<?xml version="1.0" encoding="UTF-8"?>
<rss xmlns:content="http://purl.org/rss/1.0/modules/content/" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:taxo="http://purl.org/rss/1.0/modules/taxonomy/" version="2.0">
  <channel>
    <title>topic ASA 5512 Privilege levels and TACACS+ in Network Access Control</title>
    <link>https://community.cisco.com/t5/network-access-control/asa-5512-privilege-levels-and-tacacs/m-p/2681439#M55586</link>
    <description>ASA 5512 Privilege levels and TACACS+</description>
    <pubDate>Wed, 13 Mar 2019 00:45:26 GMT</pubDate>
    <dc:creator>John-James Lavery</dc:creator>
    <dc:date>2019-03-13T00:45:26Z</dc:date>
    <item>
      <title>ASA 5512 Privilege levels and TACACS+</title>
      <link>https://community.cisco.com/t5/network-access-control/asa-5512-privilege-levels-and-tacacs/m-p/2681439#M55586</link>
      <description>&lt;P&gt;Hello!&lt;/P&gt;
&lt;P&gt;I am currently using the open-source TACACS+ server called "tac_plus" for Linux distributions. I have configured the configuration file correctly: I am able to log into ASDM with the credentials of one of the accounts I created, without an issue, with a privilege level of 15. The other account in the file has a privilege level of 5, but when I log in using those credentials the privilege level is also 15. How can I configure my ASA to reflect the correct privilege level in the tac_plus configuration file? The following is my ASA configuration:&lt;/P&gt;

&lt;PRE&gt;
ASA Version 9.1(2)
!
hostname TACTESTASA
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
nameif Private
security-level 100
ip address dhcp setroute
!
interface GigabitEthernet0/1
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/2
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/3
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/4
shutdown
no nameif
no security-level
no ip address
!
interface GigabitEthernet0/5
shutdown
no nameif
no security-level
no ip address
!
interface Management0/0
management-only
nameif Management
security-level 0
ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
object-group protocol DM_INLINE_PROTOCOL_1
protocol-object ip
protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
protocol-object ip
protocol-object icmp
access-list Private_access_in extended permit ip any any
access-list Private_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list global_access extended permit object-group DM_INLINE_PROTOCOL_2 any any
pager lines 24
logging enable
logging asdm informational
mtu Private 1500
mtu Management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group Private_access_in in interface Private
access-group global_access global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (Private) host 141.254.1.81
key *****
user-identity default-domain LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa accounting enable console TACACS+
aaa accounting serial console TACACS+
aaa accounting ssh console TACACS+
aaa accounting telnet console TACACS+
aaa accounting command TACACS+
http server enable
http 0.0.0.0 0.0.0.0 Management
http 0.0.0.0 0.0.0.0 Private
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 141.254.69.0 255.255.255.0 Private
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcp-client client-id interface Private
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes128-sha1 3des-sha1
username test password P4ttSyrm33SV8TYp encrypted privilege 15
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
username netopns password rgNS3pxkpx9OSJMI encrypted
!
!
prompt hostname context
no call-home reporting anonymous
call-home
profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 5
  subscribe-to-alert-group configuration periodic monthly 5
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b7c3663328a68bae62d7693a14664509
: end&lt;/PRE&gt;

&lt;P&gt;tac_plus configuration is as follows:&lt;/P&gt;

&lt;PRE&gt;
# ENCRYPTION KEY
accounting file = /var/log/tac_plus.acct
key = cisco

# * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
# *                       GROUPS                          *
# * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

group = admin {
    default service = permit
    service = exec {
    priv-lvl = 15
    }
}

group = NETOPS {
    default service = permit
    service = exec {
    priv-lvl = 15
    }
}

group = LAN_SERVICES_EXEC {
    default service = permit
    service = exec {
    priv-lvl = 15
    }
}

group = LAN_SERVICES {
    default service = permit
    service = exec {
    priv-lvl = 5
    }
}

group = SERVICE_ACCOUNTS {
    default service = permit
    service = exec {
    priv-lvl = 15
    }
}


# * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
# *                     USERS                             *
# * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

#       * * * * * * * * * * * * * * * * * * * * *
#       *               Test Users              *
#       * * * * * * * * * * * * * * * * * * * * *

user = tester {
    member = admin
    login = des dxhK2jj6hRKzc
}

#       * * * * * * * * * * * * * * * * * * * * *
#       *            LAN Services Users         *
#       * * * * * * * * * * * * * * * * * * * * *

user = User1 {
    member = LAN_SERVICES_EXEC
    login = des 0ckqZkWPnQs7M
}

user = User2 {
    member = LAN_SERVICES
    login = des wi/dh6RXNkaYU
    cmd = show {
        permit .*
    }
}

#       * * * * * * * * * * * * * * * * * * * * *
#       *            Service Account Users      *
#       * * * * * * * * * * * * * * * * * * * * *

user = Admin {
    member = SERVICE_ACCOUNTS
    login = des 4AXsNOYop30Mw
}

&lt;/PRE&gt;

&lt;P&gt;Any help would be appreciated; please let me know if you need more information.&lt;/P&gt;</description>
      <pubDate>Wed, 13 Mar 2019 00:45:26 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/asa-5512-privilege-levels-and-tacacs/m-p/2681439#M55586</guid>
      <dc:creator>John-James Lavery</dc:creator>
      <dc:date>2019-03-13T00:45:26Z</dc:date>
    </item>
    <item>
      <title>I'm also experiencing same</title>
      <link>https://community.cisco.com/t5/network-access-control/asa-5512-privilege-levels-and-tacacs/m-p/2681440#M55590</link>
      <description>&lt;P&gt;I'm also experiencing the same issue, but I use ACS 5.5. I already troubleshot everything but no luck. I hope I can get some answers here. 😞&lt;/P&gt;</description>
      <pubDate>Wed, 13 May 2015 15:59:41 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/asa-5512-privilege-levels-and-tacacs/m-p/2681440#M55590</guid>
      <dc:creator>fatalXerror</dc:creator>
      <dc:date>2015-05-13T15:59:41Z</dc:date>
    </item>
    <item>
      <title>*Bump* Anybody have any</title>
      <link>https://community.cisco.com/t5/network-access-control/asa-5512-privilege-levels-and-tacacs/m-p/2681441#M55597</link>
      <description>&lt;P&gt;*Bump* Anybody have any information on how to go about solving this issue?&lt;/P&gt;</description>
      <pubDate>Tue, 26 May 2015 12:09:56 GMT</pubDate>
      <guid>https://community.cisco.com/t5/network-access-control/asa-5512-privilege-levels-and-tacacs/m-p/2681441#M55597</guid>
      <dc:creator>John-James Lavery</dc:creator>
      <dc:date>2015-05-26T12:09:56Z</dc:date>
    </item>
  </channel>
</rss>