Exclude console access from Authorization - Cisco ASA

GarySLear
Level 1

Hi, Here's my situation.

We have switches, routers and ASAs in our network, and 2 x ACS 5.2 over two locations.

All devices authenticate using AD via ACS, failing over to our remote ACS should there be a failure; this works fine on all types of management connections: SSH, console, HTTP, VPNs etc.

Accounting to ACS is working fine, but this is not relevant.

Authorization is where I'm having a problem. I don't want command or exec authorization for console connections. On a router or switch, this is simple: I just don't configure authorization on line console 0, but I do have authentication to the local database as a backdoor, and accounting is also configured and working fine.

Our ASA, on the other hand, does command authorization when connected via console cable and on SSH sessions, and I can't figure out a way to exclude console connections from the authorization. I can't find anything online and the commands available don't do what I need.

I'm faced with the situation that if our primary ACS fails and the secondary is unreachable (for whatever reason), I need to wait for the timeout values to expire for both ACS devices configured. I have lowered the value to 1 second, which makes this a bit more bearable; however, I cannot believe that this option is not available.

Help Please!!!

4 Replies

Jatin Katyal
Cisco Employee

Unfortunately, there currently isn't any way to exclude command authorization from the serial console users while having it apply to other access methods. However, this can be easily achieved by creating a method list.

Regards,

Jatin

~Jatin

I have already created a method list, as per below:

"aaa authorization command ACS LOCAL"

Unless I misunderstand what a method list is, the above "list" performs command authorization as per the policies on our ACS; if the ACS is not responding then it uses the local authorization sets.

This already works just fine; however, the delay that is caused when every command needs to look at both our ACS servers prior to looking at the local authorization sets is a bit annoying, especially if you were trying to troubleshoot an issue under a great deal of pressure.

In our lab, we adjusted the timers down to 1 second; it takes between 3 and 4 seconds, if the primary ACS is not responding, for the command to be authorised.

So I assume in our real network, which has 2 ACS servers, it's going to take at least 7 seconds to respond, and that doesn't take into account that the secondary ACS is over a WAN link.

I'm thinking that if we have a problem with our network, waiting 7 seconds after every command will be unbearable.

***UPDATE*** By setting "max-failed-attempts" to 1 on the server group it marks the server as "down" a lot quicker; however, this could introduce issues. Is there a way to leave it at the default (3 attempts) and ensure the server is kept "marked down" until it actually comes back up? Bit of debug below:

ASA1(config)# sh run aaa-server
Marking server 192.168.2.106 down in servertag ACS
aaa-server ACS protocol tacacs+
 max-failed-attempts 1
aaa-server ACS (inside) host 192.168.2.106
 timeout 1
 key *****
aaa-server ACS (inside) host 192.168.2.107
 timeout 1
 key *****
ASA1(config)# Marking server 192.168.2.107 down in servertag ACS
Marking server 192.168.2.106 in server tag ACS Up
Marking server 192.168.2.107 in server tag ACS Up
AAA_BindServer: No server found
ERROR: No error

As you can see, it marks the servers back up immediately, and 192.168.2.107 doesn't exist!

I forgot to write IOS at the end.

However, this can be easily achieved by creating a method list in the case of IOS.

There currently isn't any way to exclude command authorization from the serial console users while having it apply to other access methods in the case of ASA.

Regards,

Jatin

~Jatin

The plot thickens!

So, forgetting the idea of disabling it from the console completely: I don't think I can do this.

The 2 servers in the group should be marked as "down" and then the LOCAL method is used. This works

but..

they immediately come back up after the command has finished, so I have tried to add the following command under the server group:

"reactivation-mode depletion deadtime 50"

The way I understand this is that it will work through the servers in the group and, if they are all down, then it reactivates them. This is what I'm seeing, but the "deadtime 50" should keep them down for 50 minutes.

BUT IT DOESN'T WORK!!!
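A simplified model of the server-group behaviour this thread is chasing, added here as an illustration and not code from the thread or from Cisco: hosts are tried in configuration order, each attempt against an unreachable host costs `timeout` seconds, a host is marked down after `max_failed_attempts` consecutive failures, and in depletion mode the group stays on LOCAL until `deadtime` minutes have passed, after which every host is reactivated. Those rules are an assumption about the intended behaviour of `max-failed-attempts`, `timeout` and `reactivation-mode depletion deadtime`, not the ASA's implementation; the 192.168.2.106/107 addresses are the ones from the debug above, used only as labels.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple


@dataclass
class AaaGroup:
    """Assumed model of an ASA TACACS+ server group with
    'reactivation-mode depletion deadtime N' (not ASA's real implementation)."""
    servers: List[str]                 # host addresses in configuration order
    timeout: int = 1                   # seconds waited per attempt on a dead host
    max_failed_attempts: int = 3       # consecutive failures before a host is marked down
    deadtime: int = 10                 # minutes the depleted group stays on LOCAL
    reachable: Set[str] = field(default_factory=set)   # hosts that currently answer
    failures: Dict[str, int] = field(init=False)
    down: Set[str] = field(init=False, default_factory=set)
    depleted_at: Optional[float] = field(init=False, default=None)

    def __post_init__(self) -> None:
        self.failures = {s: 0 for s in self.servers}

    def authorize(self, now: float) -> Tuple[str, float]:
        """Authorize one command at time `now` (seconds).
        Returns (method that answered, seconds spent waiting on AAA)."""
        if self.depleted_at is not None:
            if now - self.depleted_at < self.deadtime * 60:
                return "LOCAL", 0.0             # still inside deadtime: instant fallback
            # deadtime expired: reactivate every host in the group
            self.down.clear()
            self.depleted_at = None
            self.failures = {s: 0 for s in self.servers}
        waited = 0.0
        for host in self.servers:
            if host in self.down:
                continue                        # skipped until the group is reactivated
            if host in self.reachable:
                return host, waited
            waited += self.timeout              # request timed out on this host
            self.failures[host] += 1
            if self.failures[host] >= self.max_failed_attempts:
                self.down.add(host)
        if len(self.down) == len(self.servers):
            self.depleted_at = now              # whole group dead: deadtime starts
        return "LOCAL", waited


def seconds_until_local(group: AaaGroup) -> int:
    """Worst-case AAA wait, summed over commands, before every host is marked down
    (all hosts unreachable): hosts * timeout * max_failed_attempts under this model."""
    return len(group.servers) * group.timeout * group.max_failed_attempts
```

Running the two-host group with the defaults shows three slow commands before the group is depleted, and with `max_failed_attempts=1` only one, which is the trade-off the update above describes.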