topic Hi,With this configuration , in Network Security

Why "enable password" is different when I log onto ASA using telnet ?

eigrpy — Tue, 12 Mar 2019 06:31:36 GMT

The configuraiton in the ASA is as below:

aaa authentication enable console TACATS LOCAL
aaa authentication telnet console LOCAL
username cisco password cisco
telnet 0.0.0.0 0.0.0.0 inside

Do you think the enable password is different when I use SSH or telnet to log onto the ASA? Both ssh and telnet can log onto the asa, and it can pass enable password(tacacs server password and username), but enable password fail if i use telnet log onto the ASA

Hi,this is my config, which

Richard Bradfield — Tue, 01 Sep 2015 01:00:09 GMT

Hi,

this is my config, which works ok I need a local enable password for telnet/ssh

aaa authentication http console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL

enable password .qlnV1D9xc02BByd encrypted

HTH

Richard

Hi,With this configuration ,

Vibhor Amrodia — Tue, 01 Sep 2015 01:23:24 GMT

Hi,

With this configuration , the Username/Password to login to the SSH.TElnet will be the TACACS credentials.

Enabled password would be the one that you have configured locally.

Thanks and Regards,

Vibhor Amrodia

After telnet log onto the ASA

eigrpy — Tue, 01 Sep 2015 13:16:48 GMT

After telnet log onto the ASA, it seems telnet requires the enable password which is different with ssh' enable password. Do you agree ? Thanks

Hi,No , The enable password

Vibhor Amrodia — Tue, 01 Sep 2015 15:41:18 GMT

Hi,

No , The enable password would be the same for both as that is a global password to move into the Enable mode.

Thanks and Regards,

Vibhor Amrodia

Thanks for your reply. I

eigrpy — Tue, 01 Sep 2015 19:59:10 GMT

Thanks for your reply. I think you are right.

Now, It is very strange regarding the command "aaa authentication enable console TACACS LOCAL", When I am using the command, ssh can pass enable password, but telnet cannot pass enable password. Then I remove TACACS from the command, the situation is reverse: telnet canpass enable password, and ssh cannot pass enable password. What is wrong ?

Here is full config:

aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console TACACS LOCAL
aaa accounting enable console TACACS
aaa accounting ssh console TACACS

I got it. After I add TACACS

eigrpy — Tue, 01 Sep 2015 20:31:25 GMT

I got it. After I add TACACS to command aaa authentication telnet console LOCAL, it can work. but i do not know the reason.

Hi,Let me try to clarify

Vibhor Amrodia — Tue, 01 Sep 2015 21:00:29 GMT

Hi,

Let me try to clarify things here:-

aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console TACACS LOCAL

These commands are only to instruct the ASA device to tell the ASA where to look for the Username/Password information.

Now , as a test , try this:-

Create same username/Password in TACACS server and on the ASA LOCAL database.

Configure these commands:-

aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication enable console TACACS LOCAL

Now , try to check if both of them works or not ?

The problem which you might be seeing was that the TACACS and LOCAL database would be having different Username/Password combinations.

Thanks and Regards,

Vibhor Amrodia

Thank you so much. You might

eigrpy — Tue, 01 Sep 2015 21:05:43 GMT

Thank you so much. You might not have seen my updated last post. I got the same as you suggested.

aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication enable console TACACS LOCAL

These can work well. Thank you