06-05-2007 12:47 PM - edited 03-10-2019 03:11 PM
I managed to get authentication on easy enough but now am having difficulty getting authorization to work properly. I have auth/author turned on for my IOS stuff so any techs logged in will have rights based on what I give them on Secure ACS. However I can't get the same to work on PIX code. I can log in fine with aaa authentication but it still prompts me for the enable password. End result is I want to be able to login just once (and enabled). Any white papers that can point me the right way?
06-05-2007 03:01 PM
Hi,
PIX/ASA works in a different way than IOS devices do.
What you seek is not possible. We do not have something like EXEC authorization on PIX/ASA, so we cannot go directly into enable/privileged mode.
The reason for this is that, under normal circumstances, the AAA server could reply to the initial authentication/authorization request with "priv-lvl", and the user's session would assume this level without having to enter an additional command (like
But such feature is not available on PIX/ASA.
Regards,
Prem
06-06-2007 05:31 AM
Thank you, Prem. Here is my concern. When I enable AAA access on the firewalls, from what you said there is no way for me to govern what rights a tech has when accessing the device? I want to establish the same restrictions as the IOS gear I have, where normal techs will only have certain commands and others have full command. The way it is now, anyone with an account on Secure ACS can access it via ASDM.
EDIT:
Also I'm a little confused about the various fields on the AAA Access (from Device Access) tab. In Authentication, there is an option to toggle to require auth to be able to use enable mode. I am not sure how this authenticates against our ACS server (I checked the various settings in ACS and enabled what I think are all PIX commands to permit enable) and it doesn't work. I enter the enable password when I telnet in and I get auth failed when running any commands.
Also there is an Authorization tab which I am assuming allows you to push down rights from an AAA server? Where on the ACS can I configure that?
06-06-2007 05:52 AM
Hi,
What you want to do can be accomplished; try following the instructions in the PDF file attached.
And as you want to give ASDM access, then make sure that you let support user have privilege to run all show commands, i.e. show----(check) permit unmatched arguments.
Let me know.
Regards,
Prem
06-06-2007 07:05 AM
Thank you. Unfortunately it is not working either. I checked the logs on the Secure ACS and it seems to be using the enable_15 account to do commands instead of my user account.
06-06-2007 08:23 AM
Hi,
Are you sure that you have entered the exact same command as in the PDF?
Can you send me the sh run?
Regards,
Prem
06-06-2007 08:34 AM
EDIT: Never mind, I missed this command:
aaa authentication enable console aaa-server group
It works now!
Thanks!
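The gap the OP hit above (command authorization configured while enable authentication was still missing, so the ACS logs showed commands run as enable_15) is easy to audit for in a running-config. The following checker is an added illustration written for this thread, not code from the thread or from Cisco; the config excerpts and the server-group name TACACS are constructed.

```python
import re

# Constructed running-config excerpts (not the poster's devices).
CONFIG_BEFORE = """\
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 192.0.2.10
aaa authentication ssh console TACACS LOCAL
aaa authentication http console TACACS LOCAL
aaa authorization command TACACS LOCAL
"""
# Same config plus the line the OP was missing.
CONFIG_AFTER = CONFIG_BEFORE + "aaa authentication enable console TACACS LOCAL\n"

AAA_AUTHN = re.compile(r"^aaa authentication (\S+) console (\S+)(?: (\S+))?$")
AAA_AUTHZ = re.compile(r"^aaa authorization command (\S+)(?: (\S+))?$")


def parse_aaa(config):
    """Map each access method (ssh, http, serial, enable, ...) to its
    (server-group, fallback) pair, and return the command-authorization pair."""
    authn, authz = {}, None
    for line in config.splitlines():
        line = line.strip()
        m = AAA_AUTHN.match(line)
        if m:
            authn[m.group(1)] = (m.group(2), m.group(3))
            continue
        m = AAA_AUTHZ.match(line)
        if m:
            authz = (m.group(1), m.group(2))
    return authn, authz


def audit_aaa(config):
    """Return a list of findings; an empty list means the AAA block is consistent."""
    authn, authz = parse_aaa(config)
    findings = []
    if authz and "enable" not in authn:
        findings.append("command authorization is on but 'aaa authentication enable console' "
                        "is missing: a user who types the shared enable password is authorized "
                        "as enable_15, not as their own account")
    for access in ("ssh", "http", "serial", "telnet", "enable"):
        if access in authn and authn[access][1] != "LOCAL":
            findings.append(f"{access} authentication has no LOCAL fallback "
                            "(lockout risk if the AAA server is unreachable)")
    if authz and authz[1] != "LOCAL":
        findings.append("command authorization has no LOCAL fallback")
    return findings
```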
06-06-2007 09:02 AM
Hi, I have tried this exact setup, and on every PIX/ASA I encountered console problems. I am not able to login via the console at all; it keeps prompting for username and rejects whatever user I throw at it. I can SSH and HTTPS OK the way I want to, but in order to get console to work, I have to disable the authorization command.
aaa authentication http console Tacacs+ LOCAL
aaa authentication ssh console Tacacs+ LOCAL
aaa authentication serial console Tacacs+ LOCAL
aaa authentication enable console Tacacs+ LOCAL
aaa authorization command Tacacs+ LOCAL
So I wind up setting just the ssh to use Tacacs, and leave off the authorization. Users can log in, but need to know the enable password to go further.
EDIT: I forgot to add, if I set aaa authentication serial console LOCAL, I can log in as local user, but not into enable mode.
06-06-2007 11:05 AM
I found the problem, stupid TACACS server! We have a home grown Linux server that we use for TACACS. What I found was the console was sending the requests to the server, and getting rejected. The reason being the console sends 0.0.0.0 as its IP address. Some of the security I built into the TACACS+ server to stop attacks was an ACL; if you aren't on the ACL you will not get authenticated, even if your user/password are correct. I added 0.0.0.0 without a subnet mask and it worked. I have a second default ACL with 0.0.0/0 for testing and that one did not work either, it specifically needed 0.0.0.0. Stupid TACACS.
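The failure mode in the post above (a client ACL on the AAA server rejecting serial-console logins because the console has no network source and reports 0.0.0.0) can be modelled and spotted in server logs. This is an added illustration, not the poster's server code: it assumes standard CIDR matching (so unlike their server a 0.0.0.0/0 entry would also match here), and the log line format and addresses are constructed.

```python
import ipaddress
import re

# The PIX/ASA serial console has no network source address, so the AAA
# request arrives with 0.0.0.0 as the client (as observed in the thread).
CONSOLE_CLIENT = ipaddress.ip_address("0.0.0.0")

# Constructed server log lines; the format is invented for this example.
SAMPLE_LOG = [
    "2007-06-06 10:58:01 client=0.0.0.0 user=tech1 result=reject",
    "2007-06-06 10:58:40 client=10.1.1.5 user=tech1 result=accept",
    "2007-06-06 10:59:12 client=198.51.100.7 user=tech2 result=reject",
    "2007-06-06 10:59:50 client=10.1.1.9 user=tech3 result=reject",
]
ACL_BEFORE = ["10.1.1.0/24"]             # management subnet only
ACL_AFTER = ["10.1.1.0/24", "0.0.0.0"]   # plus an explicit host entry for the console

LOG_RE = re.compile(r"client=(?P<client>\S+) user=(?P<user>\S+) result=(?P<result>\S+)")


def parse_acl(entries):
    """Entries without a mask become /32 host entries; entries with a mask are networks."""
    return [ipaddress.ip_network(e, strict=False) for e in entries]


def client_permitted(acl, client_ip):
    """True if the requesting client address falls inside any ACL entry."""
    addr = ipaddress.ip_address(client_ip)
    return any(addr in net for net in acl)


def explain_rejections(acl, log_lines):
    """Return (user, client, reason) for rejections caused by the client ACL,
    separating the console pseudo-address from ordinary off-ACL clients.
    Rejections from permitted clients are credential failures and are skipped."""
    out = []
    for line in log_lines:
        m = LOG_RE.search(line)
        if not m or m["result"] != "reject":
            continue
        if client_permitted(acl, m["client"]):
            continue
        if ipaddress.ip_address(m["client"]) == CONSOLE_CLIENT:
            reason = "console pseudo-address not in client ACL"
        else:
            reason = "client not in ACL"
        out.append((m["user"], m["client"], reason))
    return out
```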
10-24-2008 12:57 AM
Hi, I also did the same configuration, but when we lose connection to TACACS it does not return to enable credentials, i.e. it does not accept the enable password configured in the local database. Does anyone know the reason, and how to make it work as configured?