
2684 Views | 10 Helpful | 6 Replies
jkuehl
Beginner

ASA 5525X AAA login to EXEC mode through ISE

I am using ISE 2.0 and have created a Policy to login to our ASA 5525X running ver 9.5.2 using SSH.

I can log in to the ASA in user EXEC mode, then use enable and type my password again to get into privileged EXEC mode.

I would like to type in one username and password to get into priv exec mode directly.

This is what I have on our ASA:

aaa-server vpnISE protocol radius
 authorize-only
 dynamic-authorization
aaa-server vpnISE (inside) host IP ADDRESS
 key *****

aaa-server vpnISE protocol radius
aaa-server vpnISE (inside) host IP ADDRESS
aaa authentication serial console LOCAL
aaa authentication ssh console vpnISE LOCAL
aaa authentication http console LOCAL
aaa authentication enable console vpnISE LOCAL

aaa authorization exec authentication-server auto-enable

I have an Authorization Profile:

ASA_Access

Access Type = ACCESS_ACCEPT
cisco-av-pair = shell:priv-lvl=15

The authentication policy is PAP_ASCII for AD and Local

The authorization policy:

nas-port-type: Virtual

network access protocol: Radius

When I attempt to log in with this setup it says that password authentication failed. When I check the logs I see that my authentication succeeded.

Do I need to change my attributes to something else to make this work?


6 REPLIES
nspasov
Cisco Employee

I have this working fine with my 5506 and ISE. The configs look correct too. When do you get the "password authentication failed"? Also, can you post some debugs from radius and aaa?

Thank you for rating helpful posts!

When I try to log in, the policy that is being hit is my VPN policy.

This is new after I completely redid my VPN connection with ISE.

I am working on trying to sort out the authorization rule now to separate the two.

After moving the auth rule higher I am able to get the following from debug:

Dec 16 2015 10:52:21 10.10.200.254 : %ASA-6-113004: AAA user authentication Successful : server =  10.10.20.56 : user = jasonkuehl
Dec 16 2015 10:52:21 10.10.200.254 : %ASA-6-113008: AAA transaction status ACCEPT : user = jasonkuehl
Dec 16 2015 10:52:21 10.10.200.254 : %ASA-3-113021: Attempted console login failed user 'jasonkuehl' did NOT have appropriate Admin Rights.
Dec 16 2015 10:52:21 10.10.200.254 : %ASA-6-611102: User authentication failed: IP address: 10.70.24.55, Uname: *****

Two questions:

1. Have you confirmed that the appropriate rule is now being hit in ISE?

2. Are you sending back the correct RADIUS attribute? For ASAs you need to return back:

Radius:Service-Type = Administrative

Thank you for rating helpful posts!


I was not using that RADIUS attribute. I was still using cisco-av-pair = shell:priv-lvl=15.

I have changed to this attribute and everything is working correctly.
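As an added example, not code from the thread, from Cisco or from ISE: a small Python model of what the ASA sees in the two Access-Accept replies discussed above, the one carrying only cisco-av-pair shell:priv-lvl=15 and the one that also carries Service-Type = Administrative. It encodes the attributes per RFC 2865 (Service-Type is attribute 6; cisco-av-pair is Vendor-Specific attribute 26, vendor 9, sub-type 1), verifies the Response Authenticator with the shared secret so a spoofed or tampered Accept is rejected before any privilege is read, and maps the result to the EXEC level granted. The shared secret and Request Authenticator are constructed values. The "denied" outcome for a priv-lvl-only Accept is what the debug output above shows; the mapping of Service-Type NAS-Prompt (7) to user EXEC is my understanding of ASA behaviour under `aaa authorization exec authentication-server`, not something the thread states.

```python
"""Model of how an ASA reads a RADIUS Access-Accept for EXEC authorization.
Added example; constructed values only, nothing here is production config."""
import hashlib
import hmac
import struct

ACCESS_ACCEPT = 2
ATTR_SERVICE_TYPE = 6            # RFC 2865 Service-Type
ATTR_VENDOR_SPECIFIC = 26        # RFC 2865 Vendor-Specific
CISCO_VENDOR_ID = 9
CISCO_AVPAIR = 1                 # cisco-av-pair sub-attribute
SERVICE_TYPE_ADMINISTRATIVE = 6  # what the accepted answer says to return
SERVICE_TYPE_NAS_PROMPT = 7      # assumed to map to user EXEC only

# Constructed test values (not from the thread).
SHARED_SECRET = b"constructed-shared-secret"
REQUEST_AUTHENTICATOR = bytes(range(16))


def avp(attr_type, value):
    """Encode one RADIUS attribute as type / length / value."""
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def service_type(value):
    return avp(ATTR_SERVICE_TYPE, struct.pack("!I", value))


def cisco_avpair(text):
    """Encode cisco-av-pair as a Vendor-Specific attribute (vendor 9, sub-type 1)."""
    sub = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode()
    return avp(ATTR_VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + sub)


def build_access_accept(ident, request_auth, secret, attrs):
    """Access-Accept with Response Authenticator = MD5(Code+ID+Length+ReqAuth+Attrs+Secret)."""
    head = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(attrs))
    resp_auth = hashlib.md5(head + request_auth + attrs + secret).digest()
    return head + resp_auth + attrs


def response_authenticator_ok(pkt, request_auth, secret):
    """The NAS side of the check: a reply with a bad authenticator is dropped."""
    head, resp_auth, attrs = pkt[:4], pkt[4:20], pkt[20:]
    expected = hashlib.md5(head + request_auth + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attributes(pkt):
    """Walk the TLVs; return the Service-Type value and any cisco-av-pair strings."""
    found = {"service_type": None, "av_pairs": []}
    body, i = pkt[20:], 0
    while i + 2 <= len(body):
        t, ln = body[i], body[i + 1]
        if ln < 2 or i + ln > len(body):
            raise ValueError("malformed RADIUS attribute")
        v = body[i + 2:i + ln]
        if t == ATTR_SERVICE_TYPE and len(v) == 4:
            found["service_type"] = struct.unpack("!I", v)[0]
        elif (t == ATTR_VENDOR_SPECIFIC and len(v) >= 6
              and struct.unpack("!I", v[:4])[0] == CISCO_VENDOR_ID):
            sub, j = v[4:], 0
            while j + 2 <= len(sub):
                st, sl = sub[j], sub[j + 1]
                if sl < 2 or j + sl > len(sub):
                    raise ValueError("malformed Cisco VSA")
                if st == CISCO_AVPAIR:
                    found["av_pairs"].append(sub[j + 2:j + sl].decode())
                j += sl
        i += ln
    return found


def asa_exec_level(pkt, request_auth, secret):
    """EXEC level an ASA with 'aaa authorization exec authentication-server auto-enable'
    would grant. priv-lvl alone is not enough: that is the thread's failure case."""
    if not response_authenticator_ok(pkt, request_auth, secret):
        return "rejected"                       # not from our server: ignore it
    st = parse_attributes(pkt)["service_type"]
    if st == SERVICE_TYPE_ADMINISTRATIVE:
        return "privileged-exec"
    if st == SERVICE_TYPE_NAS_PROMPT:           # assumed mapping, see lead-in
        return "user-exec"
    return "denied"                             # 'did NOT have appropriate Admin Rights'


def thread_before_and_after():
    """The original profile (av-pair only) versus the fixed one (plus Service-Type)."""
    before = build_access_accept(1, REQUEST_AUTHENTICATOR, SHARED_SECRET,
                                 cisco_avpair("shell:priv-lvl=15"))
    after = build_access_accept(2, REQUEST_AUTHENTICATOR, SHARED_SECRET,
                                service_type(SERVICE_TYPE_ADMINISTRATIVE)
                                + cisco_avpair("shell:priv-lvl=15"))
    return (asa_exec_level(before, REQUEST_AUTHENTICATOR, SHARED_SECRET),
            asa_exec_level(after, REQUEST_AUTHENTICATOR, SHARED_SECRET))


if __name__ == "__main__":
    print(thread_before_and_after())  # ('denied', 'privileged-exec')
```

Running it prints the before/after pair. The authenticator check is the part worth keeping in mind when troubleshooting: a mismatched shared secret on the aaa-server host line produces silently dropped replies, which looks like a failed login rather than a wrong attribute.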

Hi Nspasov,

I have the same issue when accessing the ASA as admin; I always have to type the enable password to go to EXEC mode (#).
But looking at jkuehl's config I see he is using RADIUS and not TACACS for admin access.
Can you please advise how to fix this using TACACS?