ISE TACACS - ASA AAA console

Cengiz Savas
Level 1

Hello,

I am running ISE 2.4 and ASA v9.9 in my lab setup.

I have two users on ISE and have assigned different priv-levels to these users:

  • on-admin: PRIV15
  • on-read: PRIV3

Both user accounts on ISE have a username/password as well as an enable password.

 

My ASA config: 

 

on-asa5506# sh run aaa
aaa authentication http console LOCAL
aaa authentication serial console ON-TACACS LOCAL
aaa authentication enable console ON-TACACS LOCAL
aaa authentication ssh console ON-TACACS LOCAL
aaa authorization command ON-TACACS LOCAL
aaa authorization exec authentication-server auto-enable
aaa authentication login-history
on-asa5506#

 

When I authenticate on the console with on-read (PRIV3), I can log in successfully but cannot get into enable mode with my password saved in ISE.

Username: on-read
Password: **********
User on-read logged in to on-asa5506
Logins over the last 1 days: 1.
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
on-asa5506> en
Password: **************
Password: **************
Password:

 

The ISE logs show the following error message:

 

When I SSH with the same user, I am directly in enable mode but with priv=3:

login as: on-read
on-read@192.168.2.1's password:
User on-read logged in to on-asa5506
Logins over the last 1 days: 3. Last login: 11:07:37 CEDT Aug 16 2019 from 192.168.2.60
Failed logins since the last login: 0.
Type help or '?' for a list of available commands.
on-asa5506# sh cur
Username : on-read
Current privilege level : 3
Current Mode/s : P_PRIV
on-asa5506#

 

Can someone help me understand this behaviour?

 

Thanks in advance.

 

Cengiz

1 Reply

Cengiz Savas
Level 1
I have just recognised that my screenshot is corrupted. Here is the ISE log message:
Message Text Failed-Attempt: Authentication failed
Failure Reason 13029 Requested privilege level too high