AAA authentication for Serial Console.

Alfredcfc
Level 1

Currently I am not using AAA authentication to log in to the serial console. Would this mean that when I log in to the ASA via a serial cable I bypass the AAA servers and use the local database?

Or do I have to specify aaa authentication serial console LOCAL?

 

But then this would force the enable password to be sent to my TACACS+ server, since I have used

aaa authentication enable.


5 Replies

balaji.bandi
Hall of Fame

Yes, you need to add enable and serial authentication as LOCAL. Example:

aaa authentication enable console LOCAL

aaa authentication serial console LOCAL

Note: make sure you test with a local username and password before you write the config, or you should have an alternative method to log in to the box to remediate the issue.

BB


The current configuration is like this:

aaa authentication ssh console My_tacacs+ LOCAL

aaa authentication http console My_tacacs+ LOCAL

aaa authentication enable console My_tacacs+ LOCAL

Also, I am doing accounting and authorization via TACACS+.


If I add

aaa authentication serial console LOCAL

I will be able to log in over the serial cable using local credentials, BUT I won't be able to enter the enable password, since it will be sent to the TACACS+ server and it will fail.

Could you please let me know if I can bypass sending enable passwords for serial login alone, so that both the login and exec login passwords are validated only against the local database credentials?

Your answer is here in this post.

Please do not forget to rate.

Hi Sheraz,

I read through the answer you have posted, but that answer is for a router, so can you please let me know if you can help me with this problem for an ASA firewall.

Hi,

Can you try the following:

- have a username locally configured with privilege level 15

- configure "aaa authentication enable console My_tacacs+ LOCAL" and "aaa authorization exec LOCAL auto-enable"

See if you can authenticate on the console as requested; afterwards, also test the remote SSH/telnet functionality.

Regards,

Cristian Matei.
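The thread's two practical concerns are the lockout risk balaji.bandi warns about (commit a LOCAL method list without a tested local user) and the mismatch Alfredcfc describes (serial login validated locally while "enable" is sent to TACACS+ first). The script below is an added example, not code from this thread or from Cisco: it parses a constructed ASA running-config excerpt built from the commands discussed above and flags both conditions before the config is written. The server-group name My_tacacs+ is the poster's; the local username "admin" and the sample config itself are assumptions for the demo, and the regexes cover only the "aaa authentication <conn> console ..." and "aaa authorization exec ..." forms seen in the thread.

```python
import re
from typing import Dict, List, Tuple

# Constructed ASA running-config excerpt for the demo. It is not a config
# posted in the thread; it combines the commands discussed there.
# "My_tacacs+" is the poster's server-group name; "admin" is an assumed user.
SAMPLE_CONFIG = """\
aaa-server My_tacacs+ protocol tacacs+
username admin password <redacted> privilege 15
aaa authentication ssh console My_tacacs+ LOCAL
aaa authentication http console My_tacacs+ LOCAL
aaa authentication enable console My_tacacs+ LOCAL
aaa authentication serial console LOCAL
aaa authorization exec LOCAL auto-enable
"""

# Only the forms used in the thread are handled: a primary method (server
# group or LOCAL) with an optional trailing LOCAL fallback.
AUTH_RE = re.compile(r"^aaa authentication (\S+) console (\S+)(?: (LOCAL))?\s*$")
AUTHZ_RE = re.compile(r"^aaa authorization exec (\S+)(?: (auto-enable))?\s*$")
USER_RE = re.compile(r"^username (\S+) .*\bprivilege (\d+)\b")


def parse_config(text: str) -> Dict:
    """Extract per-connection AAA method lists, exec authorization and
    privilege-15 local users from a running-config."""
    cfg = {"auth": {}, "exec_authz": None, "auto_enable": False, "priv15_users": []}
    for raw in text.splitlines():
        line = raw.strip()
        m = AUTH_RE.match(line)
        if m:
            conn, primary, fallback = m.groups()
            cfg["auth"][conn] = [primary] + ([fallback] if fallback else [])
            continue
        m = AUTHZ_RE.match(line)
        if m:
            cfg["exec_authz"] = m.group(1)
            cfg["auto_enable"] = m.group(2) is not None
            continue
        m = USER_RE.match(line)
        if m and m.group(2) == "15":
            cfg["priv15_users"].append(m.group(1))
    return cfg


def audit(cfg: Dict) -> List[Tuple[str, str]]:
    """Return (code, message) findings; an empty list means no concern found."""
    findings = []
    serial = cfg["auth"].get("serial")
    if serial is None:
        findings.append(("SERIAL_NO_AAA",
                         "no 'aaa authentication serial console' line: serial logins are "
                         "not checked against any AAA method list"))
    enable = cfg["auth"].get("enable", [])
    # The poster's situation: console login is LOCAL-only, but 'enable' goes to
    # the remote group first and auto-enable is not configured.
    if serial == ["LOCAL"] and enable and enable[0] != "LOCAL" and not cfg["auto_enable"]:
        findings.append(("ENABLE_REMOTE_FIRST",
                         f"serial login is LOCAL-only but 'enable' is sent to {enable[0]} "
                         "first; a local-only console user may not reach privileged EXEC"))
    uses_local = (any("LOCAL" in methods for methods in cfg["auth"].values())
                  or cfg["exec_authz"] == "LOCAL")
    if uses_local and not cfg["priv15_users"]:
        findings.append(("LOCAL_NO_PRIV15",
                         "LOCAL is referenced but no privilege-15 local username exists; "
                         "verify a local login works before committing"))
    return findings


if __name__ == "__main__":
    for code, msg in audit(parse_config(SAMPLE_CONFIG)) or [("OK", "no findings")]:
        print(f"{code}: {msg}")
```

Run it against the output of "show running-config" (piped into a file) before saving a change; the sample above, which contains Cristian Matei's suggested auto-enable line and a privilege-15 local user, produces no findings, while the same config without auto-enable reproduces the ENABLE_REMOTE_FIRST condition the original poster describes.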
