12-09-2015 11:00 AM - edited 03-10-2019 11:18 PM
I am using ISE 2.0 and have created a policy to log in to our ASA 5525-X running version 9.5.2 using SSH.
I can log in to the ASA in user EXEC mode, then use enable and type my password again to get into privileged EXEC mode.
I would like to type in one username and password and get into privileged EXEC mode directly.
This is what I have on our ASA:
aaa-server vpnISE protocol radius
authorize-only
dynamic-authorization
aaa-server vpnISE (inside) host IP ADDRESS
key *****
aaa-server vpnISE protocol radius
aaa-server vpnISE (inside) host IP ADDRESS
aaa authentication serial console LOCAL
aaa authentication ssh console vpnISE LOCAL
aaa authentication http console LOCAL
aaa authentication enable console vpnISE LOCAL
aaa authorization exec authentication-server auto-enable
I have an authorization profile:
ASA_Access
Access Type = ACCESS_ACCEPT
cisco-av-pair = shell:priv-lvl=15
The authentication policy is PAP_ASCII for AD and local.
The authorization policy:
NAS-Port-Type: Virtual
Network Access Protocol: RADIUS
When I attempt to log in with this setup it says that password authentication failed. When I check the logs I see that my authentication succeeded.
Do I need to change my attributes to something else to make this work?
12-15-2015 01:42 PM
I have this working fine with my 5506 and ISE. The configs look correct too. When do you get the "password authentication failed"? Also, can you post some debugs from radius and aaa?
Thank you for rating helpful posts!
12-16-2015 08:44 AM
12-16-2015 08:58 AM
After moving the Auth rule higher I am able to get the following from debug:
Dec 16 2015 10:52:21 10.10.200.254 : %ASA-6-113004: AAA user authentication Successful : server = 10.10.20.56 : user = jasonkuehl
Dec 16 2015 10:52:21 10.10.200.254 : %ASA-6-113008: AAA transaction status ACCEPT : user = jasonkuehl
Dec 16 2015 10:52:21 10.10.200.254 : %ASA-3-113021: Attempted console login failed user 'jasonkuehl' did NOT have appropriate Admin Rights.
Dec 16 2015 10:52:21 10.10.200.254 : %ASA-6-611102: User authentication failed: IP address: 10.70.24.55, Uname: *****
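The four lines above show the pattern that confuses people in this situation: 113004/113008 say the RADIUS server accepted the user, while 113021 says the ASA refused the admin login anyway. The following is an added example (not part of the original thread) that parses those syslog lines and flags exactly that combination; the message-ID regexes, the triage labels and the HINTS text are this example's own assumptions, and the sample log is the four lines quoted from the post.

```python
import re
from collections import defaultdict

# The four syslog lines quoted from the debug output posted in this thread.
SAMPLE_LOG = """\
Dec 16 2015 10:52:21 10.10.200.254 : %ASA-6-113004: AAA user authentication Successful : server = 10.10.20.56 : user = jasonkuehl
Dec 16 2015 10:52:21 10.10.200.254 : %ASA-6-113008: AAA transaction status ACCEPT : user = jasonkuehl
Dec 16 2015 10:52:21 10.10.200.254 : %ASA-3-113021: Attempted console login failed user 'jasonkuehl' did NOT have appropriate Admin Rights.
Dec 16 2015 10:52:21 10.10.200.254 : %ASA-6-611102: User authentication failed: IP address: 10.70.24.55, Uname: *****
"""

# %ASA-<severity>-<message id>: <text>
MSG_RE = re.compile(r"%ASA-(?P<sev>\d)-(?P<id>\d{6}):\s*(?P<text>.*)$")
# The username appears as "user = name" (113004/113008) or "user 'name'" (113021).
USER_RE = re.compile(r"\buser(?: = |\s+')(?P<user>[^'\s]+)")

# Hypothetical triage labels and hints chosen for this example.
HINTS = {
    "accepted-but-no-admin-rights":
        "RADIUS Access-Accept received, but the ASA rejected the admin login: "
        "check that the ISE authorization profile returns Service-Type = Administrative.",
    "no-admin-rights": "ASA logged 113021 without a matching ACCEPT line.",
    "accepted": "Access-Accept seen and no 113021; the login should have succeeded.",
}

def parse_asa_syslog(text):
    """Return a list of (message_id, user_or_None, message_text) for each %ASA line."""
    events = []
    for line in text.splitlines():
        m = MSG_RE.search(line)
        if not m:
            continue  # not an ASA syslog line
        u = USER_RE.search(m.group("text"))
        events.append((m.group("id"), u.group("user") if u else None, m.group("text")))
    return events

def triage(text):
    """Group message IDs per user and label the AAA outcome for each user."""
    by_user = defaultdict(set)
    for msg_id, user, _ in parse_asa_syslog(text):
        if user:
            by_user[user].add(msg_id)
    verdicts = {}
    for user, ids in by_user.items():
        if "113021" in ids and "113008" in ids:
            verdicts[user] = "accepted-but-no-admin-rights"
        elif "113021" in ids:
            verdicts[user] = "no-admin-rights"
        elif "113008" in ids:
            verdicts[user] = "accepted"
        else:
            verdicts[user] = "other"
    return verdicts

if __name__ == "__main__":
    for user, verdict in triage(SAMPLE_LOG).items():
        print(f"{user}: {verdict} -> {HINTS.get(verdict, '')}")
```

Run against a larger syslog export, the "accepted-but-no-admin-rights" verdict is the one worth alerting on: it means the RADIUS policy matched and returned an Access-Accept, so the problem is the returned attributes rather than the credentials or the rule order. Note that the 611102 line carries no username (it is masked), so it cannot be joined to the others by user and is ignored here.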
12-16-2015 08:45 PM
Two questions:
1. Have you confirmed that the appropriate rule is now being hit in ISE
2. Are you sending back the correct RADIUS attribute? For ASAs you need to return back:
Radius:Service-Type = Administrative
Thank you for rating helpful posts!
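To make the difference between the two attributes concrete, here is an added example (written for this page, not code from the thread or from Cisco) that encodes both `cisco-av-pair = shell:priv-lvl=15` (a Cisco Vendor-Specific attribute) and `Service-Type = Administrative` (RFC 2865 attribute 6, value 6) on the wire, wraps them in an Access-Accept with a correct Response Authenticator, and applies the check the answer above describes: the ASA grants the admin login only when Service-Type = Administrative is present. The `asa_admin_granted` function is a model of that reported behaviour, not ASA code; the shared key and packet identifier are made up for the example.

```python
import hashlib
import hmac
import os
import struct

# RFC 2865 attribute types and the values used here.
SERVICE_TYPE = 6
VENDOR_SPECIFIC = 26
SERVICE_TYPE_ADMINISTRATIVE = 6      # "Administrative-User" value of Service-Type
CISCO_VENDOR_ID = 9                  # IANA enterprise number for Cisco
CISCO_AVPAIR = 1                     # Cisco VSA sub-type carrying cisco-av-pair
ACCESS_ACCEPT = 2

def attribute(atype, value):
    """Encode one RADIUS attribute as Type | Length | Value (Length covers the 2-byte header)."""
    return struct.pack("!BB", atype, 2 + len(value)) + value

def service_type(value):
    return attribute(SERVICE_TYPE, struct.pack("!I", value))

def cisco_avpair(text):
    """Encode cisco-av-pair as a Vendor-Specific attribute: 4-byte vendor id, then a sub-TLV."""
    payload = text.encode()
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(payload)) + payload
    return attribute(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)

def parse_attributes(data):
    """Decode a run of attributes; VSAs come back as ('vsa', vendor, subtype, value)."""
    out, i = [], 0
    while i < len(data):
        atype, alen = data[i], data[i + 1]
        if alen < 2 or i + alen > len(data):
            raise ValueError("malformed attribute length")
        value = data[i + 2:i + alen]
        if atype == VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", value[:4])[0]
            j = 4
            while j < len(value):
                stype, slen = value[j], value[j + 1]
                if slen < 2 or j + slen > len(value):
                    raise ValueError("malformed VSA sub-attribute length")
                out.append(("vsa", vendor, stype, value[j + 2:j + slen]))
                j += slen
        else:
            out.append((atype, value))
        i += alen
    return out

def access_accept(ident, request_authenticator, attrs, secret):
    """Build an Access-Accept; Response Authenticator = MD5(Code+ID+Length+RequestAuth+Attrs+Secret)."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    response_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + response_auth + attrs

def verify_response(packet, request_authenticator, secret):
    """What the NAS does with the shared key ('key *****' on the ASA): recompute the authenticator."""
    header, response_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, response_auth)

def asa_admin_granted(attrs):
    """Model of the check described in this thread: admin login needs Service-Type = Administrative."""
    for a in parse_attributes(attrs):
        if a[0] == SERVICE_TYPE and struct.unpack("!I", a[1])[0] == SERVICE_TYPE_ADMINISTRATIVE:
            return True
    return False

if __name__ == "__main__":
    req_auth = os.urandom(16)            # Request Authenticator from the Access-Request (random here)
    secret = b"example-shared-key"       # made-up shared key for the example
    only_priv = cisco_avpair("shell:priv-lvl=15")
    with_admin = only_priv + service_type(SERVICE_TYPE_ADMINISTRATIVE)
    pkt = access_accept(7, req_auth, with_admin, secret)
    print("authenticator ok                :", verify_response(pkt, req_auth, secret))
    print("priv-lvl=15 only                :", asa_admin_granted(only_priv))
    print("with Service-Type Administrative:", asa_admin_granted(pkt[20:]))
```

The `shell:priv-lvl=15` pair is still useful once you are in (it is what the ASA reads for `aaa authorization exec authentication-server`), but on its own it does not satisfy the console-login check, which is why the original profile produced an ACCEPT followed by 113021. If you capture the RADIUS reply from ISE, feeding the bytes after the 20-byte header to `parse_attributes` shows at a glance which of the two attributes actually went out.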
12-17-2015 07:33 AM
I was not using that RADIUS attribute. I was still using cisco-av-pair = shell:priv-lvl=15.
I have changed to this attribute and everything is working correctly.
03-07-2019 04:14 AM