08-26-2015 07:41 AM - edited 03-11-2019 11:30 PM
Hi,
I'm trying to figure out what's wrong with my AAA config.
When I SSH/telnet to the ASA using my TACACS+ account, it is fine.
But I can't seem to log in on our OBM server when I use the same TACACS+ account; I also tried the enable password on the ASA.
I'd appreciate anyone's advice.
NORMAL REMOTE ACCESS:
User Access Verification
Username: John
Password: ********
Type help or '?' for a list of available commands.
ciscoasa/admin> en
Password: ********
ciscoasa/admin# sh run | i aaa
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 172.27.1.1
aaa authentication ssh console TACACS LOCAL
aaa authentication http console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authentication serial console TACACS LOCAL
aaa authorization command TACACS LOCAL
aaa authorization exec authentication-server
OBM/jump server:
Console session started. Press ~[ENTER] to exit.
Username: John
Password: ********
Type help or '?' for a list of available commands.
ciscoasa> en
Password: ******** <<< USED TACACS+ PW
Invalid password
Password: ******** <<< USED THE ASA CONFIGURED enable password
Invalid password
Password: ******
Invalid password
Access denied.
08-26-2015 11:46 AM
If you use the "login" command under user mode
ciscoasa>login
and then use your credentials, does it work?
Serial only authenticates to the console port, not to exec mode; for that you will need to have authorization configured (as far as I remember; anyone else, please feel free to jump in).
With version 9.2, you can use the auto-enable option:
http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/a1.html#pgfId-1595724
Mike.
08-26-2015 06:09 PM
Hi,
login doesn't work.
What authorization line should I add?
It only gives me the option to add LOCAL and authentication-server (which I already have).
ASA code is 8.3(2).
Console session started. Press ~[ENTER] to exit.
Username: John
Password: ********
Type help or '?' for a list of available commands.
ciscoasa> login
Username: John
Password: ********
%Login failed
ciscoasa/admin(config)# aaa authorization exec ?
configure mode commands/options:
LOCAL Use authorization attributes of corresponding local user
authentication-server Use authenticating servers
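The thread turns on which access paths (ssh, http, enable, serial, telnet) the "aaa authentication ... console" lines actually cover, and whether "aaa authorization exec" is present. As an added example (not part of this thread and not Cisco's tooling), the following Python checker parses "sh run | i aaa" output of the form posted in the first message and reports the structural gaps a reviewer would look for: console types with no AAA authentication, server groups referenced but never defined or defined without a host, missing LOCAL fallback, and a missing exec authorization line. The sample config embedded below is copied from the first post; the regexes and the finding texts are assumptions of this example, and the auto-enable keyword is tolerated only because Mike's reply mentions it for 9.2.

```python
import re
from dataclasses import dataclass, field

# Sample input: the 'sh run | i aaa' lines posted in the first message of this thread.
SAMPLE_CONFIG = """\
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 172.27.1.1
aaa authentication ssh console TACACS LOCAL
aaa authentication http console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authentication serial console TACACS LOCAL
aaa authorization command TACACS LOCAL
aaa authorization exec authentication-server
"""

# Connection types that "aaa authentication <type> console" can protect on an ASA.
CONSOLE_TYPES = ("enable", "http", "serial", "ssh", "telnet")

# Assumed line shapes (this example's own regexes, matching the output above).
SERVER_GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
SERVER_HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)")
AUTHN_RE = re.compile(r"^aaa authentication (\S+) console (\S+)(?: (LOCAL))?$")
# "auto-enable" (9.2+, per the reply above) is accepted but not otherwise tracked here.
AUTHZ_RE = re.compile(r"^aaa authorization (command|exec) (\S+)(?: (LOCAL))?(?: auto-enable)?$")


@dataclass
class AaaAudit:
    groups: dict = field(default_factory=dict)          # group -> {"protocol": str, "hosts": [str]}
    authentication: dict = field(default_factory=dict)  # conn type -> (group, falls back to LOCAL)
    authorization: dict = field(default_factory=dict)   # "command"/"exec" -> (group, falls back to LOCAL)
    findings: list = field(default_factory=list)        # human-readable gaps


def audit_aaa(config_text: str) -> AaaAudit:
    """Parse 'show run | include aaa' output and report structural gaps."""
    a = AaaAudit()
    for raw in config_text.splitlines():
        line = raw.strip()
        if m := SERVER_GROUP_RE.match(line):
            a.groups[m.group(1)] = {"protocol": m.group(2), "hosts": []}
        elif m := SERVER_HOST_RE.match(line):
            a.groups.setdefault(m.group(1), {"protocol": "?", "hosts": []})["hosts"].append(m.group(3))
        elif m := AUTHN_RE.match(line):
            a.authentication[m.group(1)] = (m.group(2), m.group(3) == "LOCAL")
        elif m := AUTHZ_RE.match(line):
            a.authorization[m.group(1)] = (m.group(2), m.group(3) == "LOCAL")

    # Every console type without its own line keeps using the ASA's local/enable passwords.
    for conn in CONSOLE_TYPES:
        if conn not in a.authentication:
            a.findings.append(f"{conn}: no 'aaa authentication {conn} console' line; "
                              f"this access path does not use the AAA server")

    # Server-group sanity: the group must exist and have a host; LOCAL after the group
    # is the fallback used only when the server is unreachable, not on a rejected login.
    for conn, (group, fallback) in a.authentication.items():
        if group == "LOCAL":
            continue
        if group not in a.groups:
            a.findings.append(f"{conn}: server group '{group}' is referenced but never defined")
        elif not a.groups[group]["hosts"]:
            a.findings.append(f"{conn}: server group '{group}' has no host; every login hits the fallback")
        if not fallback:
            a.findings.append(f"{conn}: no LOCAL fallback; lockout if '{group}' becomes unreachable")

    # Without exec authorization the privilege level returned by the server is not applied.
    if "exec" not in a.authorization:
        a.findings.append("no 'aaa authorization exec' line; server-supplied privilege level is not applied")
    return a


if __name__ == "__main__":
    result = audit_aaa(SAMPLE_CONFIG)
    for conn, (group, fallback) in sorted(result.authentication.items()):
        print(f"{conn:7s} -> {group}{' (LOCAL fallback)' if fallback else ''}")
    for finding in result.findings:
        print("FINDING:", finding)
```

Run against the posted config, the only finding is that telnet has no AAA authentication line; the serial, ssh, http and enable paths all point at the TACACS group with LOCAL fallback, and exec authorization is present. The checker reports structure only; it cannot tell why a particular password is rejected, which is the open question in this thread.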