10-14-2008 10:16 AM - edited 03-10-2019 04:08 PM
Hi All,
I have configured TACACS on the ASA, but the problem is that when I try to telnet to it, it authenticates me with my username and password on ACS, but I can't move to privilege level 15 as configured on ACS. It asks me for the enable password and does not accept the password that is on ACS. I have used Shell Authorization for privilege 15. The configuration done on the ASA is:
name 172.30.xx.xx ACS-1
name 172.30.yy.yy ACS-2
aaa-server tacacs+ protocol tacacs+
aaa-server tacacs+ host ACS-1
key cisco
aaa-server tacacs+ host ACS-2
key cisco
aaa authentication telnet console tacacs+ LOCAL
aaa authentication telnet console tacacs+ tacacs+
aaa authentication ssh console tacacs+ LOCAL
aaa authentication enable console tacacs+ LOCAL
enable password V3VzjwYzTRfTLwOb encrypted
username piyush password vkCzRtKCaNG.HI6s encrypted privilege 15
username ideanoc password S0qrUlXOHFcX7LCw encrypted privilege 15
I even added my username and password to the local database on the ASA, as on ACS. Still no progress....
Can anyone give a suggestion on this?
Regards,
Piyush
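As an added example (not part of the thread or of any Cisco tool), a small Python audit of the posted aaa authentication lines: it parses each service's server group and fallback, flags the duplicated telnet line and the "tacacs+ tacacs+" entry, and confirms that enable authentication is sent to TACACS+ with a LOCAL fallback. The sample config is copied from the post above; the function and check names are my own.

```python
import re
from typing import Dict, List, Optional, Tuple

# Sample input: the aaa/username lines exactly as posted in the thread above
# (hashes are the posted ones; the aaa-server lines are omitted as irrelevant here).
ASA_CONFIG = """\
aaa authentication telnet console tacacs+ LOCAL
aaa authentication telnet console tacacs+ tacacs+
aaa authentication ssh console tacacs+ LOCAL
aaa authentication enable console tacacs+ LOCAL
username piyush password vkCzRtKCaNG.HI6s encrypted privilege 15
username ideanoc password S0qrUlXOHFcX7LCw encrypted privilege 15
"""

# ASA syntax: aaa authentication <service> console <server-tag> [LOCAL]
AUTH_RE = re.compile(r"^aaa authentication (\S+) console (\S+)(?: (\S+))?$")
USER_RE = re.compile(r"^username (\S+) .*?privilege (\d+)$")


def parse_aaa(config: str) -> Dict[str, object]:
    """Return aaa authentication entries per service and the privilege-15 users."""
    auth: Dict[str, List[Tuple[str, Optional[str]]]] = {}
    priv15: List[str] = []
    for line in config.splitlines():
        line = line.strip()
        if m := AUTH_RE.match(line):
            svc, primary, fallback = m.groups()
            auth.setdefault(svc, []).append((primary, fallback))
        elif (m := USER_RE.match(line)) and m.group(2) == "15":
            priv15.append(m.group(1))
    return {"auth": auth, "priv15_users": priv15}


def audit_aaa(config: str) -> List[str]:
    """Flag settings that commonly cause login/enable lockouts on an ASA."""
    parsed = parse_aaa(config)
    findings: List[str] = []
    for svc, entries in parsed["auth"].items():
        if len(entries) > 1:
            findings.append(f"{svc}: {len(entries)} authentication lines; verify which one the ASA kept")
        for primary, fallback in entries:
            if fallback is None:
                findings.append(f"{svc}: no LOCAL fallback; lockout if {primary} is unreachable")
            elif fallback.upper() != "LOCAL":
                findings.append(f"{svc}: fallback '{fallback}' is not valid; only LOCAL may follow the server tag")
    if "enable" not in parsed["auth"]:
        findings.append("enable: not sent to AAA; only the local enable password is used")
    if not parsed["priv15_users"]:
        findings.append("no local privilege-15 user exists for LOCAL fallback")
    return findings
```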
10-14-2008 11:09 AM
Piyush,
The ASA does not support exec authorization, so you will not fall directly into enable mode the way we do on routers/switches.
http://www.ciscotaccc.com/security/showcase?case=K25224726
But it should let you in using the enable password. In the ACS user setup, make sure you have an enable password defined and that you are using that password.
User Setup Edit ---> TACACS+ Enable Password, and choose the option as per your need.
Regards,
~JG
Do rate helpful posts
10-14-2008 12:32 PM
I tried doing the same, but that also doesn't help.
Do I need to give:
aaa accounting command privilege 15 tacacs+
to make it privilege 15?
10-14-2008 12:55 PM
No, that command is for accounting.
Make sure Max Privilege for any AAA Client is set to 15 in the ACS group setup.
Do we get any error in Failed Attempts?
Regards,
~JG
Do rate helpful posts
10-14-2008 01:22 PM
Yes, all that is done. Level 15 is set in Shell (exec) in group setup, and the Shell Command Authorization Set also provides full access...
And I can't find any logs in Failed Attempts, but I can see the authentication passed in the Passed Authentications logs.
The link which you posted is for IOS ver 7.x, but I am using 8.0(3).
Regards,
Piyush
10-14-2008 01:25 PM
What I am getting on telnet is:
User Access Verification
Username: piyush
Password: **********
Type help or '?' for a list of available commands.
ICL-PUN-PRIDC1-MPLS-5550ASA1> en
Password: **********
Password: **********
Password: **********
Access denied.
ICL-PUN-PRIDC1-MPLS-5550ASA1>
ICL-PUN-PRIDC1-MPLS-5550ASA1>
This might give you some idea.
10-14-2008 01:31 PM
I'm not asking for shell priv level 15 but enable privilege. That should be set to 15 in ACS ---> User Setup ----> Enable Options ---> Max Privilege for any AAA Client --> 15
10-14-2008 01:46 PM
Oh, got that.... and that worked, man... thanks a lot.