02-09-2012 03:54 AM - edited 03-10-2019 06:48 PM
Hello netpro
How do I configure an ACS 4.2 server running in TACACS+ mode (user accounts configured on the ACS) to authenticate the enable-mode password on the ASA using the same AD account?
thanks
02-09-2012 08:37 AM
Hello,
My understanding is that you have configured ACS Internal User accounts with Password Authentication against AD as follows:
Screenshot of User Setup for a specific account:
Now, you would like to configure the ACS to check the Enable Password authentication on the ASA for that same ACS Internal User account against AD. Access the ASA enable mode with the AD password as well. In that case you need to enable the TACACS+ features for the user account under Interface Configuration > TACACS+ (Cisco IOS) > and check "Advanced TACACS+ Features".
Go back to the ACS user account and scroll down to: TACACS+ Enable Password and select Windows Database option:
If this was helpful please rate.
Regards.
02-10-2012 10:42 AM
Hi Carlos
What is the purpose of the TACACS+ Outbound Password?
Thanks
02-10-2012 10:47 AM
Hello,
TACACS+ Outbound Password
TACACS+ Outbound Password enables an AAA client to authenticate itself to another AAA client or end-user client via outbound authentication. The outbound authentication can be PAP, CHAP, MS-CHAP, or ARAP and results in the ACS password being given out. By default, the user's ASCII/PAP or CHAP/MS-CHAP/ARAP password is used. To prevent compromising inbound passwords, you can configure a separate SENDAUTH password. Use this feature only if you are familiar with the TACACS+ SendAuth/OutBound password.
For your specific scenario you can leave it blank. I just forgot to delete the default "dots" that the ACS adds to the user account.
Regards.
02-10-2012 11:05 AM
Thanks carlos for the reply
Can you post the recommended configuration on routers and switches for AAA with ACS in TACACS+ mode, in terms of authentication, authorization and accounting?
thanks
02-10-2012 11:45 AM
Hello,
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
tacacs-server host 10.1.1.1
tacacs-server key cisco123
The appropriate configuration order should be:
1) Define the server:
tacacs-server host 10.1.1.1
tacacs-server key cisco123
2) Perform the test authentication command to confirm connectivity:
test aaa group tacacs
3) Define the login authentication command:
aaa authentication login default group tacacs+ local
4) Configure the TACACS+ server with the appropriate Enable and Shell (EXEC) Privilege level 15 and configure IOS for authorization:
aaa authorization exec default group tacacs+ local
5) Configure the TACACS+ server with the allowed or restricted command sets based on user/group and then configure Command Authorization:
aaa authorization config-commands
aaa authorization commands 0 default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
6) Configure TACACS+ accounting:
aaa accounting commands 0 default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
NOTE: AAA configurations can end up in lockouts. The above should be the appropriate order in which to configure the AAA commands, assuming that the server configuration is the appropriate one to pass the Authentication and Authorization checks.
If this was helpful please rate.
Regards.
02-11-2012 01:52 AM
Thanks Carlos
Do you need to apply the above config to the VTY and console lines?
02-11-2012 04:34 AM
The answer is NO, because if you look at the above commands you will notice the "default" keyword, which means the commands are automatically applied on all the lines (vty, console, aux).
If you need to exclude any line, or the console/aux, you need to create a method list and then apply it on the respective lines.
For instance
aaa authentication login NOACS none
line console 0
login authentication NOACS
This way you can exempt the console session from the authentication process.
http://www.cisco.com/en/US/docs/ios/security/command/reference/sec_a1.html#wp1088074
Regards,
Jatin
Do rate helpful posts.
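An added sanity check, not from either poster: a small Python script that audits an IOS running-config for the pitfalls discussed in this thread, namely the missing space in "group tacacs+local", a login method list with no local fallback (the lockout case), and a line such as the console bound to a "none" list, which leaves those sessions unattributed. The sample config below is constructed for the example and the TACACS+ key is a placeholder.

```python
import re

# Constructed sample running-config modelled on the snippets posted above; the
# TACACS+ key is a placeholder and the 'tacacs+local' typo is kept on purpose.
SAMPLE_CONFIG = """\
aaa new-model
aaa authentication login default group tacacs+local
aaa authentication login NOACS none
aaa authorization exec default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
tacacs-server host 10.1.1.1
tacacs-server key PLACEHOLDER_KEY
line con 0
 login authentication NOACS
line vty 0 4
"""

def audit_aaa(config: str) -> list:
    """Return findings for the AAA section of an IOS running-config."""
    findings = []
    lines = config.splitlines()
    if "aaa new-model" not in lines:
        findings.append("aaa new-model missing: AAA method lists are not in effect")
    # Collect 'aaa authentication login <list-name> <methods...>'
    login_lists = {}
    for l in lines:
        m = re.match(r"aaa authentication login (\S+) (.+)", l)
        if m:
            login_lists[m.group(1)] = m.group(2).split()
    for name, methods in login_lists.items():
        if any(t.startswith("tacacs+") and t != "tacacs+" for t in methods):
            # 'group tacacs+local' (missing space) names a server group that does not exist
            findings.append(f"{name}: malformed method list {methods}; use 'group tacacs+ local'")
        elif "group" in methods and "local" not in methods:
            findings.append(f"{name}: no 'local' fallback, lockout risk if TACACS+ is unreachable")
        if methods == ["none"]:
            findings.append(f"{name}: method 'none' grants access without authentication")
    for kw in ("tacacs-server host", "tacacs-server key"):
        if not any(l.startswith(kw) for l in lines):
            findings.append(f"no '{kw}' configured")
    # Map each 'line ...' block to its login list; 'none' lists leave sessions unattributed
    current = None
    for l in lines:
        if l.startswith("line "):
            current = l[5:]
        m = re.match(r"\s+login authentication (\S+)", l)
        if m and current and login_lists.get(m.group(1)) == ["none"]:
            findings.append(f"line {current}: unauthenticated list {m.group(1)}, admins cannot be tracked")
    return findings
```

Running audit_aaa(SAMPLE_CONFIG) reports the typo, the unauthenticated NOACS list and the console line using it; with those two corrected it returns an empty list.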
02-11-2012 07:35 AM
Hi Jatin
If I define NOACS on the console, how can I track the other admins connected to the device via the console, since I have 4 admins?
02-11-2012 08:02 AM
That was just an example to clarify the difference between the default method list and a named method list.
Regards,
Jatin
02-11-2012 08:10 AM
Could you please provide a sample config in order to track the local admins when they connect to the device using the console line?