topic Re: Authentication on ASA in Network Security

Authentication on ASA

Kevin Melton — Mon, 11 Mar 2019 15:31:59 GMT

I have a customer whom is currently using TACACS to authenticate incoming Admin session requests to the ASA appliance. Currently is uses TACACS and prompts for a username and password when you SSH to the box. Once authenticated, and then to enter priveleged EXEC mode after issuing the >enable command, the user will enter his/her password again to go to PRIV EXEC mode.

We want to change this scenario a bit. We still want the ASA to query the TACACS server to validate the user. But thereafter we want to use the LOCAL enable password on the ASA as the password to be referenced for PRIV EXEC mode.

What command will tell the ASA to reference the enable password, and not use TACACS?

Re: Authentication on ASA

Collin Clark — Wed, 13 May 2009 18:07:51 GMT

I don't believe you can configure that in the ASA. You can configure it in your AAA server. Here's a screenshot from ACS. You would use

Re: Authentication on ASA

Kevin Melton — Wed, 13 May 2009 19:00:54 GMT

Can you point me to where this is on the ACS box? And what version of ACS are you running. We were looking for this option on the ACS box and to this point unable to find it.

thx

Re: Authentication on ASA

Collin Clark — Wed, 13 May 2009 19:11:16 GMT

Check under the individual user account.

Re: Authentication on ASA

Alexei_Popik — Wed, 10 Jun 2009 16:15:36 GMT

Hello. I'd like to join your conversation, because I have same problem.

I configure 'Use separate password', and now this password used for enable command. By the question was how to configure for using 'enable password' in Asa configuration? Or I need to configure 'Asa enable password' for all user accounts in ACS database as 'separate password' line?

Re: Authentication on ASA

Collin Clark — Wed, 10 Jun 2009 17:32:02 GMT

Good question. I could not get it to work other than your suggestion of configure 'Asa enable password' for all user accounts in ACS database as 'separate password' line Thaat actually makes sense since the ASA is using AAA authentication and the enable password is local.

Re: Authentication on ASA

Alexei_Popik — Thu, 11 Jun 2009 07:47:12 GMT

Thanks. One more question.

Is it possible login to Asa direct to priv. 15?

It worked with routers, but not with Asa.

Re: Authentication on ASA

Collin Clark — Thu, 11 Jun 2009 12:22:10 GMT

No you can't. It's a security feature.

Re: Authentication on ASA

Kevin Melton — Mon, 15 Jun 2009 12:59:07 GMT

Collin

I appreciate your input on this to this point.

I am still having difficulty locating the screen from your screen shot. Is there a chance that you could provide the exact path.

I did not see it at the path "Administration Control>Administrators>(username) which is where I thought it would be.

Thanks again

Re: Authentication on ASA

Collin Clark — Mon, 15 Jun 2009 13:08:05 GMT

Try-

>User Setup>[USERNAME]

It's under the properties of the individual user.