change AAA radius to tacacs config without losing control

Hi, 

Does anybody know how to modify the settings for the AAA config on a Cisco ASA?

Currently, I have a Cisco ASA 5520, and it's configured with RADIUS. Below is the current config:

aaa-server Radius_RSA protocol radius
aaa-server Radius_RSA (inside) host 192.168.1.100
aaa authentication telnet console Radius_RSA LOCAL
aaa authentication ssh console Radius_RSA LOCAL
aaa authentication http console Radius_RSA LOCAL

Now, what I want is to enter the following: 

***********************************************

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.168.1.200
key cisco


aaa authentication enable console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL


aaa accounting command privilege 15 TACACS+
aaa accounting enable console TACACS+
aaa accounting ssh console TACACS+
aaa accounting telnet console TACACS+

What I have tried:

1- I removed the previous config in the following order:

Example: 

no aaa-server Radius_RSA (inside) host 192.168.1.100
no aaa authentication telnet console Radius_RSA LOCAL
no aaa authentication ssh console Radius_RSA LOCAL
no aaa authentication http console Radius_RSA LOCAL

As of now, I'm still connected to the device,

but then when I enter the tacacs+ config, I'm unable to connect again.

Sorry if this explanation confuses more.

Basically, what I want is to be able to remove the RADIUS and apply the new script for TACACS+ and still be able to log in next time, because when I enter the commands I get multiple errors like "range already exists" or "authorization fails",

then I'm stuck and have to check via console.

So, any advice?

6 Replies

Marvin Rhoads
Hall of Fame

I've found that I needed to give the list name something distinct from the method. That is, you cannot name the list TACACS+ for method tacacs+. Call it instead something like TAC+ or anything else that's not tacacs+ (case-insensitive).

Also, as a general principle you should have a second session open that's already authenticated and authorized just in case one of the commands you enter locks you out.

Finally, I start my sessions changing AAA methods with "reload in 10". That way, if I get totally locked out, the device will reload by itself after 10 minutes. If my work is successful, I simply "reload cancel".

Thanks Marvin, 

Let me give it a try now, I will let you know the results, 

Regards, 

Hi Alex,

Marvin is right...so the authentication line should be the last one...

So according to your config, your script should be like this:

aaa authentication enable console ACS-SERVER LOCAL
aaa authentication http console ACS-SERVER LOCAL
aaa authentication ssh console ACS-SERVER LOCAL
aaa authentication telnet console ACS-SERVER LOCAL

aaa accounting enable console ACS-SERVER
aaa accounting ssh console ACS-SERVER
aaa accounting telnet console ACS-SERVER
aaa accounting command privilege 15 ACS-SERVER

*** After these lines you should open a new session to the device with ACS-SERVER credentials (you should be able to log in but not issue any command at this time) ***

*** Then, at the old session, issue the authorization line below to permit the ACS-SERVER users to issue commands ***

aaa authorization command ACS-SERVER LOCAL

Now, test with ACS-SERVER whether you're able to issue commands and enter configuration mode as well.

I hope this works for you.

Regards,

Thanks Peterson, 

Yes, I think the order of operations is what is driving me crazy. I'm testing now and so far so good.

The problem was that the old RADIUS was still active, so I deleted the entire config without losing the SSH session and started fresh, as if nothing was there about AAA.

So, as you guys suggested, that was the last thing, and I made sure everything was accepted.

Hi Marvin, 

I tried what you suggested, changed the name:

aaa authentication enable console ACS-SERVER LOCAL
aaa authentication http console ACS-SERVER LOCAL
aaa authentication ssh console ACS-SERVER LOCAL
aaa authentication telnet console ACS-SERVER LOCAL

but whenever I entered:

aaa authorization command ACS-SERVER LOCAL
!

aaa accounting enable console ACS-SERVER
aaa accounting ssh console ACS-SERVER
aaa accounting telnet console ACS-SERVER
aaa accounting command privilege 15 ACS-SERVER

I got stuck and then moved physically to the console port.

The method for reloading is OK if I was not able to access via console, but for now I'm not using it, since I think there is no need to reload it: I am near the rack where the ASA is mounted.

Yes - that's expected.

When configuring authorization, as soon as you enter an authorization method list, the device will start checking for authorization - even within an existing session. That's why I check the authentication first.

You should have already set up the authorization profiles in your AAA server(s). When initially deploying, double-check authentication. If that works (and you have the associated authorization profiles already preconfigured), you should be able to switch into a new session and verify everything.
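Putting the thread's advice (distinct group name, authentication before authorization, a second authenticated session, and a reload timer as a safety net) into one ordered script, as an added example that is not any poster's own config: it assumes the server group is named TAC+, reuses the 192.168.1.200 host and RADIUS lines from the question, and uses an assumed test account for the `test aaa-server` check; the second session is opened by hand at the marked pause.

```cisco
! Step 0: safety net. If a later command locks every session out, the
! ASA reboots into the saved (still RADIUS) config after 10 minutes.
reload in 10
!
! Step 1: new server group. The tag must not equal the protocol keyword
! (TAC+, not TACACS+). "key cisco" is the question's sample secret;
! use a strong shared secret in production.
aaa-server TAC+ protocol tacacs+
aaa-server TAC+ (inside) host 192.168.1.200
 key cisco
!
! Step 2: prove the server answers before any login path depends on it
! (assumed test account and password).
test aaa-server authentication TAC+ host 192.168.1.200 username tacuser password TacPass1
!
! Step 3: authentication only, each old RADIUS line replaced in place,
! always with LOCAL fallback (used only when the server is unreachable,
! not when it rejects the user).
no aaa authentication ssh console Radius_RSA LOCAL
aaa authentication ssh console TAC+ LOCAL
no aaa authentication http console Radius_RSA LOCAL
aaa authentication http console TAC+ LOCAL
no aaa authentication telnet console Radius_RSA LOCAL
aaa authentication telnet console TAC+ LOCAL
aaa authentication enable console TAC+ LOCAL
!
! --- PAUSE: open a SECOND SSH session with a TACACS+ account and keep
! --- it open. Continue in the ORIGINAL session only once it logs in.
!
! Step 4: authorization. The ASA enforces it on the existing session
! at once, so the command-authorization profiles must already exist on
! the TACACS+ server and the second session must already be logged in.
aaa authorization command TAC+ LOCAL
!
! Step 5: accounting, then retire the RADIUS group nothing references.
aaa accounting command privilege 15 TAC+
aaa accounting enable console TAC+
aaa accounting ssh console TAC+
aaa accounting telnet console TAC+
no aaa-server Radius_RSA (inside) host 192.168.1.100
no aaa-server Radius_RSA protocol radius
!
! Step 6: from the SECOND session, enter configure terminal and run a
! harmless show command; only when both work, save and cancel the timer.
write memory
reload cancel
```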
