topic Check Local account before AAA tacacs+ in Network Security

Check Local account before AAA tacacs+

Andrew Sinclair — Tue, 12 Mar 2019 01:46:17 GMT

Hello,

Being a service provider we like to keep our logins seperate from clients, we have our own tacacs+ for accessing cisco devices, however we need to give access to a client so they are able to see the read only configuration of their firewall.

Problem: We need to create a local user on the asa for the client hoever the ASA is checking tacacs+ first of all and returning a no user reply. Is there a way to check local user accounts before it checks the tacacs+ entry?

Any help will be appreciated.

Thanks,

Check Local account before AAA tacacs+

JohnTylerPearce — Mon, 20 May 2013 15:33:56 GMT

Andrew,

Yes there is.

For Example:

let's just say this is a router with customer-access

----

aaa authentication login CUST_ACCESS local tacacs+

line vty 0 4

Then, you would have to configure the privilege level of the customer who will have access.

I also believe, that they will only see the commands, that there privilege level has access too.

Check Local account before AAA tacacs+

Andrew Sinclair — Mon, 20 May 2013 15:53:23 GMT

Hi John,

Thanks for the reply, we can do this on a router however it doesn't work on an ASA.

Many thanks,

Check Local account before AAA tacacs+

JohnTylerPearce — Mon, 20 May 2013 16:26:27 GMT

Andrew,r

My Bad.......(Embarrased)

Well. You should be able to create a local user account, and assign it a specify privilege level.

Will customers be connecting via SSH, Telnet, or HTTPS?

Then you should be able to assign only specific commands to the privilege level.

Check Local account before AAA tacacs+

kussriva — Tue, 21 May 2013 07:55:10 GMT

HI,

Unlike the Cisco IOS devices, the Cisco ASA does not give you the option to check the local user database first before checking the aaa server.

If you use a AAA server group for authentication, you can configure the ASA to use the local database as a fallback method if the AAA server is unavailable. Specify the server group name followed by LOCAL to do the configuration.

If you are looking to limit the admin access for users, you can check the "Limiting User CLI and ASDM Access with Management Authorization" in the ASA CLI configuration guide.

http://www.cisco.com/en/US/products/ps6120/products_installation_and_configuration_guides_list.html

Here are the different tacacs attributes you can use:

PASS, privilege level 1—Allows access to ASDM, with limited read-only access to the configuration and monitoring sections, and access for show commands that are privilege level 1 only.

–PASS, privilege level 2 and higher—Allows access to the CLI when you configure the aaa authentication {telnet | ssh} console command, but denies ASDM configuration access if you configure the aaa authentication http console command. ASDM monitoring access is allowed. If you configure enable authentication with the aaa authentication enable console command, the user cannot access privileged EXEC mode using the enable command. You are not allowed to access privileged EXEC mode using the enable command if your enable privilege level is set to 14 or less.

–FAIL—Denies management access. You cannot use any services specified by the aaa authentication console commands (excluding the serial keyword; serial access is allowed.

Regards,

Kush