06-17-2008 01:26 AM - edited 03-10-2019 03:54 PM
Here is the problem I am experiencing, and I hope someone out there is able to help.
I have an ASA5510 (running software Version 8.0(3)). I have enabled remote authentication to our company's TACACS server (which is running the open source TACACS+ supplied by Cisco).
The problem is as follows:
I can telnet to the appliance remotely and, using my username and password (configured on the TACACS server), I am authenticated. But after entering enable, I am prompted with the password prompt, and I cannot get past this prompt. I have tried the same password I previously entered at the telnet prompt and it failed; the local enable password fails as well. Any suggestions?
aaa-server (server_name) protocol tacacs+
aaa-server (server_name) (interlinkport) host (Address)
key (password)
aaa authentication enable console (server_name) LOCAL
aaa authentication http console (server_name) LOCAL
aaa authentication serial console (server_name) LOCAL
aaa authentication ssh console (server_name) LOCAL
aaa authentication telnet console (server_name) LOCAL
aaa accounting command privilege 15 (server_name)
aaa authorization exec authentication-server
06-17-2008 02:33 AM
telnet password = passwd command
enable password = enable command
Try one thing, either remove
aaa authentication enable console (server_name) LOCAL
or change it to:
aaa authentication enable console LOCAL
Then try putting the 'local' enable password at the password prompt.
Regards
Farrukh
06-17-2008 03:20 AM
Farrukh - Sorry, I should have mentioned this earlier: I had executed your recommendation and it does work. But I don't want our engineering team having to refer to paperwork for the enable password.
That is why I want the enable password to be authenticated by the TACACS server.
I believe that the problem is with the parameters on the TACACS server. But I do not know all the syntax that needs to be entered.
I believe that there must be an additional parameter for the enable privilege.
06-17-2008 03:43 AM
Yes, I just wanted to double check and rule out everything else. Which AAA server are you using?
Regards
Farrukh
06-17-2008 04:19 AM
My management team informs me that it is the open source TACACS+ supplied by Cisco. I am not sure what version, and I am unable to find out until tomorrow as it is 10:30pm local time.
What other info would you like?
06-17-2008 04:26 AM
I'm assuming they are talking about 'free tacacs'; a sample configuration file can be found at the end of this link:
http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800946a3.shtml
Regards
Farrukh
06-17-2008 04:20 PM
Farrukh, that is correct: we (stancred and I) are using the 'free tacacs' as you suggested.
Group Definitions:
group = engineer {
default service = permit
service = exec {
# logout after n mins idle
idletime = 15
# grant access level 15
priv-lvl=15
}
}
And User definitions:
user =
login = cleartext
member = engineer
}
06-17-2008 05:43 PM
Do you have this at the top of your file, as per the cisco.com link I sent earlier?
# Enable password setup for everyone:
user = $enable$ {
login = cleartext "cisco"
}
Please note there is a slight difference between the PIX and IOS routers: the privilege level feature was never properly implemented in PIX firewalls. So you might need to set up an enable password as above.
Regards
Farrukh
06-17-2008 04:38 AM
I will try this tomorrow. Just so you know, the same username and password work on Cisco routers. I have no trouble telnetting in and accessing enable mode.
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!
06-17-2008 05:07 AM
You aren't authenticating the enable password via AAA.
That would require an:
aaa authentication enable ....
Regards
Farrukh
06-17-2008 11:35 AM
With respect to your comments:
"I believe that the problem is with the parameters on the TACACS server. But I do not know all the syntax that needs to be entered.
I believe that there must be an additional parameter for the enable privilege."
... I understand you are NOT using Cisco Secure ACS, however, the following requirement may exist in your scenario as well:
When configuring enable authentication on a CSACS, you would need to specify "Max Privilege" (i.e.: Level 15) in the "TACACS+ Enable Control" section of "Advanced TACACS+ Settings" for the User's account.
When the AAA Client sends an authentication request to the TACACS server, the "Privilege Level" AV pair is specified. I would expect this criterion to be compared to the user's configuration (i.e.: Max Privilege).
06-17-2008 05:54 PM
I think I can help you here since I've been using Cisco Freeware TACACS+ for almost 7 years now. I am not an expert, just enough to be dangerous.
Since the code is open-source, each company uses it differently; however, there is one thing that will always be true. That would be the enable.c file, which is a C program. You would need to modify this file so that EVERYONE can have his/her own enable password, just like Cisco ACS running on Windows platforms.
The configuration file would look something like this:
accounting file = /var/log/tac_plus.log
key = zFgGkIooIsZ.Q
user = cciesec {
member = admin
name = "ccie security"
login = cleartext "cciesec"
}
user = $cciesec$ {
member = admin
name = "ccie security"
login = cleartext "cciesec1"
}
group = admin {
default service = permit
}
On the Pix:
aaa-server NEO protocol tacacs+
aaa-server NEO (outside) host 192.168.15.10
timeout 5
key cciesec
aaa authentication ssh console NEO LOCAL
aaa authentication enable console NEO LOCAL
Here is the login sequence:
[root@dca2-LinuxES root]# ssh -l cciesec 192.168.0.25
The authenticity of host '192.168.0.25 (192.168.0.25)' can't be established.
RSA key fingerprint is c2:48:15:85:92:7f:56:15:a8:0f:80:d9:88:50:fd:1c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.25' (RSA) to the list of known hosts.
cciesec@192.168.0.25's password:
Type help or '?' for a list of available commands.
CiscoPix> en
Password: ********
CiscoPix#
In other words, my initial password is "cciesec" and my enable password is "cciesec1". Another user "tom" will have his own login and enable password.
Simple enough?
06-17-2008 08:22 PM
Hi cisco24x7
Looking at the enable.c file as suggested, I can see the section for $enable$ or $enab15$ - I assume this is what you are referring to when you mention that we would need to add each user (i.e. to be tested within the code).
Stupid question - I assume that I would need to compile this code once modifications have been made? And as such it is not able to be dynamically updated?
Our environment will not allow for a 'default' enable password across all devices. At most we could specify a default per 'group' of devices (i.e. per customer).
Farrukh - As suggested, the config below works; however, as per my post above, it is not acceptable to have a default enable password across all devices (or all PIXs).
# Enable password setup for everyone:
user = $enable$ {
login = cleartext "cisco"
}
Thanks
Kylie
06-18-2008 12:10 AM
Then you need to go with the solution presented by Cisco24X7. You might find compiling help at the link I posted earlier.
Regards
Farrukh
06-18-2008 03:02 AM
My solution allows everyone to have both his/her own unique exec and enable password. NO PASSWORD SHARING, just like Cisco ACS. With Freeware TACACS+, you have an ACL in the configuration to block certain users from accessing certain devices. In other words, you can do just about whatever you want.
Last but not least, every time you make a change in the configuration, you have to restart tac_plus. That's really easy. I have multiple tacacs servers and I only make changes to the master tacacs server configuration files. Since mine is running on Linux, I can do "service tac_plus restart" or set a cron job to run every 4 hours to restart the tac_plus service. The restart takes about 2 seconds. Furthermore, I also set up another cron to copy the master file over to the other tacacs servers as well, via Secure Copy, very secure. That way I can achieve redundancy in case my primary tacacs server goes down, which is very unlikely (this is NOT a Windows environment). The best thing is that all of this is FREE.
One more thing: you can compile the code to use One-time Passwords In Everything (OPIE) as well. Think of it like two-factor authentication. In this day and age, sharing an enable password is a security violation, IMHO.