ASA AAA to ACS

ali-franks
Level 1

Hi,

This is driving me bonkers - so much so that I probably can't see the wood for the trees - can anyone shed any light on this please?

ASA Version: 8.2(5)33

supposed to authenticate to

ACS Version: 5.1.0.44

The ASA AAA config is basic, but it still won't play nicely:

```
aaa-server TACACS protocol tacacs
aaa-server TACACS (inside) host 10.10.65.10
key ****
aaa-server TACACS (inside) host 172.19.39.250
key ****
aaa authentication serial console LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication http console TACACS
aaa authorization exec authentication-server
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host TACACS_1
aaa-server TACACS (inside) host TACACS_2
name 10.10.65.10 TACACS_1
name 172.19.39.250 TACACS_2
```

When you log in via SSH, you get past the authentication using AD credentials and are then prompted for the enable password just to get further. But there isn't/shouldn't be one... it should be the same as all other devices, which take you straight to privilege level 15 once you get past the AD creds.

The ACS shows a passed attempt in the Monitoring & Reporting section, but a packet trace shows a drop at Phase 2.

The AAA config and output from packet trace and "test aaa" are below:

```
HOSTNAME/pri/act(config)# test aaa-server authentication TACACS username $
Server IP Address or name: 10.10.65.10
INFO: Attempting Authentication test to IP address <TACACS_1> (timeout: 12 seconds)
ERROR: Authentication Server not responding: No error
```

PACKET TRACE OUTPUT

```
Phase: 1
Type: ROUTE-LOOKUP
Subtype: input
Result: ALLOW
Config:
Additional Information:
in   0.0.0.0         0.0.0.0         inside

Phase: 2
Type: ACCESS-LIST
Subtype:
Result: DROP
Config:
Implicit Rule
Additional Information:

Result:
input-interface: inside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (acl-drop) Flow is denied by configured rule
```

```
HOSTNAME/pri/act(config)# sh run aaa
aaa authentication serial console LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication http console TACACS
aaa authorization exec authentication-server
```

It has been suggested that the ACS is not correctly set up, but the client confirms it is, as all other devices are, although I suspect not...

I need to go back and debug aaa authentication and debug tacacs again, but in the meantime...

Any ideas please?

Thanks

Ali

6 Replies

Peter Koltl
Level 7

aaa authentication enable console TACACS LOCAL 

ASA cannot place you straight into enable mode. You type enable then repeat your personal password to get into enable mode.

aaa authentication enable console tacacs LOCAL

Hi Ali,

What you're seeing is the default behaviour. Users will not land directly in privileged exec on the ASA/firewall like in IOS. This is by design.

Same discussion can be found here:

https://supportforums.cisco.com/thread/2201512

If you're getting a failed authentication or error in authorization then please make sure:

1.] Are you typing the same password as the login password?

2.] We have assigned the required privileges under Policy Elements > Shell Profile; edit the one you created and get a screenshot.

You may also go to Monitoring and Troubleshooting and check the logs for failed authentication.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin
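As an added check (not code from either poster or from Cisco), a small Python audit of an ASA AAA config of the kind pasted above: it flags the missing `aaa authentication enable console` line that Peter and Jatin point to, an undefined or empty server group, and a login method with no LOCAL fallback. The sample config is constructed from the original post's lines; the finding wording is my own.

```python
import re

# Constructed sample: the "sh run aaa" output from the original post plus its
# aaa-server lines. It has no "aaa authentication enable console" entry.
SAMPLE_CONFIG = """\
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 10.10.65.10
aaa-server TACACS (inside) host 172.19.39.250
aaa authentication serial console LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication http console TACACS
aaa authorization exec authentication-server
"""

def audit_asa_aaa(config):
    """Return a list of findings (strings) for an ASA aaa / aaa-server block."""
    groups, hosts, auth, findings = set(), {}, {}, []
    for raw in config.splitlines():
        line = raw.strip()
        if m := re.match(r"aaa-server (\S+) protocol \S+$", line):
            groups.add(m.group(1))                       # server group tag
        elif m := re.match(r"aaa-server (\S+) \(\S+\) host (\S+)", line):
            hosts.setdefault(m.group(1), []).append(m.group(2))  # IP or name
        elif m := re.match(r"aaa authentication (\S+) console (\S+)(?: (\S+))?$", line):
            auth[m.group(1)] = [g for g in m.groups()[1:] if g]  # method list
    for svc, methods in auth.items():
        for tag in methods:
            if tag != "LOCAL" and tag not in groups:
                findings.append(f"{svc}: server group '{tag}' is not defined")
            elif tag != "LOCAL" and not hosts.get(tag):
                findings.append(f"{svc}: server group '{tag}' has no hosts")
        if svc in ("ssh", "telnet", "http") and "LOCAL" not in methods:
            findings.append(f"{svc}: no LOCAL fallback, lockout if the servers are unreachable")
    # Remote login without enable authentication: 'enable' then asks for the
    # device enable password instead of re-prompting for the user's own password.
    remote_login = any(m[0] != "LOCAL" for s, m in auth.items() if s in ("ssh", "telnet"))
    if remote_login and "enable" not in auth:
        findings.append("enable: no 'aaa authentication enable console' line, so "
                        "'enable' asks for the device enable password, not the user's")
    return findings

if __name__ == "__main__":
    for finding in audit_asa_aaa(SAMPLE_CONFIG):
        print("FINDING:", finding)
```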

Jatin/Peter,

Thanks very much for your input.

I'll go and tweak the required AAA bits (as we were trying different things yesterday) and get back to you.

Thanks again

Ali

Sure. Let us know if you need any further inputs to resolve this issue.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Hi Guys,

The client has decided to just stick with local creds while they troubleshoot something else that has cropped up.

I've had no feedback from your suggestions though, as the decision was out of my hands.

Thanks again for your input though guys, much appreciated.

KR

Ali

That's fine Ali. Let us know if you need any further help.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin