ASA in MultiContext mode and AAA

endpoint
Level 1

Hi

I have two firewalls (ASA5540, ver 8.2); one configured in multi mode (called A) and the second configured in single mode (called B).

I have Cisco ACS set up to perform AAA for both firewalls. Both (A, B) can authenticate using ACS (TACACS+) with no problem. Local authorization is set up as fallback if ACS does not work.

For firewall A (single mode) the ACS can perform authentication, authorization and accounting. I have set up read-only and full-access groups in ACS to provide read-only (only limited show commands available) and full access (read/write) to the firewalls. This works very well.

Firewall B (in multimode) can provide authentication and accounting OK (not all accounting info, but some login messages are available), but cannot provide authorization. Simply, that option is not available in ASDM (user setup/AAA) and only LOCAL is available for authorization.

Entering "aaa authorization command TACACS-ACS LOCAL" from the CLI on firewall B, the message back says that only tacacs+ and local methods are available.

Entering "aaa authorization command tacacs+ local" on firewall B, the message back says that the local method is not defined, but the tacacs+ argument does not bring any errors.

Below are the commands entered in firewall A, which are working fine:

aaa-server RADIUS-ACS protocol radius
aaa-server RADIUS-ACS (inside) host 1.1.1.2
key xxxxx
aaa-server TACACS-ACS protocol tacacs+
aaa-server TACACS-ACS (inside) host 1.1.1.2
key xxxxx
aaa authentication ssh console TACACS-ACS LOCAL
aaa authentication http console TACACS-ACS LOCAL
aaa authentication enable console RADIUS-ACS LOCAL
aaa authorization command TACACS-ACS LOCAL
aaa accounting ssh console RADIUS-ACS
aaa accounting command TACACS-ACS
aaa accounting telnet console RADIUS-ACS

Questions: does a multimode firewall behave differently than single mode when it comes to AAA?

If it does, how to set up AAA on a multicontext firewall? Through the system, admin or individual contexts?

What command(s) are missing from the above to make the multicontext firewall authorized by AAA?

I am trying to avoid entering authorization commands and levels on every context individually.

Constructive feedback appreciated.

Regards,

3 Replies

andamani
Cisco Employee

Hello,

I guess you will have to configure the AAA configuration on individual contexts.

The following link throws some light on the same.

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml

It says:

The system execution space does not support any AAA commands, but you can configure its own enable password, as well as usernames in the local database to provide individual logins.

Hope this helps.

Regards,

Anisha

P.S.: Please mark this thread as answered if you feel your query is resolved. Do rate helpful posts.

Thanks for the reply; I found the right config for multimode:

aaa authentication ssh console TACACS-ACS LOCAL
aaa authentication enable console RADIUS-ACS LOCAL
aaa authentication http console TACACS-ACS LOCAL
aaa authorization command TACACS-ACS LOCAL
aaa accounting ssh console RADIUS-ACS
aaa accounting command TACACS-ACS
aaa accounting enable console TACACS-ACS

Thanks for the link; I read it already :-)

Regards.
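Since the AAA lines above have to be entered in every context (the system execution space takes none), a per-context audit is the practical way to catch a context where a line was forgotten. The following Python check is an added example, not code from the thread or from Cisco: it tests each context's AAA lines for the set posted above, for server groups that are referenced but never defined, for command authorization that does not point at a TACACS+ group, and for a missing LOCAL fallback. The two context configs are constructed samples.

```python
import re
# Constructed sample input (not from the thread): the working multi-mode AAA
# block above as context "admin", plus a hypothetical "ctx1" where two lines
# are absent, SSH has no LOCAL fallback and authorization uses a RADIUS group.
CONTEXT_CONFIGS = {
    "admin": """
aaa-server RADIUS-ACS protocol radius
aaa-server TACACS-ACS protocol tacacs+
aaa authentication ssh console TACACS-ACS LOCAL
aaa authentication enable console RADIUS-ACS LOCAL
aaa authentication http console TACACS-ACS LOCAL
aaa authorization command TACACS-ACS LOCAL
aaa accounting command TACACS-ACS
""",
    "ctx1": """
aaa-server RADIUS-ACS protocol radius
aaa-server TACACS-ACS protocol tacacs+
aaa authentication ssh console TACACS-ACS
aaa authorization command RADIUS-ACS LOCAL
aaa accounting command TACACS-ACS
""",
}
# Management-plane AAA lines every context should carry (from the thread).
REQUIRED = (
    "aaa authentication ssh console",
    "aaa authentication enable console",
    "aaa authentication http console",
    "aaa authorization command",
    "aaa accounting command",
)
SERVER_GROUP = re.compile(r"^aaa-server (\S+) protocol (radius|tacacs\+)$", re.M)
AAA_LINE = re.compile(r"^aaa (authentication|authorization|accounting) (.+?) (\S+?)( LOCAL)?$")

def audit_context(config):
    """Return findings for one context's AAA lines; an empty list means OK."""
    groups = dict(SERVER_GROUP.findall(config))  # server-group name -> protocol
    lines = [l.strip() for l in config.splitlines() if l.startswith("aaa ")]
    findings = [f"missing: {p}" for p in REQUIRED if not any(l.startswith(p) for l in lines)]
    for line in lines:
        m = AAA_LINE.match(line)
        if not m or m.group(3) == "LOCAL":  # unparsable or local-only: nothing to resolve
            continue
        kind, _, group, fallback = m.groups()
        if group not in groups:
            findings.append(f"undefined server group {group}: {line}")
        elif kind == "authorization" and groups[group] != "tacacs+":
            findings.append(f"command authorization needs a tacacs+ group: {line}")
        if kind != "accounting" and not fallback:
            findings.append(f"no LOCAL fallback (lockout risk if ACS is down): {line}")
    return findings
```

Run `audit_context` over the output of `show running-config aaa` and `show running-config aaa-server` taken in each context; the "admin" sample returns no findings, "ctx1" returns four.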

That is nice.

Please mark this thread as answered so that others can benefit from it.

Regards,

Anisha.