the password prompt. But I can not get pass this prompt. I have tried the same password as I previous enter at the telnet prompt and failed, the local enable password fails as well. Any suggestion.

aaa-server (server_name) protocol tacacs+

aaa-server (server_name) (interlinkport) host (Address)

key (password)

aaa authentication enable console (server_name) LOCAL

aaa authentication http console (server_name) LOCAL

aaa authentication serial console (server_name) LOCAL

aaa authentication ssh console (server_name) LOCAL

aaa authentication telnet console (server_name) LOCAL

aaa accounting command privilege 15 (server_name)

aaa authorization exec authentication-server

Re: aaa authentication enable console (server_name) password iss

Farrukh Haroon — Tue, 17 Jun 2008 09:33:06 GMT

telnet password = passwd command

enable password = enable command

Try one thing, either remove

aaa authentication enable console (server_name) LOCAL

or change it to:

aaa authentication enable console LOCAL

Then try putting the 'local' enable password at the password prompt.

Regards

Farrukh

Re: aaa authentication enable console (server_name) password iss

stancred — Tue, 17 Jun 2008 10:20:13 GMT

Farrukh - Sorry I should have mention this earlier that I had excuted your recommendation and it does work. But I don't want our engineering team having to referr to paper work for the enbale password.

That is why I want want the enable password to be authenticated by the TACAC.

I believe that the problem is with the parameter on the TACAC server. But I do not know all the syntexts that need to be entered.

I beleive that there must be an additional parameter for the enable privilege.

Re: aaa authentication enable console (server_name) password iss

Farrukh Haroon — Tue, 17 Jun 2008 10:43:12 GMT

Yes I just wanted to double check and rule out every thing else. Which AAA server are you using?

Regards

Farrukh

Re: aaa authentication enable console (server_name) password iss

stancred — Tue, 17 Jun 2008 11:19:53 GMT

My management team informs me that it is open source TACAC supplied by Cisco. I am not sure want version and I am unable to findf out until tomorrow as it is 10:30pm local time.

Wha other info would you like?

Re: aaa authentication enable console (server_name) password iss

Farrukh Haroon — Tue, 17 Jun 2008 11:26:26 GMT

I'm assuming they are talking about 'free tacacs', a sample configuration file can be found at the end of this link:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800946a3.shtml

Regards

Farrukh

Re: aaa authentication enable console (server_name) password iss

stancred — Tue, 17 Jun 2008 11:38:44 GMT

I will try this tomorrow . Just so you know the same username and password work on cisco routers. I have no trouble in telneting and accessing the enable mode.

aaa authentication login default group tacacs+ local

aaa authorization exec default group tacacs+ local

aaa authorization commands 1 default group tacacs+ local

aaa authorization commands 15 default group tacacs+ local

aaa accounting exec default start-stop group tacacs+

aaa accounting commands 1 default start-stop group tacacs+

aaa accounting commands 15 default start-stop group tacacs+

aaa accounting system default start-stop group tacacs+

Re: aaa authentication enable console (server_name) password iss

Farrukh Haroon — Tue, 17 Jun 2008 12:07:36 GMT

You arent authenticating the enable password via AAA.

That would require a:

aaa authentication enable ....

Regards

Farrukh

Re: aaa authentication enable console (server_name) password iss

michael.leblanc — Tue, 17 Jun 2008 18:35:48 GMT

With respect to your comments:

"I believe that the problem is with the parameter on the TACAC server. But I do not know all the syntexts that need to be entered.

I beleive that there must be an additional parameter for the enable privilege."

... I understand you are NOT using Cisco Secure ACS, however, the following requirement may exist in your scenario as well:

When configuring enable authentication on a CSACS, you would need to specify "Max Privilege" (i.e.: Level 15) in the "TACACS+ Enable Control" section of "Advanced TACACS+ Settings" for the User's account.

When the AAA Client sends an authentication request to the TACACS server, the "Privilege Level" AV pair is specified. I would expect this criteria to be compared to the user's configuration (i.e.: Max Privilege).

Re: aaa authentication enable console (server_name) password iss

kyliem — Tue, 17 Jun 2008 23:20:32 GMT

Farrukh, that is correct we are (stancred and I) using the 'free tacacs' as you suggested.

Group Definitions:

group = engineer {

default service = permit

service = exec {

# logout after n mins idle

idletime = 15

# grant access level 15

priv-lvl=15

}

And User definitions:

user = {

member = engineer

}

Re: aaa authentication enable console (server_name) password iss

Farrukh Haroon — Wed, 18 Jun 2008 00:43:16 GMT

Do you have this at the top of your file, as per the cisco.com link I sent earlier?

# Enable password setup for everyone:

user = $enable$ {

}

Please note there is slight difference between the PIX and IOS routers, the privilege level feature was never properly implemented in PIX firewalls. So you might need to setup an enable password as above.

Regards

Farrukh

Re: aaa authentication enable console (server_name) password iss

cisco24x7 — Wed, 18 Jun 2008 00:54:03 GMT

I think I can help you here since I've been using Cisco

Freeware TACACS+ for almost 7 years now. I am not

an expert, just enough to be dangerous.

Since the code is open-source, each company uses

differently; however, there is one thing that will

always true. That would be the the enable.c file,

which is a C program. You would need to modify

this file so that EVERYONE can have his/her own

enable password, just like Cisco ACS running on

Windows platforms.

the configuration file would look something like this:

accounting file = /var/log/tac_plus.log

key = zFgGkIooIsZ.Q

user = cciesec {

member = admin

name = "ccie security"

}

user = $cciesec$ {

member = admin

name = "ccie security"

}

group = admin {

default service = permit

}

On the Pix:

aaa-server NEO protocol tacacs+

aaa-server NEO (outside) host 192.168.15.10

timeout 5

key cciesec

aaa authentication ssh console NEO LOCAL

aaa authentication enable console NEO LOCAL

Here is the login sequence:

[root@dca2-LinuxES root]# ssh -l cciesec 192.168.0.25

The authenticity of host '192.168.0.25 (192.168.0.25)' can't be established.

RSA key fingerprint is c2:48:15:85:92:7f:56:15:a8:0f:80:d9:88:50:fd:1c.

Are you sure you want to continue connecting (yes/no)? yes

Warning: Permanently added '192.168.0.25' (RSA) to the list of known hosts.

cciesec@192.168.0.25's password:

Type help or '?' for a list of available commands.

CiscoPix> en

Password: ********

CiscoPix#

In other words, my initial password is "cciesec" and my enable password

is "cciesec1". Another user "tom" will have his own login and enable

password.

Simple enough?

Re: aaa authentication enable console (server_name) password iss

kyliem — Wed, 18 Jun 2008 03:22:50 GMT

Hi cisco24x7

Looking at the enable.c file as suggested, I can see the section for $enable$ or $enab15$ - I assume this is where you are referencing when you mention that we would need to add each user (ie to be tested within the code).

Stupid question - I assume that I would need to have to compile this code once modifications have been made? And as such this is not able to be dynamically updated?

Our environment will not allow for a 'default' enable password across all devices. At most we could specify a default per 'group' of devices (ie per Customer).

Farrukh - As suggested the below config works - however as per my above post it is not acceptable to have a default enable password across all devices (or all pix's)

# Enable password setup for everyone:

user = $enable$ {

}

Thanks

Kylie

Re: aaa authentication enable console (server_name) password iss

Farrukh Haroon — Wed, 18 Jun 2008 07:10:01 GMT

Then you need to go with the solution present by Cisco24X7. You mind find compiling help at the link I posted earlier.

Regards

Farrukh

Re: aaa authentication enable console (server_name) password iss

cisco24x7 — Wed, 18 Jun 2008 10:02:26 GMT

My solution allows everyone to have both his/her own unique

exec and enable password. NO PASSWORD SHARING, just like

Cisco ACS. With Freeware TACACS+, you have ACL in the

configuration to block certain users from accessing certain

devices. In other words, you can do just about whatever

you want.

Last but not least, everytime you make change in the

configuration, you have to restart the tac_plus. That's really

easy. I have multiple tacacs servers and I only make changes

to the master tacacs server configuration files. Since mine

is running on Linux, I can do "service tac_plus restart" or

set a cron job to run every 4 hours to restart the tac_plus

service. The restart takes about 2 seconds. Furthermore,

I also setup another cron to copy the master file over

to other tacacs servers as well, via Secure Copy, very

secure. That way I can achieve redudancies in case my primary

tacacs server goes down, which is very unlikely (This is

NOT a windows environment). The best thing is that

all of this is FREE.

One more thing, you can compile the code to use

One-time Password In Everything (OPIE) as well. Think of

it like two-factor authentication. In this day and age,

sharing enable password is a security violation, IMHO

Re: aaa authentication enable console (server_name) password iss

stancred — Wed, 25 Jun 2008 08:50:16 GMT

problem has been rectified and it was the setting in our TACAC server

Re: aaa authentication enable console (server_name) password iss

Farrukh Haroon — Wed, 25 Jun 2008 12:37:32 GMT

Ok its great to know you have it working now.

Regards

Farrukh

Re: aaa authentication enable console (server_name) password iss

trasheuro — Sun, 10 Aug 2008 03:27:33 GMT

Hi,

I also have the same issues as you've described. Ie - When logging into a pix I can authenticate against tac_plus during first level ssh or telnet authentication, but it wont authenticate with the same users password when attempting to enter enable mode. Michael mentioned above that ACS uses the Max Privilege attributes to achieve what we want, so I'm assuming that some related configuration is required in tac_plus.

It would be great if you can share the tacacs server config setting you used to get it working.

Thanks,

Matt

Re: aaa authentication enable console (server_name) password iss

Farrukh Haroon — Sun, 10 Aug 2008 04:29:05 GMT

You don't need to set the "Max Privilege for any AAA Client." but actually need to set the "Privilege Level" = 15. If you want you can set both to 15. The first option kicks in when you use 'aaa authentication enable....' and the second one when you use ''aaa authorization exec....'.

Regards

Farrukh

Re: aaa authentication enable console (server_name) password iss

trasheuro — Sun, 10 Aug 2008 10:39:45 GMT

Thanks Farrukh,

I'm familiar with those settings in ACS, however as the company I now work for uses the freeware tac_plus I need to know the correspondong commands in tac_plus. Steve Tancred (stancred) mentioned above that he now has a solution, so I would be interested in his tac_plus config if available. Specifically I'm after the enable related commands.

Regards,

Matt