05-13-2015 06:11 AM - edited 03-12-2019 05:45 PM
Hello!
I am currently using the open source TACACS+ server called "tac_plus" for Linux distributions. I have configured the configuration file correctly, and I am able to log into ASDM using one of the accounts' credentials without an issue, with a privilege level of 15. The other account in the file has a privilege level of 5; when I log in using those credentials the privilege level is also level 15. How can I configure my ASA to reflect the correct privilege level from the tac_plus configuration file? The following is my ASA configuration:
ASA Version 9.1(2)
!
hostname TACTESTASA
enable password 2KFQnbNIdI.2KYOU encrypted
passwd 2KFQnbNIdI.2KYOU encrypted
names
!
interface GigabitEthernet0/0
 nameif Private
 security-level 100
 ip address dhcp setroute
!
interface GigabitEthernet0/1
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/2
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/3
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/4
 shutdown
 no nameif
 no security-level
 no ip address
!
interface GigabitEthernet0/5
 shutdown
 no nameif
 no security-level
 no ip address
!
interface Management0/0
 management-only
 nameif Management
 security-level 0
 ip address 192.168.1.1 255.255.255.0
!
ftp mode passive
object-group protocol DM_INLINE_PROTOCOL_1
 protocol-object ip
 protocol-object icmp
object-group protocol DM_INLINE_PROTOCOL_2
 protocol-object ip
 protocol-object icmp
access-list Private_access_in extended permit ip any any
access-list Private_access_in extended permit object-group DM_INLINE_PROTOCOL_1 any any
access-list global_access extended permit object-group DM_INLINE_PROTOCOL_2 any any
pager lines 24
logging enable
logging asdm informational
mtu Private 1500
mtu Management 1500
icmp unreachable rate-limit 1 burst-size 1
no asdm history enable
arp timeout 14400
no arp permit-nonconnected
access-group Private_access_in in interface Private
access-group global_access global
timeout xlate 3:00:00
timeout pat-xlate 0:00:30
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout sip-provisional-media 0:02:00 uauth 0:05:00 absolute
timeout tcp-proxy-reassembly 0:01:00
timeout floating-conn 0:00:00
dynamic-access-policy-record DfltAccessPolicy
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (Private) host 141.254.1.81
 key *****
user-identity default-domain LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa accounting enable console TACACS+
aaa accounting serial console TACACS+
aaa accounting ssh console TACACS+
aaa accounting telnet console TACACS+
aaa accounting command TACACS+
http server enable
http 0.0.0.0 0.0.0.0 Management
http 0.0.0.0 0.0.0.0 Private
no snmp-server location
no snmp-server contact
snmp-server enable traps snmp authentication linkup linkdown coldstart warmstart
crypto ipsec security-association pmtu-aging infinite
crypto ca trustpool policy
telnet timeout 5
ssh 141.254.69.0 255.255.255.0 Private
ssh timeout 5
ssh key-exchange group dh-group1-sha1
console timeout 0
dhcp-client client-id interface Private
threat-detection basic-threat
threat-detection statistics access-list
no threat-detection statistics tcp-intercept
ssl encryption aes128-sha1 3des-sha1
username test password P4ttSyrm33SV8TYp encrypted privilege 15
username admin password eY/fQXw7Ure8Qrz7 encrypted privilege 15
username netopns password rgNS3pxkpx9OSJMI encrypted
!
!
prompt hostname context
no call-home reporting anonymous
call-home
 profile CiscoTAC-1
  no active
  destination address http https://tools.cisco.com/its/service/oddce/services/DDCEService
  destination address email callhome@cisco.com
  destination transport-method http
  subscribe-to-alert-group diagnostic
  subscribe-to-alert-group environment
  subscribe-to-alert-group inventory periodic monthly 5
  subscribe-to-alert-group configuration periodic monthly 5
  subscribe-to-alert-group telemetry periodic daily
Cryptochecksum:b7c3663328a68bae62d7693a14664509
: end
tac_plus configuration is as follows:
# ENCRYPTION KEY
accounting file = /var/log/tac_plus.acct
key = cisco

# * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
# * GROUPS *
# * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
group = admin {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

group = NETOPS {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

group = LAN_SERVICES_EXEC {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

group = LAN_SERVICES {
    default service = permit
    service = exec {
        priv-lvl = 5
    }
}

group = SERVICE_ACCOUNTS {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}

# * * * * * * * * * * * * * * * * * * * * * * * * * * * * *
# * USERS *
# * * * * * * * * * * * * * * * * * * * * * * * * * * * * *

# * * * * * * * * * * * * * * * * * * * * *
# * Test Users *
# * * * * * * * * * * * * * * * * * * * * *
user = tester {
    member = admin
    login = des dxhK2jj6hRKzc
}

# * * * * * * * * * * * * * * * * * * * * *
# * LAN Services Users *
# * * * * * * * * * * * * * * * * * * * * *
user = User1 {
    member = LAN_SERVICES_EXEC
    login = des 0ckqZkWPnQs7M
}

user = User2 {
    member = LAN_SERVICES
    login = des wi/dh6RXNkaYU
    cmd = show {
        permit .*
    }
}

# * * * * * * * * * * * * * * * * * * * * *
# * Service Account Users *
# * * * * * * * * * * * * * * * * * * * * *
user = Admin {
    member = SERVICE_ACCOUNTS
    login = des 4AXsNOYop30Mw
}
Any help would be appreciated, please let me know if you need more information.
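An added audit script (not from this thread or from the tac_plus project) that resolves the priv-lvl tac_plus will return for each user, following `member = GROUP` chains, and then checks whether an ASA config contains `aaa authorization exec authentication-server`, the ASA command that makes the firewall apply the server-supplied level rather than its own default; that command is absent from the posted config, and the sample configs below are constructed excerpts modelled on it.

```python
import re

# Constructed tac_plus excerpt modelled on the posted file (not the poster's full config).
TAC_PLUS_CONF = """
# * GROUPS *
group = admin { default service = permit service = exec { priv-lvl = 15 } }
group = LAN_SERVICES { default service = permit service = exec { priv-lvl = 5 } }
# * USERS *
user = tester { member = admin login = des dxhK2jj6hRKzc }
user = User2 { member = LAN_SERVICES login = des wi/dh6RXNkaYU cmd = show { permit .* } }
"""
# Constructed ASA AAA excerpts: as posted (authentication only) and with exec authorization added.
ASA_AAA_AS_POSTED = """
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
"""
ASA_AAA_WITH_EXEC_AUTHZ = ASA_AAA_AS_POSTED + "aaa authorization exec authentication-server\n"
HEADER = re.compile(r"(group|user)\s*=\s*([^\s{]+)\s*\{")

def top_level_blocks(text):
    """Map (kind, name) -> body for every top-level 'group = X { ... }' / 'user = X { ... }'."""
    blocks, pos = {}, 0
    while (m := HEADER.search(text, pos)):
        depth, j = 1, m.end()
        while depth and j < len(text):    # walk to the matching close brace
            depth += {"{": 1, "}": -1}.get(text[j], 0)
            j += 1
        blocks[(m.group(1), m.group(2))] = text[m.end():j - 1]
        pos = j
    return blocks

def priv_level(blocks, kind, name, seen=()):
    """Effective exec priv-lvl: the block's own value, else inherited via 'member = GROUP'."""
    body = blocks.get((kind, name))
    if body is None or (kind, name) in seen:
        return None                       # unknown block or membership loop
    if (m := re.search(r"priv-lvl\s*=\s*(\d+)", body)):
        return int(m.group(1))
    g = re.search(r"member\s*=\s*(\S+)", body)
    return priv_level(blocks, "group", g.group(1), seen + ((kind, name),)) if g else None

def user_levels(conf):
    """What tac_plus will hand back for each user, after dropping '#' comment lines."""
    blocks = top_level_blocks(re.sub(r"#[^\n]*", "", conf))
    return {name: priv_level(blocks, "user", name) for kind, name in blocks if kind == "user"}

def asa_takes_server_priv(asa_conf):
    """True when the ASA config tells it to use the AAA-server-supplied privilege level."""
    return re.search(r"^\s*aaa authorization exec authentication-server\b", asa_conf, re.M) is not None
```

Running `user_levels(TAC_PLUS_CONF)` shows the server side already distinguishes the two users (15 and 5), so a mismatch on the ASA points at the missing exec-authorization line rather than at the tac_plus file.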
05-13-2015 08:59 AM
I'm also experiencing the same issue, but I use ACS 5.5. I have already troubleshot everything but no luck. I hope I can get some answers here. :(
05-26-2015 05:09 AM
*Bump* Anybody have any information on how to go about solving this issue?