01-23-2009 05:03 AM - edited 03-10-2019 04:17 PM
Hello!
We have an ASA running software 7.2.4, configured for AAA against ACS v4.2.
Configuration is as follows:
aaa-server TAC protocol tacacs+
aaa-server TAC (mgmt) host 192.168.1.11
 key cisco
aaa-server RAD protocol radius
aaa-server RAD (mgmt) host 192.168.1.11
 key cisco
aaa authentication http console RAD LOCAL
aaa authentication serial console RAD LOCAL
aaa authentication ssh console RAD LOCAL
aaa authentication enable console TAC LOCAL
aaa authorization command TAC LOCAL
aaa accounting ssh console TAC
aaa accounting command TAC
Everything is working fine except access to privileged mode when connecting over the console port. Console port authentication itself is working OK.
Because of multiple context mode, after logging in we enter the system context.
After issuing the "enable" command, the ASA accepts only the enable secret configured in the system context and changes the user ID to enable_15, so we are unable to do user-level command authorization and accounting.
It seems that the ASA in the system context is not aware of any AAA configuration, and there isn't any command to configure AAA in the system context.
Is there any way to configure enable authentication over AAA in the system context?
Thanks in advance!
Marko
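The symptom described above (commands attributed to the generic identity enable_15 rather than to a named AAA user) can be picked up from the ASA's own syslog. The following is an added example, not code from the original post or from Cisco: it parses the two ASA message IDs that record executed commands, 111008 (console, no source address) and 111010 (remote CLI with source IP), and reports every command that ran under an enable_N identity, i.e. with no per-user accountability. The message formats are written from memory of the ASA syslog guide and are an assumption of this example; the sample log lines are constructed for the example.

```python
import re
from collections import defaultdict

# ASA command-execution syslogs. Formats are an assumption of this example
# (recalled from the ASA syslog guide), not text from the forum thread.
RE_111010 = re.compile(
    r"%ASA-\d-111010: User '(?P<user>[^']+)', running '(?P<app>[^']+)' "
    r"from IP (?P<ip>\S+), executed '(?P<cmd>[^']*)'"
)
RE_111008 = re.compile(
    r"%ASA-\d-111008: User '(?P<user>[^']+)' executed the '(?P<cmd>[^']*)' command\."
)

# Generic identity the ASA uses when the enable password, not an AAA
# account, was used to reach privilege level N.
ENABLE_USER = re.compile(r"^enable_(?P<level>\d+)$")

# Constructed sample log: one named user over SSH, plus console commands
# that ran after the local enable secret was used in the system context.
SAMPLE_LOG = """\
Jan 23 2009 05:01:12 asa1 %ASA-5-111010: User 'marko', running 'CLI' from IP 192.168.1.5, executed 'show running-config'
Jan 23 2009 05:01:40 asa1 %ASA-5-111008: User 'enable_15' executed the 'configure terminal' command.
Jan 23 2009 05:01:52 asa1 %ASA-5-111008: User 'enable_15' executed the 'changeto context admin' command.
Jan 23 2009 05:02:03 asa1 %ASA-5-111010: User 'marko', running 'CLI' from IP 192.168.1.5, executed 'changeto context admin'
Jan 23 2009 05:02:30 asa1 %ASA-5-111008: User 'enable_15' executed the 'write memory' command.
""".splitlines()


def parse_command_events(lines):
    """Return (user, command, source) tuples for each command-execution syslog.

    source is 'app@ip' for 111010; None for 111008, which carries no address.
    """
    events = []
    for line in lines:
        m = RE_111010.search(line)
        if m:
            events.append((m["user"], m["cmd"], f"{m['app']}@{m['ip']}"))
            continue
        m = RE_111008.search(line)
        if m:
            events.append((m["user"], m["cmd"], None))
    return events


def find_unattributed_commands(lines):
    """Group commands that ran under an enable_N identity by that identity."""
    by_identity = defaultdict(list)
    for user, cmd, source in parse_command_events(lines):
        if ENABLE_USER.match(user):
            by_identity[user].append((cmd, source))
    return dict(by_identity)


def attribution_ratio(lines):
    """Fraction of executed commands that are tied to a named (non-enable_N) user."""
    events = parse_command_events(lines)
    if not events:
        return 1.0
    named = sum(1 for user, _, _ in events if not ENABLE_USER.match(user))
    return named / len(events)


if __name__ == "__main__":
    for identity, cmds in find_unattributed_commands(SAMPLE_LOG).items():
        print(f"{identity}: {len(cmds)} command(s) with no per-user attribution")
        for cmd, source in cmds:
            print(f"  {cmd!r} via {source or 'console'}")
    print(f"attributed: {attribution_ratio(SAMPLE_LOG):.0%}")
```

Run against a real syslog export, a non-zero enable_15 count from the console (111008) is exactly the gap the thread describes: the system context accepted the local enable secret, so TACACS+ command authorization and accounting never saw a username for those commands.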
01-30-2009 03:31 PM
Your security appliance is possibly already configured for multiple security contexts dependent upon how you ordered it from Cisco, but if you upgrade, you might need to convert from single mode to multiple mode. This section explains the procedures to upgrade. ASDM does not support changing modes, so you need to change modes with the CLI.
When you convert from single mode to multiple mode, the security appliance converts the running configuration into two files. The original startup configuration is not saved, so, if it differs from the running configuration, you must back it up before you proceed.
01-30-2009 04:05 PM
Hello!
I assume that you misunderstood my question. Our appliance is running in multiple context mode and AAA in the context is configured as it should be (see the configuration in the first post).
The problem is, if you log into the ASA over the console port you can enter enable mode with user credentials only if you have users defined locally in the system space. In the system space you can't define AAA commands.
Kind regards,
--
Marko