cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
2878
Views
0
Helpful
2
Replies

aaa authentication serial console

johnlloyd_13
Level 9
Level 9

hi

i'm trying to figure out what's wrong with my AAA config.

when I SSH/telnet to the ASA using my TACACS+ account is fine.

but i can't seem to login on our OBM server when I use the same TACACS+ account and also tried the enable password on the ASA.

appreciate anyone advise.

 

NORMAL REMOTE ACSESS:

 

User Access Verification

Username: John
Password: ********
Type help or '?' for a list of available commands.
ciscoasa/admin> en
Password: ********

ciscoasa/admin# sh run  | i aaa
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 172.27.1.1
aaa authentication ssh console TACACS LOCAL
aaa authentication http console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authentication serial console TACACS LOCAL

aaa authorization command TACACS LOCAL
aaa authorization exec authentication-server

 

 

OBM/jump server:

 

Console session started.  Press ~[ENTER] to exit.


Username: John
Password: ********
Type help or '?' for a list of available commands.
ciscoasa> en
Password: ********    <<< USED TACACS+ PW
Invalid password
Password: ********    <<< USED THE ASA CONFIGURED enable password
Invalid password
Password: ******
Invalid password
Access denied.

2 Replies 2

Maykol Rojas
Cisco Employee
Cisco Employee

If you use the "Login" command under the user mode

ciscoasa>login

And then use your credentials, does it work? 

The serial, only authenticates to the console port, but not the exec mode, for that you will need to have authorization configured (as far as I remember, anyone else, please feel free to jump in). 

 

With version 9.2, you can use the auto-enable option: 

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/a1.html#pgfId-1595724

Mike. 

 

 

 

Mike

hi,

login doesn't work.

what authorization line should i add?

it only gives me the option to add LOCAL and authentication-server (which i already have).

ASA code is 8.3(2).

 

Console session started.  Press ~[ENTER] to exit.


Username: John
Password: ********
Type help or '?' for a list of available commands.
ciscoasa> login
Username: John
Password: ********
%Login failed

 

ciscoasa/admin(config)# aaa authorization exec ?

configure mode commands/options:
  LOCAL                  Use authorization attributes of corresponding local
                         user
  authentication-server  Use authenticating servers

 

Review Cisco Networking for a $25 gift card