ASA local login account w/ radius server

ronald.nutter
Level 1

I have my ASA configured with a local account and it points to a radius server acting as a 2 factor token server. I can't get the local account to work if the ASA sees the radius server active. I can get this to work on any Cisco router or switch.

Anyone know how to do this?

Ron

Sent from Cisco Technical Support iPhone App


Jatin Katyal
Cisco Employee

Ronald,

I'm unsure how on the ASA the local account is working while radius is up and running. However, on the switches/routers you may use the below listed command. Use this command with the local method keyword specified first so that Cisco IOS will use the local username database for authentication in the first place. If the username is not there, it would then query the radius server.

(config)#aaa authentication login default local group radius

Make the local first for authorization also if required.

Before you execute the above command please create a local username/password with suitable privileges on the IOS (should be level 15 for admin).

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

The ASA is what I am asking about. I have the local account working with the routers and switches. That hasn't been a problem. ASAs are a little different. In the past, as soon as the ASA sees a radius or tacacs host, it won't use the local account anymore until the radius or tacacs server it has been configured for is not responding.

What I am looking for is any configuration that anyone has used on an ASA that allows the local account to continue to be used EVEN IF a radius or tacacs server has been configured for authentication. I have a manager swearing he has done this in the past but has yet to produce a configuration that substantiates this.

I don't think this can be done on asa.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

That is what I am expecting to find. My manager wants to see something in print from Cisco saying this won't work. You just can't please some people. I have been looking over the latest code version for the ASA and don't see anything different here.

The only thing I can see is to drop the timeout interval as low as possible to get a failed aaa server to be unused as soon as possible. Haven't been able to find anything more promising than that.

Ron

Ronald,

I can understand. Let me dig and see if I can find out something on this matter.

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Thanks for the help on this. I have tried this up to and including ver 9.1 on the ASA. As long as it sees an active auth server, whether it is radius or tacacs, the local account can't be used until the auth server it is configured for isn't active.

You can do this on a router or switch IOS but not on the ASA. It would be nice if you could consistently do it across all platforms.

Ron

Hi Ronald,

I was looking around for a document on your query regarding the ASA local database. However, there is no specific document on this.

The only thing I could find is the below listed link but I guess you've already read that.

The local database supports the following fallback functions:

Console and enable password authentication—If the servers in the group are all unavailable, the ASA uses the local database to authenticate administrative access, which can also include enable password authentication.

Command authorization—If the TACACS+ servers in the group are all unavailable, the local database is used to authorize commands based on privilege levels.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/guide/asa_84_cli_config/access_aaa.html#wp1053512

 

~BR

Jatin Katyal

**Do rate helpful posts**

~Jatin

Thanks for your help on this.  Unfortunately my manager still insists that this can be done.

Yes, I have read the document that you listed and several others. I have worked with ASAs for 10 years now and never had this work any other way than what I have found.

Thanks,

Ron

Even though this is an old thread, came here hoping to solve the same problem ... seems like a dumb feature imo.

We wanted to configure the ASA with a "backdoor" account in case an administrator account became locked out.

The only way we found a workaround was to create a new connection profile and set it to LOCAL only.

We were trying to avoid using multiple Connection Profiles since some users have a hard time grasping the procedure of using VPN.

I really wish there was an alternative to local login with AAA Server active that didn't require a separate Connection Profile.

Alas, Cisco fails to meet the needs.

Well if you want to create a new Connection profile and not populate in the dropdown list, don't specify a Group-alias for that connection profile. You can then specify a separate group-url that the admin users can go to in case they need backdoor access with local login access. 
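The two behaviours the thread contrasts, as an added configuration example that is not from the thread or from Cisco's documentation: IOS with the local database tried first (the command from Jatin's reply), and the ASA workaround above of a second remote-access connection profile bound to LOCAL that has a group-url but no group-alias. The profile and policy names, the server address, the URL and the password placeholders are assumptions.

```text
! Added example, not taken from the thread. Names, address, URL and
! <...> placeholders are assumptions; substitute your own values.
!
! --- IOS router/switch: local database is consulted first; RADIUS is
! --- queried only when the username does not exist locally.
username admin privilege 15 secret <strong-password>
aaa new-model
aaa authentication login default local group radius
aaa authorization exec default local group radius
!
! --- ASA: the AAA server group itself cannot be made "local first", so a
! --- second remote-access connection profile is bound to LOCAL instead.
! Break-glass admin account for that profile, with local lockout enabled
! so it is held to the same brute-force limits as any other credential.
username admin password <strong-password> privilege 15
aaa local authentication attempts max-fail 5
!
! Normal user profile: keeps the 2-factor RADIUS server group and is the
! one shown in the portal dropdown (group-alias).
aaa-server RADIUS-2FA protocol radius
aaa-server RADIUS-2FA (inside) host 192.0.2.10
 key <radius-shared-secret>
tunnel-group USERS type remote-access
tunnel-group USERS general-attributes
 authentication-server-group RADIUS-2FA
tunnel-group USERS webvpn-attributes
 group-alias USERS enable
!
! Admin fallback profile: LOCAL only. No group-alias, so it does not
! appear in the dropdown; admins reach it only through its own group-url.
tunnel-group ADMIN-LOCAL type remote-access
tunnel-group ADMIN-LOCAL general-attributes
 authentication-server-group LOCAL
tunnel-group ADMIN-LOCAL webvpn-attributes
 group-url https://vpn.example.com/admin-local enable
```

The dedicated profile only changes which database that one profile consults; the USERS profile still authenticates through RADIUS-2FA, so the fallback account is exposed only on the separate URL and should be audited like any other admin login.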

kaaftab
Level 4

Well, the basic authentication method remains the same throughout the Cisco devices, but it would be better if you can share the configuration with us.

I will have to respectfully disagree with you. While you can have a local account and use it on routers and switches while an authentication server is active, the same is not the case on the ASA.

I have yet to find an AAA configuration available from Cisco's website or any other that allows the local account to be active at the same time an AAA server is active.

I have tried all of the configurations available from several tech notes/pubs on Cisco's website and haven't found a configuration that will do this on the ASA.