Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
16329
Views
0
Helpful
6
Replies

Cisco ASA TACACS+ enable mode not working

Go to solution
raza555
Level 3
Level 3

‎01-06-2014 08:26 AM - edited ‎03-11-2019 08:25 PM

Hi,

I am configuring the ASA 8.4 with TACACS with below CLI configurations, I can only successfully login to the USER MODE of the ASA via TACACS, but unable to get to the enable mode of the ASA via TACACS. Also ASA is not falling to local enable password either.

Also I can successfully run the "test aaa authentication TACACS+ username abc password password1"

INFO: Authentication Successful

From same ACS TACACS works for both user mode and enable mode for routers/ switches.

Current ASA CLI

~~~~~~~~~~~~~

username [ENTER USERNAME HERE] password [ENTER ADMIN PASSWORD HERE] privilege 15

enable password [ENTER ENABLE MODE PASSWORD HERE]

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server TACACS+ (inside) host [ENTER TACACS+ SERVER IP ADDRESS HERE] [ENTER SECRET KEY HERE] timeout 10

aaa authentication http console TACACS+ LOCAL

aaa authentication ssh console TACACS+ LOCAL

aaa authentication telnet console TACACS+ LOCAL

aaa authentication enable console TACACS+ LOCAL

aaa authorization command TACACS+ LOCAL

aaa accounting enable console TACACS+

aaa accounting ssh console TACACS+

1 person had this problem
Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎01-06-2014 05:04 PM

HeyRizwan,

What ACS version are you running??

Make sure you defined the username with a static privilege level of 15 otherwise it will not be able to pass the enable authentication.

If ACS 5.x or higher go to the policy elements: Shell Profile and make sure you have one assigned for a static maximum privilege of 15 and most important that its applied into a access-policy rule

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to raza555

‎01-10-2014 08:52 AM

Hello,

Glad to know that I could help (Remember to mark the question as answered as that was the main topic of this ticket)

Now, moving to the new issue.

aaa authentication enable console TACACS+ LOCAL

This basically tells the ASA use the local usermane and password database not the enable password.

If you want to authenticate using the locally configured enabled password just remove

aaa authentication enable console TACACS+ LOCAL

And you will be always authenticating using the locally configured password.

This is different than from an IOS device that provides the option to use the enable database on the router itself when authenticating~

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

View solution in original post

0 Helpful
6 Replies 6

Go to solution
Collin Clark
VIP Alumni
VIP Alumni

‎01-06-2014 02:15 PM

What does the CLI return after you enter the password foe enable mode? What does it say in logs on the TACACS server?

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni

‎01-06-2014 05:04 PM

HeyRizwan,

What ACS version are you running??

Make sure you defined the username with a static privilege level of 15 otherwise it will not be able to pass the enable authentication.

If ACS 5.x or higher go to the policy elements: Shell Profile and make sure you have one assigned for a static maximum privilege of 15 and most important that its applied into a access-policy rule

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
raza555
Level 3
Level 3
In response to Julio Carvajal

‎01-10-2014 08:36 AM

Hi,

Thanks for assistance. Issue of login to enable-mode via tacacs+ credential is resolved as per your advice as I have found that as soon I configure ACS User Setup-> Advanced TACACS+ Settings-> Max Privilege for any AAA Client->15 instead of “Use Group Level Setting”(which is privilege 15 anyway) then I can login to the firewall enable-mode via tacacs+, successfully.

Now problem is that if I turn off the ACS, then I can successfully login to the firewall user-mode via fallback local-credentials of below username/ password, but I can only login to the enable-mode via password:user123, I am unable to login to the enable-mode via enable-password i.e password2

Configurations:

username user1 password user123 privilege 15

enable password password2

aaa-server TACACS+ protocol tacacs+               

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server TACACS+ (inside) host 10.10.10.10

key abc123

aaa authentication http console TACACS+ LOCAL

aaa authentication ssh console TACACS+ LOCAL

aaa authentication telnet console TACACS+ LOCAL

aaa authentication enable console TACACS+ LOCAL

aaa authorization command TACACS+ LOCAL

aaa accounting enable console TACACS+

aaa accounting ssh console TACACS+

Problem:

Test-ASA> en

Password: password2

Password:

Password: user123

Test-ASA#

0 Helpful

Go to solution
Julio Carvajal
VIP Alumni
VIP Alumni
In response to raza555

‎01-10-2014 08:52 AM

Hello,

Glad to know that I could help (Remember to mark the question as answered as that was the main topic of this ticket)

Now, moving to the new issue.

aaa authentication enable console TACACS+ LOCAL

This basically tells the ASA use the local usermane and password database not the enable password.

If you want to authenticate using the locally configured enabled password just remove

aaa authentication enable console TACACS+ LOCAL

And you will be always authenticating using the locally configured password.

This is different than from an IOS device that provides the option to use the enable database on the router itself when authenticating~

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC
0 Helpful

Go to solution
raza555
Level 3
Level 3
In response to Julio Carvajal

‎02-05-2014 06:33 AM

Hi,

I thought I keep the Discussion in same page as it’s very much related to it.

Please advise that timers I have added below are in Cisco best practices or not. Also what the function of below commands, do you recommend me to add it or not.

aaa-server TACACS+ protocol tacacs+

reactivation-mode timed


~~~~~~~~~~~Please advise timers in below aaa commands~~~~~~~~~~~~~~~~~~~~

username user1 password user123 privilege 15

enable password password2

aaa-server TACACS+ protocol tacacs+               

aaa-server TACACS+ max-failed-attempts 3

aaa-server TACACS+ deadtime 10

aaa-server TACACS+ (inside) host 10.10.10.10

timeout 6

key abc123

aaa-server TACACS+ (inside) host 10.10.20.10

timeout 6

key abc123

aaa authentication http console TACACS+ LOCAL

aaa authentication ssh console TACACS+ LOCAL

aaa authentication telnet console TACACS+ LOCAL

aaa authentication enable console TACACS+ LOCAL

aaa authorization command TACACS+ LOCAL

aaa accounting enable console TACACS+

aaa accounting ssh console TACACS+

0 Helpful

Go to solution
sreeharsha.kamisetty
Level 1
Level 1
In response to raza555

‎11-17-2016 06:34 AM

Hello Rizwan,

thanks for the post, i had a similar situation but tried all the possible solutions. your post was giving me some hope to resolve this issue but not able to find the exact settings on ACS as per your navigation. can you please let me know the version of ACS you figured it out?

ACS User Setup-> Advanced TACACS+ Settings-> Max Privilege for any AAA Client->15 

Regards,

Sreeharsha

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card