Beginner

enter privileged EXEC mode on the ASA console

I'd like to enter privileged EXEC mode on the ASA console through TACACS+ and ISE

The login works but when I enter 'enable' the authentication on ISE fails.

The TACACS log on ISE shows that the TACACS protocol contains "Authentication Service -> Enable" instead of "Authentication Service -> Login". Do I have to build an own policy for that?

 

Regards

Wolfgang

VIP Collaborator

Re: enter privileged EXEC mode on the ASA console

 

 - If you are talking about the native console, then I discourage this, in order to be able to access your device at all times when the surrounding authentication services are unavailable. Such a purpose should be seen as the main goal of the native console (use a local user).

 M.

Beginner

Re: enter privileged EXEC mode on the ASA console

I agree; for this reason, serial and enable are configured to use ISE and a local user:

aaa authentication serial console ISE LOCAL
aaa authentication enable console ISE LOCAL
VIP Collaborator

Re: enter privileged EXEC mode on the ASA console

 

 - Good to hear, but even then, with that configuration, it would be wise to check that the culprit does not remain in place (would the fallback actually work when needed?).

 M.

Beginner

Re: enter privileged EXEC mode on the ASA console

Yes, of course, I will check if the fallback actually works, but I have to solve the above mentioned problem first.

VIP Collaborator

Re: enter privileged EXEC mode on the ASA console

 

 - Have a look at the document below (link): I would presume that you just need to configure PermitAllCommands, in the section "Configuring TACACS Command Sets":

 https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208-Configure-ISE-2-0-IOS-TACACS-Authentic.html#anc11

 M.

Cisco Employee

Re: enter privileged EXEC mode on the ASA console

Hi Wolfgang,

I had a similar question from a recent customer and wanted to share those findings and workarounds here.

Unfortunately, the ASA does not support separate AAA sequence lists (like routers/switches), so there is no way to separate out or exempt command authorization for the serial console. Once the ‘aaa authorization command <list>’ configuration is applied, it will apply to both SSH and Serial console sessions.
In addition, the ‘auto-enable’ option of the command ‘aaa authorization exec authentication-server auto-enable’ does not apply to the Serial console session (apparently, by design). As such, after authenticating to the Serial console, you must use the ‘enable’ command to gain priv15 access. This compounds the issue because the username associated with the Serial console session changes to ‘enable_15’.
This means that command authorization against the TACACS server will fail because the user ‘enable_15’ is not in the external ID store.
I did some testing in my lab and found the following way to work around this.

  1. In ISE, create an internal user called ‘enable_15’. Set a strong password (the password will not actually be used).
  2. Create a new Identity Source Sequence (e.g. ‘AD_LOCAL’) that uses your AD followed by Internal Users. Make sure the ‘Treat as if the user was not found…’ radio button is selected.
  3. Update the Authentication Policy for your ASA Policy Set to use this new ISS (AD_LOCAL).
  4. Create a new AuthZ Policy (e.g. above the default) with a matching Condition of ‘Internal User Name EQUALS enable_15’ and the same Command Set and Shell Profile used for Priv 15 access.

This configuration will allow you to configure either ‘LOCAL’ or ‘TACACS+ LOCAL’ aaa authentication on the Serial console, as well as ‘aaa authorization command TACACS+ LOCAL’.

 

There is an additional caveat of which you should be aware for the scenario when the ASA loses connectivity to the TACACS+ servers...
With the ‘aaa authorization command’ configured for either ‘LOCAL’ or ‘TACACS+ LOCAL’, there is a similar issue with command authorization on the serial console after issuing the ‘enable’ command to escalate to priv15 since, as mentioned above, the username changes to ‘enable_15’ (see the output from ‘show curpriv’).
Similar to the above scenario with an ‘enable_15’ internal user on ISE, you can work around this by creating a local ‘enable_15’ user on the ASA with the ‘nopassword’ option.

 

Example:
username enable_15 nopassword privilege 15

 

Cheers,

Greg
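Pulling the pieces of this thread together, here is an added example of the resulting ASA AAA configuration; it is not taken from the posts above or from Cisco documentation. The server group name ISE (matching Wolfgang's configuration), the interface name, the host address and the placeholders for the shared secret and local password are assumptions.

```text
! Added example, not from the thread: consolidated ASA AAA configuration
! for TACACS+ via ISE with local fallback on the serial console.
! Server group name, interface, host address and placeholders are assumed.
aaa-server ISE protocol tacacs+
aaa-server ISE (inside) host 192.0.2.10
 key <shared-secret>

! Authentication falls back to the local database when ISE is unreachable
aaa authentication serial console ISE LOCAL
aaa authentication enable console ISE LOCAL
aaa authentication ssh console ISE LOCAL

! auto-enable does not apply to the serial console (see Greg's reply):
! serial console users still type 'enable' and become user 'enable_15'
aaa authorization exec authentication-server auto-enable

! Command authorization applies to SSH and serial sessions alike;
! it needs ISE (or the local database during fallback) to know 'enable_15'
aaa authorization command ISE LOCAL

! Local fallback administrator for the console when ISE is down
username admin password <strong-password> privilege 15

! Keeps command authorization working on the serial console during
! fallback, after 'enable' has changed the session user to 'enable_15'
username enable_15 nopassword privilege 15
```

Verify the fallback path as M. suggests: with the ISE servers unreachable, log in on the serial console, run enable, and confirm with show curpriv that the session is enable_15 at privilege 15 and that commands are still authorized.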