06-28-2011 10:16 AM - edited 03-10-2019 06:11 PM
I am trying to get our ACS to authenticate login sessions to our PIX and ASA devices. Can anyone provide a sample configuration that will push all access to these devices to the ACS for TACACS? The ACS has been configured and is ready for authentication based on username credentials; it is just the configuration on the firewall I am having problems with.
Thanks in advance for any help :- )
06-29-2011 11:14 PM
Assuming the following:
ACS-SERVER-IP=172.16.10.25
ACS-SERVER-NAME: TLS-ACS5
ACS-ASA shared secret: mysecret
user-in-acs: myfirewall
password: myasa
Run these commands on the ASA:
aaa-server TLS-ACS5 protocol tacacs+
aaa-server TLS-ACS5 (inside) host 172.16.10.25
key mysecret
aaa authentication ssh console TLS-ACS5 LOCAL
aaa authentication telnet console TLS-ACS5 LOCAL
Test authentication:
test aaa authentication TLS-ACS5 host 172.16.10.25 username myfirewall password myasa
The test result should come back OK.
07-19-2011 07:59 AM
Hi thanks for that.
I have tested this on a PIX and everything worked!
08-02-2011 09:14 AM
Hi Roshan,
Can you advise how I might go about authenticating access to exec-privilege on the FW against the ACS? I cannot find any configuration examples.
08-03-2011 03:15 AM
Hi,
After having another look at this this morning, the command "aaa authentication enable console TLS-ACS5 LOCAL" can be used to authenticate the user's exec-priv password against TACACS+.
:-)
08-08-2011 05:13 AM
On testing the above even further, I seem to have an issue...
With the following configuration loaded...
aaa-server TLS-ACS5 protocol tacacs+
aaa-server TLS-ACS5 (inside) host 10.0.20.200
key passme123
aaa authentication ssh console TLS-ACS5 LOCAL
aaa authentication telnet console TLS-ACS5 LOCAL
aaa authentication enable console TLS-ACS5 LOCAL
With the PIX in communication with the ACS the above works well, with me successfully logging in with credentials added to the ACS.
On testing this further I have taken the link down between the PIX and the ACS (to recreate a failure scenario). I can still log in using the internal (LOCAL) username and password. This seems to work fine; however, if I try to access exec-privilege mode (i.e. enable) the PIX does not accept the enable password added to the configuration; instead it accepts the same password used when creating the initial user.
username admin-user password adminpass123 encrypted
enable password enablepass123 encrypted
For example: with the above lines in the running configuration of the PIX, I can log in to the PIX using admin-user and enter the password adminpass123. However, if I then try to access exec-privilege mode (i.e. enable) the PIX does not accept the password "enablepass123" but does accept "adminpass123"... this is even with "aaa authentication enable console TLS-ACS5 LOCAL" added to the running configuration.
Has anyone else seen this issue on a PIX/FW? Am I missing something from my configuration? Does anyone know of a workaround to this issue, or is it just something I have to live with?
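A fuller version of the configuration discussed in this thread, added here as an editor's example rather than posted by anyone in the thread. It reuses the group name, server address, shared secret and account names from the earlier reply; all of those are assumptions to be replaced with your own values. It also covers the behaviour reported in the last post, which is expected on PIX 7.x and ASA: once aaa authentication enable console is configured, the password checked at "enable" is the logged-in user's own login password (from ACS, or from the local username line when on LOCAL fallback), not the separate enable password. LOCAL fallback is only used when no server in the group answers; a login that the ACS rejects does not fall back to the local database.

```cisco
! Added example, not from the original thread. Group name, address, secret
! and account names are assumptions taken from the earlier reply.
aaa-server TLS-ACS5 protocol tacacs+
aaa-server TLS-ACS5 (inside) host 172.16.10.25
 key mysecret
 timeout 5
!
! Local fallback account. Its password is what "enable" will ask for when
! the ACS is unreachable, so treat it like a break-glass credential.
! privilege 15 is the level this user gets on LOCAL fallback.
username admin-user password adminpass123 privilege 15
enable password enablepass123
!
! Login authentication: TACACS+ first, LOCAL only if no server responds.
aaa authentication ssh console TLS-ACS5 LOCAL
aaa authentication telnet console TLS-ACS5 LOCAL
aaa authentication http console TLS-ACS5 LOCAL
aaa authentication serial console TLS-ACS5 LOCAL
!
! Enable authentication: "enable" prompts for the logged-in user's own
! password (ACS, or the username line on fallback), not "enable password".
aaa authentication enable console TLS-ACS5 LOCAL
!
! Take the privilege level from the ACS (TACACS+ priv-lvl) rather than
! giving every authenticated user level 15, and authorize each command.
aaa authorization exec authentication-server
aaa authorization command TLS-ACS5 LOCAL
!
! Accounting for sessions, enable and privileged commands.
aaa accounting ssh console TLS-ACS5
aaa accounting enable console TLS-ACS5
aaa accounting command privilege 15 TLS-ACS5
!
! Verify reachability and a known credential before cutting over; run this
! from a session that is already logged in so a typo cannot lock you out.
test aaa-server authentication TLS-ACS5 host 172.16.10.25 username myfirewall password myasa
```

Keep a second management session open while applying the aaa authentication and aaa authorization lines: if the key or group name is wrong, the fallback to LOCAL is what lets you recover, and it only engages when the server is unreachable, not when it rejects the credentials.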