cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
34620
Views
77
Helpful
14
Replies

Login to ASA with Enable Mode

Scott Pickles
Level 4
Level 4

I've seen some posts on the forum regarding the use of AAA to login to an ASA in enable mode.  I'm using a Server 2008 R2 NPS server, and I can successfully login.  However, I'm using the NPS server to send back the Cisco AV-pair for 'priv-lvl=15'.  I am expecting to login to the ASA and be in enable mode.  I have seen other posts reference TACACS+, but we don't have ACS.  Is TACACS+ a requirement for this?  I remember reading in some other forums that it's a security feature on the ASA to not allow logging in directly to the enable mode.

Regards,
Scott

2 Accepted Solutions

Accepted Solutions

Richard Burts
Hall of Fame
Hall of Fame

Scott

I believe that you are correct that it is a security feature of the ASA that it will not allow you to login to the ASA and go directly to enable mode. I believe that this is the behavior whether the authentication servers uses TACACS or any other authentication protocol.

HTH

Rick

HTH

Rick

View solution in original post

This works for local accounts only on the ASA, you cannot getting into enable mode directly via SSH using Radius or LDAP.  This is because this is a security device.

View solution in original post

14 Replies 14

Richard Burts
Hall of Fame
Hall of Fame

Scott

I believe that you are correct that it is a security feature of the ASA that it will not allow you to login to the ASA and go directly to enable mode. I believe that this is the behavior whether the authentication servers uses TACACS or any other authentication protocol.

HTH

Rick

HTH

Rick

Hi,

Actually it is possible - i can't be sure if it is the new version of ASA that allows it.

I am running asa916-k8.bin on 5510

 

The command is aaa authorization exec LOCAL auto-enable

 

When I ssh to my ASA, I enter my username and password and I am at priv exec mode straight away.

Try it and let me know.

Ravi L

Ravi L

 

That is an interesting development. Thanks for letting us know that the behavior of ASA has changed.

 

HTH

 

Rick

HTH

Rick

This works for local accounts only on the ASA, you cannot getting into enable mode directly via SSH using Radius or LDAP.  This is because this is a security device.

Works fine with ssh with Tacacs authentication!

The command you need for ssh against tacacs to work is:
aaa authorization exec authentication-server auto-enable

That is correct, For all the years ASA dev team would not entertain to add this feature but finally they made the change beginning code 9.2.1 where they introduced the "Auto-enable" command

 

aaa authorization exec { authentication-server | LOCAL } [ auto-enable ]

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/a1.html

 

 

auto-enable

Enables administrators who have sufficient authorization privileges to enter privileged EXEC mode by entering their authentication credentials once.


aaa authorization exec { authentication-server | LOCAL } [ auto-enable ]


too bad this does not seem to work with pubkey authentication

(trying on Version 9.1(6) )

 

Thank you Ravi, it works!!

Pretty sure the answer saying its not possible is wrong

no dear you are wrong, just tried it and it is awesome, before that from console it would log into enable mode, but not from ssh, and the enable password would always be wrong for some reason. Until ACS is connected this is great!

camejia
Level 3
Level 3

Hello Scott,

Confirming Richard statement from AAA perspective. The ASA will not allow you to get directly into Enable Mode when returning Privilege Level 15. The feature is only implemented on IOS devices. The ASA is considered a security device and it will not put you directly on Enable Mode as IOS does.

Regards.

 

 

 

ccie4297
Level 1
Level 1

This works with NPS as the RADIUS server to my ASA5545-X as well... just need to do a little policy config on the NPS side.  

aaa authentication enable console NPS_RADIUS LOCAL
aaa authentication ssh console NPS_RADIUS LOCAL
aaa authorization exec authentication-server auto-enable

 

sh ver

Cisco Adaptive Security Appliance Software Version 9.14(4)17