04-01-2020 06:12 PM
Do we need to enable aaa for serial login?
Currently I have not enabled it and it's blank. When I queried Cisco TAC whether not having an aaa config for the serial cable, while having it for others such as SSH and HTTP, would work, he said:
He said when I connect a serial cable to the ASA nothing will be prompted: no username, no password, no enable password.
Is this correct?
We are going for an upgrade and I don't want to lock out the ASA firewall in the middle of an upgrade;
the current config looks something like this:
#aaa ssh console Tacacs+ local
#aaa http console Tacacs+ local
#aaa authorization Tacacas+ local
#aaa authorization enable auth-sever local
#aaa accounting Tacacs+
04-01-2020 10:47 PM
Hi,
Are you doing the upgrade from the console or remotely, via SSH for example? Post the complete aaa config from the ASA; one missing command, or one wrongly presented by you, and you could get wrong instructions. For example, there is no "aaaa authorisation enable".
Regards,
Cristian Matei.
04-04-2020 07:30 AM
04-04-2020 09:21 AM
Hi,
If you have that configuration and remotely log in to the ASA to perform the upgrade, you will only lose access to the ASA as a part of the restart process; when it comes back online, you'll be able to log in again. Make sure to use "verify /md5" and "verify /sha512" to ensure the new image is not corrupted.
Regards,
Cristian Matei.
04-04-2020 07:33 PM
To cover all bases, what if the ASA loses all its connections and we have to log in via the serial console physically?
Would this config work?
04-04-2020 11:31 PM
04-05-2020 01:10 AM
Hi Saxena,
Thanks for the info.
For my understanding, what will happen when I connect to the serial port, since I have not enabled any aaa for the serial port? I wouldn't be prompted for any login username, password or enable password?
04-05-2020 02:05 AM - edited 04-05-2020 02:09 AM
Earlier in the post you mentioned your config:
aaa authentication enable console TACACS+ LOCAL
This basically tells the ASA to use the local username and password database, not the enable password. If you want to authenticate using the locally configured enable password, just remove:
aaa authentication enable console TACACS+ LOCAL
Now, if this config below still exists on the production box which is going to be upgraded, in that case you will have:
aaa authentication enable console TACACS LOCAL
aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authorization command TACACS LOCAL
aaa accounting enable console TACACS
aaa accounting ssh console TACACS
aaa authentication serial console LOCAL ISE
then local user authentication comes into place.
04-05-2020 10:12 AM
Hi salim,
Thanks for your input. If I am understanding correctly, you mean to say that the command:
aaa authentication enable console TACACS+ LOCAL
will authenticate the enable password typed by the user against the TACACS+ database on the ISE server.
So, for me to log in to the serial port using the local username and password, do I have to configure the below command?
aaa authentication serial console LOCAL
But when I type the >enable command, the password I use will be sent to the TACACS+ server and I will not be able to log in because the below command is still active:
aaa authentication enable console TACACS+ LOCAL
I don't want to remove the above command because I want all users' enable passwords to be authenticated by the TACACS+ ISE server.
04-05-2020 03:54 AM
04-05-2020 10:15 AM
Will I be prompted for username and password, since I have not configured the below command for serial authentication?
aaa authentication serial console
This is my doubt; I have never logged into the serial port before.
04-06-2020 12:32 AM
04-04-2020 12:20 PM
I have tested in my lab.
You should be fine.
ASA
!
username admin password cisco priv 15
!
aaa-server ISE protocol tacacs+
aaa-server ISE (mgmt) host 150.1.7.212 key cisco
!
aaa authentication ssh console ISE LOCAL
aaa authentication enable console ISE LOCAL
aaa authentication http console ISE LOCAL
aaa authentication telnet console ISE LOCAL
!
aaa authorization command ISE LOCAL
aaa authentication secure-http-client
aaa authorization exec authentication-server auto-enable
aaa authorization http console ISE
!
aaa accounting ssh console ISE
aaa accounting serial console ISE
aaa accounting enable console ISE
aaa accounting command ISE
aaa accounting telnet console ISE
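A pre-upgrade lockout check, added here as an example and not part of any post in this thread: it parses an ASA running-config for the "aaa authentication <type> console" lines and reports which console types (serial, ssh, http, telnet, enable) have no entry at all or no LOCAL fallback, plus whether a local username exists for that fallback. The sample config embedded below is a constructed re-typing of the lab config above; the function names are this example's own.

```python
import re

# Constructed sample input: the lab config from this thread, one command per line.
SAMPLE_CONFIG = """\
username admin password cisco priv 15
aaa-server ISE protocol tacacs+
aaa-server ISE (mgmt) host 150.1.7.212 key cisco
aaa authentication ssh console ISE LOCAL
aaa authentication enable console ISE LOCAL
aaa authentication http console ISE LOCAL
aaa authentication telnet console ISE LOCAL
aaa authorization command ISE LOCAL
aaa accounting serial console ISE
"""

CONSOLE_TYPES = ("serial", "ssh", "http", "telnet", "enable")
AUTH_RE = re.compile(r"^aaa authentication (serial|ssh|http|telnet|enable) console (.+)$")


def parse_auth_methods(config):
    """Map each console type to its configured authentication method list (e.g. ['ISE', 'LOCAL'])."""
    methods = {}
    for line in config.splitlines():
        m = AUTH_RE.match(line.strip())
        if m:
            methods[m.group(1)] = m.group(2).split()
    return methods


def lockout_findings(config):
    """Return findings about access paths that could lock you out if the AAA server is unreachable."""
    methods = parse_auth_methods(config)
    has_local_user = any(l.strip().startswith("username ") for l in config.splitlines())
    findings = []
    for ctype in CONSOLE_TYPES:
        if ctype not in methods:
            # No AAA line for this access type: the ASA default for that path applies.
            findings.append(f"{ctype}: no 'aaa authentication {ctype} console' line configured")
        elif "LOCAL" not in [m.upper() for m in methods[ctype]]:
            findings.append(f"{ctype}: no LOCAL fallback; an unreachable AAA server means lockout")
    if not has_local_user:
        findings.append("no local username configured; LOCAL fallback has nothing to authenticate against")
    return findings


if __name__ == "__main__":
    for finding in lockout_findings(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of "show running-config aaa" plus the username lines before the upgrade; for the lab config above it reports only that serial has no authentication line.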