TACACS+ configuration for Cisco ASA
01-21-2009 01:21 AM - edited 03-10-2019 04:17 PM
I tried configuring TACACS+ configuration for ASA but was unable to complete it. I have ACS 3.3 for all other Cisco Routers and Switches.
Labels: AAA
01-21-2009 02:26 AM
01-22-2009 05:10 AM
Please see below:
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ host x.x.x.x
key test
aaa authentication ssh console TACACS+
aaa authentication enable console TACACS+
aaa authentication http console TACACS+
01-28-2009 10:57 AM
Is there some type of access list that needs to be inserted or something? I can't get this to work. It should be that difficult. I keep getting "Password authentication failed."
01-28-2009 02:22 PM
Dwayne
There is not an access list that is required to authenticate from the ASA. Perhaps we could find your problem if you would post your configuration.
HTH
Rick
01-28-2009 05:51 PM
Hey Rick, thanks. I finally figured out what was going on. We use RSA tokens for authentication. It would allow me to log into the ASA, however, when I would try to log into the enable mode, I would have complications.
What I learned was that I needed to wait for the key on the RSA token to change to the next code and use that. The ASA will not let me use the same code to log into enable mode.
Does anyone know if this feature can be bypassed to where I can use the same token key code for both prompts?
Dwayne
01-28-2009 07:13 PM
Dwayne
I am glad that you have figured out what the issue is. I believe that it is a fundamental concept of RSA tokens that you can only use a token once. Any attempt to authenticate a second time with the same token will be rejected.
So authenticate once (with the first token) and then wait till the new token is generated before you attempt to authenticate to enable mode.
HTH
Rick
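As an added illustration of the one-time-use behaviour described in the reply above (not code from this thread, from Cisco or from RSA): a minimal verifier that uses RFC 6238 TOTP as a stand-in for the proprietary SecurID algorithm, with an assumed 60-second step. The names `tokencode`, `OneTimeVerifier` and `login_then_enable` are hypothetical; the scenario shows the same code rejected at the enable prompt and the next code accepted.

```python
import hashlib
import hmac
import struct

STEP = 60  # assumed seconds per tokencode

def tokencode(seed: bytes, now: int, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1), standing in for the vendor algorithm."""
    mac = hmac.new(seed, struct.pack(">Q", now // STEP), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation per RFC 4226
    value = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

class OneTimeVerifier:
    """Hypothetical server-side check: one accepted code per user per time step."""

    def __init__(self, seeds):
        self.seeds = seeds      # user -> shared seed
        self.last_step = {}     # user -> last time step already consumed

    def verify(self, user: str, code: str, now: int) -> str:
        seed = self.seeds.get(user)
        if seed is None:
            return "reject: unknown user"
        expected = tokencode(seed, now)
        if not hmac.compare_digest(code.encode(), expected.encode()):
            return "reject: wrong code"
        if self.last_step.get(user, -1) >= now // STEP:
            return "reject: code already used"  # replay within the same step
        self.last_step[user] = now // STEP
        return "accept"

def login_then_enable():
    """Constructed scenario: SSH login, then two attempts at the enable prompt."""
    seed = b"constructed-demo-seed"
    server = OneTimeVerifier({"admin": seed})
    t0 = 1_233_165_000  # constructed timestamp, start of a 60 s step
    code = tokencode(seed, t0)
    return [
        server.verify("admin", code, t0),                               # login
        server.verify("admin", code, t0 + 10),                          # enable, same code
        server.verify("admin", tokencode(seed, t0 + STEP), t0 + STEP),  # enable, next code
    ]

if __name__ == "__main__":
    print(login_then_enable())
```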
05-09-2017 07:47 AM
Hi Everyone
Does anyone know why the TACACS key appears in plain text?
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ host x.x.x.x
key "test"<---------------------
Is it possible to hide it?
I'm using ASA 8.0(4).
Thanks in advance.
Best regards
02-01-2009 01:05 PM
Unlike a router or switch, you cannot go straight to enable mode on an ASA. You will need to authenticate twice.
03-18-2009 04:49 AM
Hello,
Do you know if there is any official Cisco document that clarifies this point?
I need the document to show my customer that it is not possible at the moment.
Thanks and regards,
Oscar Pirez
03-18-2009 06:48 AM
Oscar,
If you want to know about logging to enable mode directly then here is the link,
http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K25224726
Regards,
~JG
Do rate helpful posts
03-18-2009 07:45 AM
Hello Jagdeep,
thank you very much for the info.
Regards,
Oscar
03-18-2009 07:59 AM
Sorry,
is this valid for ASA 8.0 as well?
regards,
Oscar
03-18-2009 08:51 AM
Yes.
Regards,
~JG
Do rate helpful posts
03-24-2009 02:35 AM
Hi all,
I am unable to log in to ASA ASDM through RSA tokens, but I can through SSH. What setting am I missing?
Thanks
