ACS - ASA Authorization and Accounting

eng.malak
Level 1

Hi

I have some questions regarding authorization and accounting on ASA via ACS server:

1. When I enable the command "aaa authorization command" to control SSH users' commands, I get locked out on the console, then I have to configure the console, telnet, and enable to be authenticated via TACACS too. Is there any way to authorize SSH via TACACS while keeping console and telnet authenticated locally, or even with no authentication?
2. I issued the accounting command "aaa accounting command TAC" on the ASA, but I noticed that the ACS just logs commands in configuration mode (privilege 15), not any show command or privilege 1 command. Is there any way to fix this?
3. Does RADIUS support SHELL authorization?

Thanks for your support.

Accepted Solutions

Jatin Katyal
Cisco Employee

1.] Unfortunately, there currently isn't any way to exclude command authorization from the serial/console or SSH users while having it apply to other access methods in the case of the ASA. Once you issue this command, it is applicable to ALL methods: ssh, telnet, enable, http and console. This can be easily achieved in IOS (routers and switches) by creating a method list.

2.] When you configure the aaa accounting command command, each command other than show commands entered by an administrator is recorded and sent to the accounting server or servers. This is the default behaviour on the ASA. IOS does send/record all show commands to ACS/TACACS.

http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/a1.html

Regards,

Jatin

Do rate helpful posts-

~Jatin


Omdatta pawar
Level 1

When you log in on the device using the console, the console user is "enable_15". If your console is locked due to authorization, create user "enable_15" on the ACS server with level 15 access. Also create enable_15 as a local user too. This way you will be able to access the device through the console, no matter whether ACS is available or not.

12 Replies

Amjad Abdullah
VIP Alumni

Hi,

1-)

You allow your username (or your group) full access in authorization on the ACS server. Then you can fully configure your device. After finishing the device you can restrict access back for the same user or group.

Do not use the command "aaa authorization console".

Make sure that the configuration under "line console 0" is not configured for AAA.

2-)

Make sure to configure all levels for accounting:

aaa accounting commands 0 start-stop group

aaa accounting commands 1 start-stop group

aaa accounting commands 15 start-stop group

I think so far you only applied level 15.

3-)

RADIUS does not support shell authorization. This is only supported via TACACS+.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

Thanks Amjad for your reply.

Regarding points 1 & 2, I meant the authorization and accounting on the ASA, not on IOS. Thanks for point 3.

Yup I understand it is on ASA. I never worked with ASA but I think they are almost the same from command line and you can access console and vty lines, no?

Rating useful replies is more useful than saying "Thank you"

Unfortunately no, authorization is totally different on the ASA.

Sorry for that.

Looking at the config guides, I found that you may apply authorization levels locally on the ASA to the users authenticating via the local DB or via RADIUS!

Here is the link. I hope you find it useful: http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/mgaccess.html#wp1072168

Provide the necessary level to the user you are logging in with, so that enabling authorization still authorizes you for the commands you need.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"

Hey eng.malak,

Did the steps above, creating a local user on the ASA, solve the problem? I have the same problem. I haven't tried yet, but I will do it on Monday.


Hi,

I configured the ASA as below but the ACS still doesn't log priv. 1 commands. Any idea?

aaa authentication telnet console TAC

aaa authentication serial console TAC

aaa authentication enable console TAC

aaa authorization command TAC

aaa accounting telnet console TAC

aaa accounting command TAC

aaa accounting enable console TAC

aaa authorization exec authentication-server

Create a user on the ASA with level 15 access; by default the ASA creates users with level 7 access.

And apply the below commands on the ASA:

aaa-server TAC protocol tacacs+

aaa-server TAC (outside) host

aaa-server TAC (outside) host

aaa authentication ssh console TAC LOCAL

aaa authentication enable console TAC LOCAL

aaa authentication http console TAC LOCAL

aaa authorization command TAC LOCAL

aaa accounting ssh console TAC

aaa accounting enable console TAC

aaa accounting command TAC
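The two configurations in this thread, the poster's TACACS-only one and the reply's one with LOCAL fallback, can be checked mechanically for the lock-out condition Jatin and Omdatta describe. The Python audit below is an added example, not code from the thread or from Cisco; the rule that serial console and command authorization are the lock-out paths, and the enable_15 user name, come from the replies above, and the two sample configs are constructed from the snippets posted (the enable_15 password is a placeholder).

```python
import re

# Matches ASA lines such as "aaa authentication ssh console TAC LOCAL" and
# "aaa authorization command TAC"; accounting lines deliberately do not match.
AAA_RE = re.compile(r"^aaa (authentication|authorization) (\S+)(?: console)? (\S+)((?: \S+)*)$")
USER_RE = re.compile(r"^username (\S+) .*privilege (\d+)\b")

def audit_aaa(config_text):
    """Return (severity, message) findings for an ASA aaa config snippet."""
    findings = []
    command_authz = False
    local_enable15 = False
    for raw in config_text.splitlines():
        line = raw.strip()
        um = USER_RE.match(line)
        if um and um.group(1) == "enable_15" and um.group(2) == "15":
            local_enable15 = True  # the console user name identified in the thread
        m = AAA_RE.match(line)
        if not m:
            continue
        kind, method, server, rest = m.groups()
        if kind == "authorization" and method == "exec":
            continue  # 'exec authentication-server' names no AAA server tag
        if kind == "authorization" and method == "command":
            command_authz = True
        if server != "LOCAL" and "LOCAL" not in rest.split():
            # serial console and command authorization are the lock-out paths
            severity = "high" if method in ("serial", "command") else "medium"
            findings.append((severity, "no LOCAL fallback: " + line))
    if command_authz and not local_enable15:
        findings.append(("high", "command authorization without a local "
                                 "'username enable_15 ... privilege 15'"))
    return findings

def lockout_risk(config_text):
    """True if the snippet can lock the console out while TACACS+ is unreachable."""
    return any(sev == "high" for sev, _ in audit_aaa(config_text))

# Constructed from the poster's first snippet: TACACS+ only, no fallback.
RISKY = """aaa authentication serial console TAC
aaa authentication enable console TAC
aaa authorization command TAC
aaa authorization exec authentication-server"""

# Constructed from the later reply plus the enable_15 advice (placeholder password).
HARDENED = """aaa authentication serial console TAC LOCAL
aaa authentication enable console TAC LOCAL
aaa authorization command TAC LOCAL
aaa accounting command TAC
username enable_15 password PLACEHOLDER privilege 15"""
```

Run `audit_aaa(RISKY)` against a config pulled from `show running-config aaa` plus the username lines to get the list of lines that would strand you on the console when the ACS is down.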

I'm sure that I'm using a priv. 15 user, as below:

ASA1# sh curpriv

Username : fwuser1

Current privilege level : 15

Current Mode/s : P_PRIV

ASA1#

But unfortunately it is still not working.

Is user "fwuser1" a TACACS or a local user?

Check: is TACACS reachable?
