Cisco ASA enable password with ISE TACACS+

vsurresh
Level 1

Hello.

I'm hoping to get some help with ASA enable password behaviour with ISE + AD. I was trying a Google search but can't seem to find the answer.

At the moment we use the internal identity source for ASA TACACS+ access. For internal identity users, there is an option to set up an enable password. If I leave that field empty, I can't go to privileged exec mode even though the TACACS profile is configured with privilege 15.

My question is, what will happen if I want to use AD groups instead of the internal store? There is no enable password for AD, of course. Is there a way to use the same login password for enable mode as well?

I understand that using the aaa authorization exec authentication-server auto-enable command will automatically bring me to the privileged prompt, but I would like the users to type enable and then go to privileged mode.

ASA aaa configs are shown below:

aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authentication serial console TACACS LOCAL
aaa authorization command TACACS LOCAL
aaa accounting enable console TACACS-1
aaa accounting serial console TACACS-1
aaa accounting ssh console TACACS-1
aaa accounting telnet console TACACS-1
aaa authorization exec authentication-server
aaa authentication login-history

Thanks


balaji.bandi
Hall of Fame

What is the issue you are encountering now? I do not see any configuration issue at a high level until we know the issue.

If you would like to use AD as the source, you need to configure AD integration in ISE, so TACACS will use your AD account as the source for the user to get authenticated.

https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200208-Configure-ISE-2-0-IOS-TACACS-Authentic.html

As soon as you enable AAA, the local account no longer works; it only falls back if no TACACS server is available or reachable.

aaa authorization exec authentication-server auto-enable - yes, your understanding is correct.

BB

=====Preenayamo Vasudevam=====

***** Rate All Helpful Responses *****

How to Ask The Cisco Community for Help

Thanks for your response.

As you can see, for ISE internal users, there is an option to set the enable password alongside the login password. If I leave the enable password field empty, I can only log in to ASA user-exec mode using the login password. Moving to priv-exec mode keeps failing (I used the same login password for privilege escalation).

What will happen to the enable password when AD is used as the source? At my previous place, I used to type the same AD password for both login and privilege escalation.

Hope this makes sense.

[Attachment: Screenshot 2021-04-25 at 19.31.52.png]

How about this command:

aaa authorization exec LOCAL auto-enable

aaa authorization exec { authentication-server | LOCAL } [ auto-enable ]

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/a1.html

auto-enable

Enables administrators who have sufficient authorization privileges to enter privileged EXEC mode by entering their authentication credentials once.

BB

=====Preenayamo Vasudevam=====

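As an added example (not code from the thread, from Cisco, or from ISE), a small Python audit of the original poster's aaa lines: it reports which server group authenticates enable, whether LOCAL is only a fallback, and whether auto-enable bypasses the enable prompt. The config text is embedded as constructed sample input.

```python
# Constructed example: audit the 'aaa' lines of an ASA running config and report
# how privileged EXEC ('enable') is reached. Not code from the thread or from Cisco.

# The original poster's aaa lines, embedded as sample input.
OP_CONFIG = """\
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authentication serial console TACACS LOCAL
aaa authorization command TACACS LOCAL
aaa accounting enable console TACACS-1
aaa authorization exec authentication-server
aaa authentication login-history
"""

def aaa_lines(config: str) -> list[list[str]]:
    """Tokenise every 'aaa ...' line; all other config lines are ignored."""
    return [ln.split() for ln in config.splitlines() if ln.strip().startswith("aaa ")]

def audit_enable(config: str) -> dict:
    """Summarise enable-mode behaviour.
    enable_servers: server groups asked to authenticate 'enable' ([] = local enable password)
    local_fallback: LOCAL is listed after a server group, so it is used only when that group is unreachable
    auto_enable:    'aaa authorization exec ... auto-enable' is present, so a user with sufficient
                    privilege lands in privileged EXEC without typing 'enable'
    """
    r = {"enable_servers": [], "local_fallback": False, "auto_enable": False, "findings": []}
    for tok in aaa_lines(config):
        if tok[:4] == ["aaa", "authentication", "enable", "console"]:
            groups = tok[4:]
            r["enable_servers"] = [g for g in groups if g != "LOCAL"]
            r["local_fallback"] = "LOCAL" in groups[1:]
        elif tok[:3] == ["aaa", "authorization", "exec"]:
            r["auto_enable"] = "auto-enable" in tok
    if r["auto_enable"]:
        r["findings"].append("auto-enable: users with sufficient privilege skip the 'enable' prompt")
    elif r["enable_servers"]:
        r["findings"].append("enable is authenticated by " + ",".join(r["enable_servers"])
                             + "; the server must answer the enable request "
                             "(ISE internal users need an enable password set)")
    else:
        r["findings"].append("enable uses the local enable password; no server group is consulted")
    if r["local_fallback"]:
        r["findings"].append("LOCAL fallback applies only when the server group is unreachable")
    return r

if __name__ == "__main__":
    for line in audit_enable(OP_CONFIG)["findings"]:
        print(line)
```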

Thanks. I just found this guide from 2013: https://community.cisco.com/t5/network-access-control/use-ad-account-for-auth-with-separate-enable-password-stored-on/td-p/2230659

'The command you mentioned would serve the same purpose. If you're using AD then your enable password would be the same as the login password.'

Yes, nice to know. That is what I meant to say; maybe I missed it somehow. Glad you were able to get what you were looking for.

BB

=====Preenayamo Vasudevam=====


I haven't tested it yet, but it should work, I believe. Appreciate your help.