topic Re: Cisco ASA enable password with ISE TACACS+ in Network Access Control

Cisco ASA enable password with ISE TACACS+

vsurresh — Sun, 25 Apr 2021 15:19:49 GMT

Hello.

I'm hoping to get some help with ASA enable password behaviour with ISE + AD. I was trying to google search but can't seem to find the answer.

At the moment we use internal identity source for ASA TACACS+ access. For internal identity users, there is an option to setup enable password. If I leave that field empty, I can't go the privilege exec mode even though the TACACS profile is configured with privilege 15.

My question is, what will happen if I want to use AD groups instead of the internal store? There is no enable password for AD, of course. Is there a way to use the same login password for enable mode as well?

I understand using aaa authorization exec authentication-server auto-enable command will automatically brings me to the privilege prompt but I would like the users to type enable and then go to privilege mode.

ASA aaa configs shown below

aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authentication serial console TACACS LOCAL
aaa authorization command TACACS LOCAL
aaa accounting enable console TACACS-1
aaa accounting serial console TACACS-1
aaa accounting ssh console TACACS-1
aaa accounting telnet console TACACS-1
aaa authorization exec authentication-server 
aaa authentication login-history

Thanks

Re: Cisco ASA enable password with ISE TACACS+

balaji.bandi — Sun, 25 Apr 2021 18:23:28 GMT

What is the issue you encounter now - I do not see any configuration issue high level until we know the issue.

If you like to use AD as the source, you need to configure in ISE with AD Integration, so TACACS will use your AD account as a source for the user to get authenticated.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208-Configure-ISE-2-0-IOS-TACACS-Authentic.html

as soon as you enable AAA Local account not longer works, it only fall back if no TACACS server not available or reachable.

aaa authorization exec authentication-server auto-enable - yes your understanding is correct

Re: Cisco ASA enable password with ISE TACACS+

vsurresh — Sun, 25 Apr 2021 18:41:33 GMT

Thanks for your response.

As you can see, for ISE internal users, there is an option to set the enable password alongside login password. If I leave the enable password field empty, I can only login to ASA user-exec mode using the login password. Moving to priv-exec mode keeps failing (I used the same login password for privilege escalation)

What will happen to the enable password when AD is used as the source? On my previous place, I used to type the same AD password for both login and privilege escalation.

Hope this make sense.

Re: Cisco ASA enable password with ISE TACACS+

balaji.bandi — Sun, 25 Apr 2021 18:53:54 GMT

how about this command :

aaa authorization exec LOCAL auto-enable

aaa authorization exec { authentication-server | LOCAL } [ auto-enable ]

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/a1.html

auto-enable

Enables administrators who have sufficient authorization privileges to enter privileged EXEC mode by entering their authentication credentials once.

Re: Cisco ASA enable password with ISE TACACS+

vsurresh — Mon, 26 Apr 2021 09:23:25 GMT

Thanks. I just found this guide from 2013. https://community.cisco.com/t5/network-access-control/use-ad-account-for-auth-with-separate-enable-password-stored-on/td-p/2230659

'The command you mentioned would server the same purpose. If you're using AD then your enable password would be same as login password.'

Re: Cisco ASA enable password with ISE TACACS+

balaji.bandi — Mon, 26 Apr 2021 11:52:57 GMT

yes nice to know that what i meant to say - may be missed some how, glad you able to get what you looking ?

Re: Cisco ASA enable password with ISE TACACS+

vsurresh — Wed, 28 Apr 2021 07:25:34 GMT

I haven't tested it yet but should work I believe. Appreciated your help.