Check Local account before AAA tacacs+

Andrew Sinclair
Level 1

Hello,

Being a service provider, we like to keep our logins separate from clients. We have our own TACACS+ for accessing Cisco devices; however, we need to give access to a client so they are able to see the read-only configuration of their firewall.

Problem: We need to create a local user on the ASA for the client; however, the ASA is checking TACACS+ first of all and returning a "no user" reply. Is there a way to check local user accounts before it checks the TACACS+ entry?

Any help will be appreciated.

Thanks,

4 Replies

JohnTylerPearce
Level 7

Andrew,

Yes there is.

For example, let's just say this is a router with customer access:

R1
----
aaa authentication login CUST_ACCESS local tacacs+
line vty 0 4
 login authentication CUST_ACCESS

Then, you would have to configure the privilege level of the customer who will have access.

I also believe that they will only see the commands that their privilege level has access to.

Hi John,

Thanks for the reply, we can do this on a router however it doesn't work on an ASA.

Many thanks,

Andrew,

My bad... (Embarrassed)

Well, you should be able to create a local user account and assign it a specific privilege level.

Will customers be connecting via SSH, Telnet, or HTTPS?

Then you should be able to assign only specific commands to the privilege level.

kussriva
Level 1

Hi,

Unlike Cisco IOS devices, the Cisco ASA does not give you the option to check the local user database first before checking the AAA server.

If you use an AAA server group for authentication, you can configure the ASA to use the local database as a fallback method if the AAA server is unavailable. Specify the server group name followed by LOCAL to do the configuration.

If you are looking to limit the admin access for users, you can check the "Limiting User CLI and ASDM Access with Management Authorization" in the ASA CLI configuration guide.

http://www.cisco.com/en/US/products/ps6120/products_installation_and_configuration_guides_list.html

Here are the different TACACS+ attributes you can use:

PASS, privilege level 1—Allows access to ASDM, with limited read-only access to the configuration and monitoring sections, and access for show commands that are privilege level 1 only.

PASS, privilege level 2 and higher—Allows access to the CLI when you configure the aaa authentication {telnet | ssh} console command, but denies ASDM configuration access if you configure the aaa authentication http console command. ASDM monitoring access is allowed. If you configure enable authentication with the aaa authentication enable console command, the user cannot access privileged EXEC mode using the enable command. You are not allowed to access privileged EXEC mode using the enable command if your enable privilege level is set to 14 or less.

FAIL—Denies management access. You cannot use any services specified by the aaa authentication console commands (excluding the serial keyword; serial access is allowed).

Regards,

Kush
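The fallback configuration Kush describes, written out as an added example (not from the thread or from Cisco's documentation). The server-group name SP_TACACS, the server address 192.0.2.10, the interface name, the username customer-ro and the key/password placeholders are all assumed values; the comment lines (prefixed with "!") spell out the caveat that matters for Andrew's case, which is that LOCAL is only consulted when the TACACS+ server cannot be reached, not when it rejects the user.

```cisco
! Service-provider TACACS+ group (names and address are assumed placeholders)
aaa-server SP_TACACS protocol tacacs+
aaa-server SP_TACACS (inside) host 192.0.2.10
 key <TACACS_SHARED_SECRET_PLACEHOLDER>

! Server group first, LOCAL only as a fallback: the ASA tries LOCAL when the
! group is unreachable, not when the TACACS+ server answers "no such user".
! A customer account that exists only locally will therefore still be
! rejected while SP_TACACS is up.
aaa authentication ssh console SP_TACACS LOCAL
aaa authentication enable console SP_TACACS LOCAL

! Management authorization from the guide section Kush references: the
! privilege level returned (or, for LOCAL users, the one on the account)
! limits CLI/ASDM access according to the PASS/FAIL rules listed above.
aaa authorization exec authentication-server

! Local read-only customer account (privilege 1 -> limited read-only access
! per the attribute list above); password value is a placeholder.
username customer-ro password <CUSTOMER_PASSWORD_PLACEHOLDER> privilege 1
```

Practical consequence of the ordering: with a single method list, the customer account has to be known to SP_TACACS (for example as a TACACS+ user that returns PASS with privilege level 1), or it has to be accepted on a separate management path that authenticates against LOCAL; a local-only account behind a reachable TACACS+ server never gets a chance to authenticate. Monitoring for the server-group becoming unreachable is also worth having, since that is the only moment the LOCAL fallback silently takes over.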
