06-25-2012 03:02 PM - edited 03-10-2019 07:14 PM
Hi
I have some questions regarding authorization and accounting on ASA via ACS server
thanks for your support
Solved! Go to Solution.
06-26-2012 05:07 AM
1.] Unfortunately, there currently isn't any way to exclude command authorization from the serial/ console or ssh users while having it apply to other access methods in case of ASA. Once you issue this command, it would be applicable for ALL methods like ssh,telnet,enable,http and console. This can be easily achieved in IOS (routers and switches) by creating a method list.
2.] When you configure the aaa accounting command command, each command other than show commands entered by an administrator is recorded and sent to the accounting server or servers. This is a default behaviour on ASA. IOS does send/record all show commands on ACS/Tacacs.
http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/a1.html
Regards,
Jatin
Do rate helpful posts-
07-29-2012 11:28 PM
When you login on the device using console , the console user is "enable_15", if your console is lock due to authorization. Create user "enable_15" on ACS server with level 15 access. Also create a eanable_15 as local user too. This is way u will be able to access the device through console, no matter ACS is availabel or not.
06-25-2012 11:36 PM
Hi,
1-)
You allow your username (or your group) full access in authorization in ACS server. Then you can fully configure your device. After finishing the device you can restrict access back to same user or group.
Do not use the comand "aaa authorization console".
Make sure that the configuration under the "line console 0" is no configured for AAA.
2-)
make sure to configure all levels for accounting.
aaa cccounting comands 0
aaa cccounting comands 1
aaa cccounting comands 15
I think so far you only applied level 15.
3-)
RADIUS does not support shell authorization. This is only supported via TACACS+.
HTH
Amjad
06-25-2012 11:44 PM
Thanks Amjad for your reply
regarding point 1&2 i meant the authorization and accounting on the ASA not the IOS , thanks for point 3
06-25-2012 11:54 PM
Yup I understand it is on ASA. I never worked with ASA but I think they are almost the same from command line and you can access console and vty lines, no?
06-25-2012 11:59 PM
Unfortunately no , authorization is totally diffrent on ASA .
06-26-2012 12:17 AM
Sorry for that.
Looking for the config guides I found that you may locally in ASA apply authorization levels to the users authenticating via local DB or via radius!
Here is the link. I hope you find it useful: http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/mgaccess.html#wp1072168
Provide necessary level to the user you are logging with so that enablign authorization still authorize you with the commands you need.
HTH
Amjad
04-01-2017 05:07 PM
hey eng.malak,
were the steps above by creating a locallly user on the asa solved the problem? I have the same problem. havent tried yet, but I will do it on Monday.
06-26-2012 05:07 AM
1.] Unfortunately, there currently isn't any way to exclude command authorization from the serial/ console or ssh users while having it apply to other access methods in case of ASA. Once you issue this command, it would be applicable for ALL methods like ssh,telnet,enable,http and console. This can be easily achieved in IOS (routers and switches) by creating a method list.
2.] When you configure the aaa accounting command command, each command other than show commands entered by an administrator is recorded and sent to the accounting server or servers. This is a default behaviour on ASA. IOS does send/record all show commands on ACS/Tacacs.
http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/a1.html
Regards,
Jatin
Do rate helpful posts-
10-10-2012 04:07 AM
hi
i configure the ASA as below but still ACS doesn't log for priv.1 commands m any idea ?
aaa authentication telnet console TAC
aaa authentication serial console TAC
aaa authentication enable console TAC
aaa authorization command TAC
aaa accounting telnet console TAC
aaa accounting command TAC
aaa accounting enable console TAC
aaa authorization exec authentication-server
10-10-2012 04:31 AM
create user on ASA with level 15 access, by default ASA create user with level 7 access.
And apply a below command on ASA
aaa-server TAC protocol tacacs+
aaa-server TAC (outside) host
aaa-server TAC (outside) host
aaa authentication ssh console TAC LOCAL
aaa authentication enable console TAC LOCAL
aaa authentication http console TAC LOCAL
aaa authorization command TAC LOCAL
aaa accounting ssh console TAC
aaa accounting enable console TAC
aaa accounting command TAC
10-10-2012 04:42 AM
i'm sure that i'm useing priv.15 user as below
ASA1# sh curpriv
Username : fwuser1
Current privilege level : 15
Current Mode/s : P_PRIV
ASA1#
but unfortunately still not working
10-10-2012 04:53 AM
user "fwuser1" is tacacs or local user?
Check is tacacs rechable?
07-29-2012 11:28 PM
When you login on the device using console , the console user is "enable_15", if your console is lock due to authorization. Create user "enable_15" on ACS server with level 15 access. Also create a eanable_15 as local user too. This is way u will be able to access the device through console, no matter ACS is availabel or not.
Discover and save your favorite ideas. Come back to expert answers, step-by-step guides, recent topics, and more.
New here? Get started with these tips. How to use Community New member guide