aaa authentication enable console issue

josrankin
Level 1

I have an ASA5505 running 8.2(5). It is configured with

aaa authentication telnet console xxxxxx LOCAL

and I am able to use my username and password to telnet in, but I then have to use the local enable password to get to privilege exec mode.

I tried configuring aaa authentication enable console xxxxxx LOCAL so that when I try to access privilege exec mode, I would be prompted for my password instead of the enable password, but it doesn't work.

I also tried removing the aaa authentication telnet console xxxxxx LOCAL and telnetted in with the local passwd.

I was prompted for a username and password when trying to get to priv exec mode, but again, the credentials did not work.

Could there be something that needs to be changed on the ACS server to make this work?

Thanks.

3 Replies

nspasov
Cisco Employee

Hello-

What protocol are you using: Radius or TACACS+?

Are you pushing any command authorization rules?

Can you post a snippet of your config?

Once you authenticate, have you tried to use "login" vs "enable"?

Thank you for rating!

Using TACACS+

No command authorization rules are being used

When I add the aaa authentication enable console xxxxxxxx LOCAL command and use login instead of enable, I get "Login failed" if I try to use my credentials.

However, if I use login with the locally configured username and password, it lets me in.

Here is the config (without the aaa authentication enable console command):

User Access Verification

Username: xxx/xxxxxxxxxx
Password: ************
Type help or '?' for a list of available commands.

FW> en
Password: ********
FW# sh ru
: Saved
:
ASA Version 8.2(5)
!
terminal width 511
hostname xxxxxxxx
enable password *********** encrypted
passwd *********** encrypted
names
!
interface Ethernet0/0
 switchport access vlan xxx
!
interface Ethernet0/1
 switchport access vlan xxx
 shutdown
!
interface Ethernet0/2
 switchport access vlan xxx
!
interface Ethernet0/3
!
interface Ethernet0/4
!
interface Ethernet0/5
!
interface Ethernet0/6
!
interface Ethernet0/7
!
interface Vlanxxx
 nameif inside
 security-level 100
 ip address x.x.x.x x.x.x.x
!
interface Vlanxxx
 nameif OUtside
 security-level 0
 ip address x.x.x.x x.x.x.x
!
ftp mode passive
same-security-traffic permit intra-interface
object-group protocol TCPUDP
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object udp
 protocol-object tcp
 group-object TCPUDP
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object udp
 protocol-object tcp
 group-object TCPUDP
object-group protocol DM_INLINE_PROTOCOL_3
 protocol-object ip
 protocol-object udp
 protocol-object tcp
object-group protocol DM_INLINE_PROTOCOL_4
 protocol-object ip
 protocol-object udp
 protocol-object tcp
access-list Outside_access_in extended permit ip any any
access-list inside_access_in extended permit icmp any any
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any inactive
access-list inside_access_in extended permit object-group DM_INLINE_PROTOCOL_4 any any
access-list OUtside_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any inactive
access-list OUtside_access_in extended permit icmp any any
access-list OUtside_access_in extended permit object-group DM_INLINE_PROTOCOL_3 any any
pager lines 24
logging enable
logging asdm informational
logging host inside x.x.x.x
mtu inside 1500
mtu OUtside 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
access-group inside_access_in in interface inside
access-group OUtside_access_in in interface OUtside
route inside 0.0.0.0 0.0.0.0 x.x.x.x 1
timeout xlate 3:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server xxxxxxxxx protocol tacacs+
aaa-server xxxxxxxxx (inside) host x.x.x.x
 key *****
aaa-server xxxxxxxxx (inside) host x.x.x.x
 key *****
aaa-server xxxxxxxxx (inside) host x.x.x.x
 key *****
aaa authentication http console ******* LOCAL
aaa authentication ssh console ******* LOCAL
aaa authentication telnet console ******* LOCAL
aaa local authentication attempts max-fail 5
http server enable
http x.x.x.x x.x.x.x inside
http x.x.x.x x.x.x.x inside
snmp-server host inside x.x.x.x community ***** version 2c
snmp-server host OUtside x.x.x.x community ***** version 2c
snmp-server host inside x.x.x.x community ***** version 2c
no snmp-server location
no snmp-server contact
snmp-server community *****
snmp-server enable traps snmp authentication linkup linkdown coldstart
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
telnet x.x.x.x x.x.x.x inside
telnet x.x.x.x x.x.x.x inside
telnet timeout 5
ssh timeout 5
console timeout 0
dhcpd auto_config OUtside
!
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
webvpn
username ******* password ************** encrypted privilege 15
username ******* password ************** encrypted privilege 15
username ******* password ************** encrypted privilege 15
!
class-map inspection_default
 match default-inspection-traffic
!
!
policy-map type inspect dns preset_dns_map
 parameters
  message-length maximum client auto
  message-length maximum 512
policy-map global_policy
 class inspection_default
  inspect dns preset_dns_map
  inspect ftp
  inspect h323 h225
  inspect h323 ras
  inspect rsh
  inspect rtsp
  inspect esmtp
  inspect sqlnet
  inspect skinny
  inspect sunrpc
  inspect xdmcp
  inspect sip
  inspect netbios
  inspect tftp
  inspect ip-options
!
service-policy global_policy global
prompt hostname context
no call-home reporting anonymous
Cryptochecksum:
: end
FW#

Thanks.

OK, so since you are able to login with the TACACS credentials, that means that you got the authentication piece done properly. Now since you are not able to get to the exec level, that means that the authorization part is not configured properly on either your ASA and/or ACS. A couple more questions:

1. What version of ACS are you using?

2. Are you passing a privilege level 15 profile from ACS?

3. I am not that good with ASAs but I think you need to add some authorization commands to your ASA as well. Try:

aaa authorization command your_server_name/IP

aaa authorization exec authentication-server
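As an added illustration (not the poster's config or the replier's exact commands), here is how the AAA section of the posted configuration could look once login, the enable prompt and the EXEC privilege level are all handed to the TACACS+ server; the server tag ACS, the host 10.0.0.5 and the placeholder key are assumptions.

```cisco
! Added example for an ASA 8.2(5) using TACACS+ (ACS) for management access.
! Server tag "ACS", host 10.0.0.5 and the key are placeholders (assumption).
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 10.0.0.5
 key <shared-secret>
!
! Authenticate management sessions against TACACS+; LOCAL is only the
! fallback when the server group is unreachable, not for a rejected login.
aaa authentication ssh console ACS LOCAL
aaa authentication http console ACS LOCAL
aaa authentication telnet console ACS LOCAL
!
! Check the "enable" prompt against TACACS+ instead of the local enable
! password: the user is asked for their own username and password.
aaa authentication enable console ACS LOCAL
!
! Apply the privilege level returned by the server (the TACACS+ shell
! profile on ACS must carry priv-lvl=15 for admins); without this the
! session stays at level 1 even after a successful login.
aaa authorization exec authentication-server
!
! Optional per-command authorization. Test it from a second session
! first: a profile that denies "enable" or "configure" locks admins out.
! aaa authorization command ACS LOCAL
!
! Send enable and command accounting to the server for an audit trail.
aaa accounting enable console ACS
aaa accounting command ACS
!
! Keep the local lockout so fallback accounts resist password guessing.
aaa local authentication attempts max-fail 5
```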