Cisco ASA with ACS 5.3 Network Authorization

mohamed fayz
Level 1

Hi,

Could anyone please help me with my issue?

I have configured a Cisco ASA 5550 with code 8.4.4(5), integrated with ACS 5.3. Authentication for the ASA with AD via ACS is working smoothly. But when I configured AAA authorization TACACS+ on the ASA, it gets as far as privileged mode; when I try to access any other command, it shows "command authorization failed". I had given privilege level 15 and allowed all commands in the authorization rule in ACS 5.3.

When I configure "AAA authorization local" in ACS, it works fine, but via TACACS+ it does not.

Could anyone please suggest how I can give authorization to the ASA via ACS? I only configured the "aaa authorization tacacs+" command on the ASA for authorization. Is there any other command needed on the ASA? Please suggest.

thank you,

Fayz

6 Replies

hkhrais
Level 1

Please post your ASA AAA configuration.

Hi Hussam,

Thanks for your reply,

Please check the commands below, which I added on the ASA:

aaa authentication http console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa authorization exec authentication-server

Regards,

Fayz

Miguel Morinigo
Level 1

Hi Mohamed,

Your AAA definition is fine.

I also had the same issue; what I did to fix it was just to change the parameters under:

Access Policies > ... > Access Services > Default Device Admin > Authorization

I put the following permissions (see attached images).

I hope will be useful for you.

Regards

Miguel

Dear Miguel,

Thank you for your time.

I had done the same in my ACS 5.3. I created an authorization profile with a shell profile of privilege level 15 and a command set allowing all commands. But no luck.

Hi,

Finally it's done.

In the ACS TACACS+ authorization tab, it was showing "subject not found in the applicable identity store" for the username enable_15!

I don't know what this username means, but after adding this username to the ACS user identity store, it is working fine.
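To put the thread's two findings together (the ASA-side commands Fayz posted plus the enable_15 user that ACS turned out to need), here is a complete ASA-side configuration for TACACS+ command authorization against ACS. This is an added example, not configuration from any of the original posts: the server-group name TACACS+ matches the posted commands, while the ACS address 192.0.2.10, the interface name inside, the shared key and the local fallback username are placeholders to be replaced.

```cisco
! TACACS+ server group. The group name is what the aaa commands below reference.
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.0.2.10
 key ExampleSharedKey
 timeout 5
! "ExampleSharedKey" is a placeholder; it must match the device entry in ACS.

! Authenticate every management path against ACS. LOCAL is consulted only when
! no server in the group responds, never when ACS answers with a deny.
aaa authentication ssh console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL

! Take the privilege level from the ACS shell profile (priv-lvl=15) at login
! instead of requiring a separate enable step.
aaa authorization exec authentication-server

! Send every command to ACS for authorization; the ACS command set decides.
! Again, LOCAL is only a fallback for an unreachable server.
aaa authorization command TACACS+ LOCAL

! Local break-glass account so the ASA stays manageable when ACS is down.
! "admin" and the password are placeholders.
username admin password ChangeMe privilege 15
```

On the ACS side the matching pieces are the network device entry with the same shared key, a shell profile whose maximum privilege is 15, a command set that permits the commands you want (permit-all in this thread), and the identity store sequence Miguel describes below so that both internal and AD users resolve. The enable_15 finding is the caveat to keep in mind: a session that reaches privilege 15 through the enable password rather than a TACACS+ login (the serial console is the usual case) is identified to ACS as enable_15, so ACS must be able to resolve that name or every command from that session is denied. Before relying on this, verify from the ASA with "test aaa-server authentication TACACS+ host 192.0.2.10 username <user> password <password>" and check "show aaa-server" for the group status, and keep one SSH session open while applying the authorization lines so a mistake cannot lock you out.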

Miguel Morinigo
Level 1

Hi Mohamed,

If you could log in to the ASA using an internal user created in ACS but not using an AD user, it is because in:

Access Policies > Access Services > Default Device Admin > Identity

you are probably using Internal Users instead of the AD identity store.

You can use a sequence of stores:

Users and Identity Stores > Identity Store Sequences

using both Internal Users and AD Users.

And the definition in:

Access Policies > Access Services > Default Device Admin > Identity

defines the identity store sequence, and this sequence is used.

Both should work, for local users defined in the ACS and for AD.

Let me know if it works for you.
