tacacs for ASA 5550

gavin han
Level 1

Hi,

How to set up TACACS for ASA 5550 with ACS 4.2? I've two ASAs, one active and the other in standby mode. Please tell me how to set it up. I couldn't find any good docs either.

thanks.

Accepted Solution

Vinay Sharma
Level 7

Hi Gavin,

Here is the sample config for ASA's telnet authentication from Tacacs:

username admin password xxxxx privilege 15
aaa-server TEST protocol tacacs+
aaa-server TEST (inside) host x.x.x.x  yyy   
[x.x.x.x is the ip address of the tacacs server and is reachable from the inside interface and 
yyy is the shared secret key.]

aaa authentication telnet console TEST LOCAL   
[This will send the telnet authentication request to the tacacs server first and if it is not
reachable then use the local database of the ASA]

aaa authentication ssh console TEST LOCAL    [same as above but for ssh session]
aaa authorization exec authentication-server    
[this enables exec authorization for the telnet and ssh sessions.]
aaa authentication http console TEST LOCAL [for HTTP]
aaa accounting command TEST
[This enables command accounting for all the commands entered in the telnet or ssh session.]

On the tacacs server we need to add this ASA as a tacacs client with the same shared secret key yyy.

You can find some more details here:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1042026

On ACS you need to add ASA as device under network config with tacacs protocol.

thanks,

Vinay

If this helps you and/or answers your question please mark the question as "answered" and/or rate it, so other users can easily find it.

Thanks & Regards


2 Replies

sjhamb
Cisco Employee

Enable Tacacs+

aaa-server TACACS+ protocol tacacs+

Define the TACACS server IP with the key and the interface which is towards the TACACS server; you can specify the key on the same line or in sub-config mode.


aaa-server TACACS+ (inside) host 192.168.1.1
key cisco123

That's all to set up the TACACS, and then aaa commands based on what you are trying to achieve.

For example, to control access to the console using SSH with TACACS:


aaa authentication ssh console TACACS+ LOCAL

Standby should pick up the configs from the primary by itself.

HTH,

SJ
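Added here as an example (not part of either reply above, and not Cisco code): a small audit script that checks an ASA config snippet for the points both answers make, namely that the TACACS+ server group has a host with a shared key (inline or in sub-config mode), that every `aaa authentication ... console` line falls back to LOCAL so admins are not locked out when the server is unreachable, and that command accounting is configured. The sample config, address and key are constructed placeholders; the audit is written in Python because the ASA CLI itself cannot be run offline.

```python
import re

# Constructed sample modelled on the thread's commands; address and key are placeholders.
SAMPLE_CONFIG = """\
aaa-server TEST protocol tacacs+
aaa-server TEST (inside) host 10.0.0.5
 key s3cr3tkey
aaa authentication telnet console TEST LOCAL
aaa authentication ssh console TEST LOCAL
aaa authentication http console TEST
aaa authorization exec authentication-server
aaa accounting command TEST
"""

def parse_aaa(text):
    """Return (groups, auth, accounting) parsed from an ASA config snippet."""
    groups, auth, accounting, last_host = {}, {}, [], None
    for raw in text.splitlines():
        line = raw.strip()
        if m := re.match(r"aaa-server (\S+) protocol (\S+)$", line):
            groups.setdefault(m[1], {"protocol": m[2], "hosts": []})
        elif m := re.match(r"aaa-server (\S+) \((\S+)\) host (\S+)(?: (\S+))?$", line):
            last_host = {"ip": m[3], "iface": m[2], "key": m[4]}  # inline key form
            groups.setdefault(m[1], {"protocol": None, "hosts": []})["hosts"].append(last_host)
        elif (m := re.match(r"key (\S+)$", line)) and last_host is not None:
            last_host["key"] = m[1]                               # sub-config key form
        elif m := re.match(r"aaa authentication (\S+) console (.+)$", line):
            auth[m[1]] = m[2].split()                             # e.g. ["TEST", "LOCAL"]
        elif m := re.match(r"aaa accounting command (\S+)$", line):
            accounting.append(m[1])
    return groups, auth, accounting

def audit(text):
    """Return findings as strings; an empty list means the config follows the thread's advice."""
    groups, auth, accounting = parse_aaa(text)
    findings = []
    for name, g in groups.items():
        if not g["hosts"]:
            findings.append(f"group {name}: no server host configured")
        for h in g["hosts"]:
            if not h["key"]:
                findings.append(f"group {name}: host {h['ip']} has no shared key")
    for method, servers in auth.items():
        if servers[0] != "LOCAL" and servers[0] not in groups:
            findings.append(f"{method}: refers to undefined server group {servers[0]}")
        if "LOCAL" not in servers:
            findings.append(f"{method}: no LOCAL fallback; lockout if {servers[0]} is unreachable")
    if not accounting:
        findings.append("no 'aaa accounting command' line; CLI commands are not logged to TACACS+")
    return findings
```

Run `audit()` over the output of `show running-config aaa` and `show running-config aaa-server` from both units; the sample deliberately leaves LOCAL off the HTTP line so the audit reports it.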
