11-24-2019 12:40 AM - edited 11-24-2019 01:18 AM
hi,
I set up a simple lab between ISE and CSRv for AAA/RADIUS.
I added the device and user in ISE and it works, but not for the enable password on the router.
It still uses the 'local' configured enable password.
I also couldn't SSH to the ASA using the ISE user login. I tried to change the PW, created john-ise2, re-created the ASA AAA and RADIUS config, but no luck.
Could someone please advise what I've missed or anything to tweak in ISE?
User Access Verification
Username: john-ise
Password:
CSRv>enable
Password:
% Access denied
CSRv>en
Password: <<< LOCAL ENABLE PW
CSRv#
CSRv#sh run | s radius
aaa authentication login ACCESS-1 group radius local
aaa authorization exec ACCESS-1 group radius local
aaa accounting exec ACCESS-1 start-stop group radius
snmp-server enable traps sbc radius-conn-status
radius server RADIUS-1
address ipv4 192.168.1.120 auth-port 1645 acct-port 1646
key cisco
CSRv#
CSRv#ping 192.168.1.120
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.1.120, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 2/3/5 ms
---
login as: john-ise2
End of banner message from server
john-ise2@192.168.1.1's password:
Access denied
john-ise2@192.168.1.1's password:
Access denied
john-ise2@192.168.1.1's password:
LAB-ASA5515x# sh run aaa
aaa authentication http console LOCAL
aaa authentication ssh console RADIUS-1 LOCAL
aaa accounting ssh console RADIUS-1
aaa authorization exec authentication-server
aaa authentication login-history
LAB-ASA5515x#
LAB-ASA5515x# sh run aaa-server
aaa-server RADIUS-1 protocol radius
aaa-server RADIUS-1 (inside) host 192.168.1.120
key cisco
LAB-ASA5515x# test aaa authentication RADIUS-1 username john-ise2 password Cisco123
IP Address or name: 192.168.1.120
INFO: Attempting Authentication test to IP address (192.168.1.120) (timeout: 12 seconds)
INFO: Authentication Successful
11-24-2019 01:44 AM
Hi @johnlloyd_13 ,
Hope you are well!
I see from the screenshot that you are not pushing any privilege. You are just sending Access-Accept.
Can you please create an Authorization profile for CSR with privilege 15 and push that?
To add the privilege attribute, just select the 'Web Authentication (Local Web Auth)' attribute?
Also, I am assuming you are using ACCESS-1 method list in the vty lines. Are you?
line vty 0 15
login authentication ACCESS-1
authorization exec ACCESS-1
11-24-2019 02:31 AM
On the IOS you are missing the "aaa authentication enable" command. You need it; otherwise it will use the default local.
On the ASA, what is this command and why is it pointing to a different AAA group?
aaa authorization exec authentication-server
11-24-2019 04:14 AM - edited 11-24-2019 05:00 AM
hi,
I added the privilege 15 profile and AAA authentication for enable, but still the same.
I tried to debug and got a 'password incorrect' even though I used the same PW for login and enable on the ISE user 'john-ise'.
CSRv#sh run | i aaa
aaa new-model
aaa authentication login ACCESS-1 group radius local
aaa authentication enable default group ACCESS-1 enable
aaa authorization exec ACCESS-1 group radius local
aaa accounting exec ACCESS-1 start-stop group radius
aaa session-id common
snmp-server enable traps aaa_server
CSRv#
CSRv#sh run | s line vty
line vty 0 4
password cisco
authorization exec ACCESS-1
accounting exec ACCESS-1
login authentication ACCESS-1
transport input all
CSRv#debug aaa authentication
AAA Authentication debugging is on
CSRv#
CSRv#ter mon
.Nov 24 12:09:55.489: AAA/BIND(00000FC3): Bind i/f
.Nov 24 12:09:55.489: AAA/AUTHEN/LOGIN (00000FC3): Pick method list 'ACCESS-1'
.Nov 24 12:10:03.028: AAA: parse name=tty3 idb type=-1 tty=-1
.Nov 24 12:10:03.028: AAA: name=tty3 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=3 channel=0
.Nov 24 12:10:03.028: AAA/MEMORY: create_user (0x7FD2F9B9DDE0) user='john-ise' ruser='NULL' ds0=0 port='tty3' rem_addr='192.168.1.100' authen_type=ASCII service=ENABLE priv=15 initial_task_id='0', vrf= (id=0)
.Nov 24 12:10:03.029: AAA/AUTHEN/START (1022751880): port='tty3' list='ACCESS-1' action=LOGIN service=ENABLE
.Nov 24 12:10:03.029: AAA/AUTHEN/START (1022751880): using "default" list
.Nov 24 12:10:03.029: AAA/AUTHEN/START (1022751880): Unknown type for server group "ACCESS-1". Skip it
.Nov 24 12:10:03.029: AAA/AUTHEN (1022751880): status = UNKNOWN
.Nov 24 12:10:03.029: AAA/AUTHEN/START (1022751880): Method=ENABLE
.Nov 24 12:10:03.030: AAA/AUTHEN (1022751880): status = GETPASS
.Nov 24 12:10:05.889: AAA/AUTHEN/CONT (1022751880): continue_login (user='(undef)')
.Nov 24 12:10:05.889: AAA/AUTHEN (1022751880): status = GETPASS
.Nov 24 12:10:05.890: AAA/AUTHEN/CONT (1022751880): Method=ENABLE
.Nov 24 12:10:05.890: AAA/AUTHEN(1022751880): password incorrect
.Nov 24 12:10:05.890: AAA/AUTHEN (1022751880): status = FAIL
.Nov 24 12:10:05.890: AAA/MEMORY: free_user (0x7FD2F9B9DDE0) user='NULL' ruser='NULL' port='tty3' rem_addr='192.168.1.100' authen_type=ASCII service=ENABLE
I can now log in to the ASA using the ISE user account. I just re-created the AAA/RADIUS config. I saw in the RADIUS live log that there was a wrong password or shared key earlier.
login as: john-ise
Pre-authentication banner message from server:
| ### ASA SENSS LAB ###
End of banner message from server
john-ise@192.168.1.1's password:
User john-ise logged in to LAB-ASA5515x
Logins over the last 35 days: 1.
Failed logins since the last login: 38. Last failed login: 12:21:45 UTC Nov 24 2019 from 192.168.1.100
Type help or '?' for a list of available commands.
LAB-ASA5515x>
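As an added example (not code from the thread or from Cisco), a small Python checker that reviews an IOS AAA running-config for the two things visible in this post: a `group` keyword that names a method list (ACCESS-1) instead of a server group, which is exactly what the debug line 'Unknown type for server group "ACCESS-1". Skip it' reports, and a line `password` left under vty after aaa new-model hands the login to AAA. The function and constant names are mine, and the sample config is constructed to mirror the post.

```python
import re
from typing import List

# Server groups IOS knows without an explicit 'aaa group server' definition.
IMPLICIT_GROUPS = {"radius", "tacacs+", "ldap"}
AAA_RE = re.compile(r"^aaa (authentication|authorization|accounting) (\S+) (\S+)(.*)$")
GROUP_RE = re.compile(r"^aaa group server (?:radius|tacacs\+|ldap) (\S+)")

def audit_aaa(config: str) -> List[str]:
    """Hypothetical checker: return findings for an IOS AAA running-config."""
    raw = config.splitlines()
    groups, lists, findings = set(IMPLICIT_GROUPS), set(), []
    new_model = any(l.strip() == "aaa new-model" for l in raw)
    # Pass 1: collect defined server groups and named method lists.
    for line in raw:
        s = line.strip()
        if m := GROUP_RE.match(s):
            groups.add(m.group(1))
        elif (m := AAA_RE.match(s)) and m.group(2) != "enable" and m.group(3) != "default":
            lists.add(m.group(3))
    # Pass 2: every 'group X' must name a server group; a vty password is dead under aaa new-model.
    in_vty = False
    for line in raw:
        s = line.strip()
        if m := AAA_RE.match(s):
            toks = m.group(4).split()
            for i, tok in enumerate(toks[:-1]):
                name = toks[i + 1]
                if tok == "group" and name not in groups:
                    hint = " (a method-list name, not a server group)" if name in lists else ""
                    findings.append(f"unknown server group '{name}'{hint} in: {s}")
        elif s.startswith("line vty"):
            in_vty = True
        elif not line.startswith(" "):
            in_vty = False
        elif in_vty and new_model and s.startswith("password "):
            findings.append(f"vty line password is unused under aaa new-model; remove: {s}")
    return findings

# Constructed sample mirroring the post's config, then the corrected version.
CONFIG = """\
aaa new-model
aaa authentication login ACCESS-1 group radius local
aaa authentication enable default group ACCESS-1 enable
line vty 0 4
 password cisco
 login authentication ACCESS-1
"""
FIXED = CONFIG.replace("group ACCESS-1 enable", "group radius enable").replace(" password cisco\n", "")
```

Running `audit_aaa(CONFIG)` reports the bad group reference and the vty password; `audit_aaa(FIXED)` returns no findings.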
11-24-2019 04:18 AM
Remove this line from vty:
password cisco
And, if your privilege is 15 and successfully authorized, you wouldn't need this:
aaa authentication enable default group ACCESS-1 enable
So remove it and test.