10-21-2013 08:50 AM - edited 03-10-2019 09:00 PM
Hi,
This is driving me bonkers - so much so that I probably can't see the wood for the trees - can anyone shed any light on this please?
ASA Version: 8.2(5)33, supposed to authenticate to ACS Version: 5.1.0.44
The ASA AAA config is basic, but it still won't play nicely:
aaa-server TACACS protocol tacacs
aaa-server TACACS (inside) host 10.10.65.10
key ****
aaa-server TACACS (inside) host 172.19.39.250
key ****
aaa authentication serial console LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication http console TACACS
aaa authorization exec authentication-server
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host TACACS_1
aaa-server TACACS (inside) host TACACS_2
name 10.10.65.10 TACACS_1
name 172.19.39.250 TACACS_2
When you log in via SSH, you get past the authentication using AD credentials and are then prompted for the enable password just to get further. But there isn't/shouldn't be one... it should be the same as all other devices, which take you straight to privilege level 15 once you get past the AD creds.
The ACS shows a passed attempt in the Monitoring & Reporting section, but a packet trace shows a drop at Phase 2.
The AAA config and output from packet trace and "test aaa" are below:
HOSTNAME/pri/act(config)# test aaa-server authentication TACACS username $
Server IP Address or name: 10.10.65.10
INFO: Attempting Authentication test to IP address <TACACS_1> (timeout: 12 seconds)
ERROR: Authentication Server not responding: No error
PACKET TRACE OUTPUT
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in 0.0.0.0 0.0.0.0 inside
Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:
Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
HOSTNAME/pri/act(config)# sh run aaa
aaa authentication serial console LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication http console TACACS
aaa authorization exec authentication-server
It has been suggested that the ACS is not correctly set up, but the client confirms it is as all other devices are, although I suspect not...
I need to go back and debug aaa authentication and debug tacacs again, but in the meantime...
Any ideas please?
Thanks
Ali
10-21-2013 01:35 PM
aaa authentication enable console TACACS LOCAL
ASA cannot place you straight into enable mode. You type enable then repeat your personal password to get into enable mode.
aaa authentication enable console tacacs LOCAL
10-22-2013 02:23 AM
Hi Ali,
What you're seeing is the default behaviour. Users will not land directly in privileged exec on ASA/firewall mode as in IOS. This is by design.
Same discussion can be found here:
https://supportforums.cisco.com/thread/2201512
If you're getting a failed authentication or error in authorization then please make sure:
1.] Are you typing the same password as the login password?
2.] We have assigned the required privileges under policy elements > shell profile; edit the one you created and get a screenshot.
You may also go to monitoring and troubleshooting and check the logs for failed authentication.
~BR
Jatin Katyal
**Do rate helpful posts**
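An added config-lint example, not from this thread and not Cisco's own tooling, in Python: it parses a "show run aaa" block like the one in the first post and reports the gap the replies point at, namely remote (TACACS) login on ssh/telnet/http with no "aaa authentication enable console" line, so the enable prompt falls back to the ASA's local enable password. The sample config is constructed from the first post (the enable line is deliberately absent so the check fires); the parse_run_aaa, audit and audit_text helpers and their message wording are assumptions of this example. It also flags a console method with no LOCAL fallback (the http line here), which the thread does not raise but which is the usual lock-out risk when the AAA servers are unreachable.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed sample: the "show run aaa" block from the first post, with the
# "aaa authentication enable console" line left out so the audit reports it.
SAMPLE_RUN_AAA = """\
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 10.10.65.10
 key ****
aaa-server TACACS (inside) host 172.19.39.250
 key ****
aaa authentication serial console LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication http console TACACS
aaa authorization exec authentication-server
"""


@dataclass
class AaaConfig:
    groups: Dict[str, List[str]] = field(default_factory=dict)  # group -> hosts
    auth: Dict[str, List[str]] = field(default_factory=dict)    # console type -> methods
    exec_authz: Optional[str] = None


def parse_run_aaa(text: str) -> AaaConfig:
    """Pull server groups, per-console authentication methods and exec authz
    out of an ASA 'show run aaa' block (hypothetical parser, not Cisco's)."""
    cfg = AaaConfig()
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"aaa-server (\S+) protocol (\S+)$", line)
        if m:
            cfg.groups.setdefault(m.group(1), [])
            continue
        m = re.match(r"aaa-server (\S+) \((\S+)\) host (\S+)$", line)
        if m:
            cfg.groups.setdefault(m.group(1), []).append(m.group(3))
            continue
        m = re.match(r"aaa authentication (\S+) console (.+)$", line)
        if m:
            cfg.auth[m.group(1)] = m.group(2).split()
            continue
        m = re.match(r"aaa authorization exec (\S+)$", line)
        if m:
            cfg.exec_authz = m.group(1)
    return cfg


def audit(cfg: AaaConfig) -> List[str]:
    findings = []
    # 1. Every non-LOCAL method must name a defined aaa-server group that has hosts.
    for console, methods in cfg.auth.items():
        for method in methods:
            if method == "LOCAL":
                continue
            if method not in cfg.groups:
                findings.append(f"{console}: method {method} is not a defined aaa-server group")
            elif not cfg.groups[method]:
                findings.append(f"{console}: group {method} has no hosts")
    # 2. Remote login with no 'aaa authentication enable console' line: the enable
    #    prompt uses the ASA's local enable password, not the user's TACACS password.
    remote_logins = [c for c, m in cfg.auth.items()
                     if c != "enable" and any(x != "LOCAL" for x in m)]
    if remote_logins and "enable" not in cfg.auth:
        findings.append("enable: no 'aaa authentication enable console' line; users logging in via "
                        + ", ".join(remote_logins) + " will be asked for the local enable password")
    # 3. A console method with no LOCAL fallback locks that path out when the servers are down.
    for console, methods in cfg.auth.items():
        if methods and "LOCAL" not in methods:
            findings.append(f"{console}: no LOCAL fallback; unreachable {methods[0]} servers lock out this path")
    return findings


def audit_text(text: str) -> List[str]:
    return audit(parse_run_aaa(text))


if __name__ == "__main__":
    for finding in audit_text(SAMPLE_RUN_AAA):
        print(finding)
```

Appending "aaa authentication enable console TACACS LOCAL" to the sample, as the replies suggest, clears the enable finding; the http finding stays until a LOCAL fallback is added to that line.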
10-22-2013 03:24 AM
Jatin/Peter,
Thanks very much for your input.
I'll go and tweak the required AAA bits (as we were trying different things yesterday) and get back to you.
Thanks again
Ali
10-22-2013 06:54 AM
Sure. Let us know if you need any further inputs to resolve this issue.
~BR
Jatin Katyal
**Do rate helpful posts**
10-22-2013 07:27 AM
Hi Guys,
The client has decided to just stick with local creds while they troubleshoot something else that has cropped up.
I've had no feedback from your suggestions though, as the decision was out of my hands.
Thanks again for your input though guys, much appreciated.
KR
Ali
10-24-2013 09:03 AM
That's fine Ali. Let us know if you need any further help.
~BR
Jatin Katyal
**Do rate helpful posts**