topic Re: Aaa for serial login in asa in Network Security

Aaa for serial login in asa

Alfredcfc — Thu, 02 Apr 2020 01:12:42 GMT

Do we need to enable aaa for serial login?.

Currently I have not enabled and it's blank, when I queried the cisco tac whether not having a aaa config for serial cable while having it for others such sab and ht woud work he said.

He said when I connect serial cable to the asa nothing will prompted no username no passowrd no enable password.

Is this correct ?.

We are going for an upgrade I don't want to lockout the asa firewall in the middle of an upgrade,

the current config looks something like this

#aaa ssh console Tacacs+ local

#aaa http console Tacacs+ local

#aaa authorization Tacacas+ local

#aaa authorization enable auth-sever local

#aaa accounting Tacacs+

Re: Aaa for serial login in asa

Cristian Matei — Thu, 02 Apr 2020 05:47:56 GMT

Hi,

Are you doing the upgrade from the console or remote via SSH for example? Post the complete aaa config from the ASA, one missing command or wrongly presented by you, and you could get wrong instructions. For example, there is no "aaaa authorisation enable".

Regards,

Cristian Matei.

Re: Aaa for serial login in asa

Alfredcfc — Sat, 04 Apr 2020 14:30:53 GMT

The upgrade will be done remotely,

The aaa config is :

aaa authentication enable console TACACS LOCAL
aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authorization command TACACS LOCAL
aaa accounting enable console TACACS
aaa accounting ssh console TACACS

Re: Aaa for serial login in asa

Cristian Matei — Sat, 04 Apr 2020 16:21:27 GMT

Hi,

If you have that configuration and remotely login to the ASA to perform the upgrade, you will only loose access to the ASA as a part of the restart process; when it comes back online, you'll be able to login again. Ensure to use the "verify /md5" and "verify /sha512" to ensure the new image is not corrupted.

Regards,

Cristian Matei.

Re: Aaa for serial login in asa

Sheraz.Salim — Sat, 04 Apr 2020 19:20:38 GMT

I have tested in my lab.

you should be fine.

ASA
!
username admin password cisco priv 15
!
aaa-server ISE protocol tacacs+
aaa-server ISE (mgmt) host 150.1.7.212
key cisco
!
aaa authentication ssh console ISE LOCAL
aaa authentication enable console ISE LOCAL
aaa authentication http console ISE LOCAL
aaa authentication telnet console ISE LOCAL
!
aaa authorization command ISE LOCAL
aaa authentication secure-http-client
aaa authorization exec authentication-server auto-enable
aaa authorization http console ISE
!
aaa accounting ssh console ISE
aaa accounting serial console ISE
aaa accounting enable console ISE
aaa accounting command ISE
aaa accounting telnet console ISE

Re: Aaa for serial login in asa

Alfredcfc — Sun, 05 Apr 2020 02:33:19 GMT

To cover all bases what if the ASA loses all it's connection and we have to login via the serial console physically.

Would this config work?

Re: Aaa for serial login in asa

Pulkit Saxena — Sun, 05 Apr 2020 06:31:54 GMT

Hi Alfred,

With the current ASA configuration, you should not be facing any authentication issues on serial port.
However if you are upgrading remotely one of the used cases that we have seen is that sometimes reachability to AAA server is lost temporarily, so you should be having a local username configured on the device, this will help in the fallback mechanism.

Here is a link to command reference which talks about this command :
https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/a1.html#pgfId-1594161

Go ahead with the upgrade. Good Luck!!

-
Pulkit

Re: Aaa for serial login in asa

Alfredcfc — Sun, 05 Apr 2020 08:10:19 GMT

hi Saxena,

Thanks for the info,

For my understanding what will happen when i connect to the serial port since I have not enabled any aaa for the serial port, I wouldn't be prompt for any the login username, password and enable password?

Re: Aaa for serial login in asa

Sheraz.Salim — Sun, 05 Apr 2020 09:09:12 GMT

earlier in post you mentioned your config

aaa authentication enable console TACACS+ LOCAL

This basically tells the ASA use the local usermane and password database not the enable password.

If you want to authenticate using the locally configured enabled password just remove

aaa authentication enable console TACACS+ LOCAL

now if this below config still exist on production which going to upgrade. in that case you will

aaa authentication enable console TACACS LOCAL
aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authorization command TACACS LOCAL
aaa accounting enable console TACACS
aaa accounting ssh console TACACS


aaa authentication serial console LOCAL ISE

than local user authentication come in place.

Re: Aaa for serial login in asa

Pulkit Saxena — Sun, 05 Apr 2020 10:54:36 GMT

Hi Alfred,

So i just checked this out, with your configuration, ASA being a security device it will still prompt for enable option on console.
When you will put "enable", which is tied to a username and not to a device on AAA server, it will point to username/password on the screen, which you will have to put.
So in your case, when you will connect to console/serial, you will type "enable", and this will prompt to username/password option.
So as a backup, you can configure a local username/password with privilege 15, and local enable password as well.
This will ensure that in case after a reboot, AAA server is not reachable, local credentials will let you in the box.

Hope this helped.

-
Pulkit
Please keep rating helpful posts.

Re: Aaa for serial login in asa

Alfredcfc — Sun, 05 Apr 2020 17:12:30 GMT

Hi salim,

Thanks for your input, If I am understanding correctly you are meaning to say that the command:

aaa authentication enable console TACACS+ LOCAL

will authenticate the enable password typed by the user with TACACS+ database in the ISE server.

So for me to login in to the serial port with using the local username and password do I have to configure the below command ?.

aaa authentication serial console LOCAL.

But when i type the >enable command the password i will use will be sent to the TACACS+ server and I will not be able to login because the below command is still active.

aaa authentication enable console TACACS+ LOCAL

I don't want to remove the above command because I want all users enable pass to be authenticated by TACACS+ ISE server,

Re: Aaa for serial login in asa

Alfredcfc — Sun, 05 Apr 2020 17:15:04 GMT

Will I be prompted for username and password ?. since I have not configured the below command for serial authentcation

aaa authentication serial console

This is my doubt I have never logged into the serial port before.

Re: Aaa for serial login in asa

Pulkit Saxena — Mon, 06 Apr 2020 07:32:29 GMT

Hi Alfred,

You will be prompted because you have "aaa authentication enable console TACACS+ LOCAL", however enable is binded with username, so ASA will send you a username/password prompt which you can put.

Long story short, if after upgrade ASA is reachable to AAA server, console access will work with any user configured on AAA server. For backup in case AAA server reachability has some issues, configure a local username and password and you will be good to go.

-
Pulkit