ASA and Tacacs authentication aaa

Steven Peree · ‎01-04-2013

Dear all,

Last week I installed an ASA for one of our customers with a "BASE" License.

I named an INSIDE and an OUTSIDE interface

The management is done over the Management interface.

Now we also want to enable Tacacs to authenticate when we login on the ASA.

But I'm experiencing a problem. Is it possible to authenticate aaa over the Management interface when using a "BASE" License?

I can't find how to get it to work...

Somebody experience with this, if it's possible afterall or does have some good doumentation?

Kind rgeards

Steven

Jouni Forss · ‎01-04-2013

Hi,

I don't think using an AAA server requires any licensing that any ASA wouldnt already have.

To my understanding to get the AAA working the ASA doesnt require that much configurations

Very basic configuration should be

aaa-server TACACS protocol tacacs+

aaa-server TACACS (interface) host x.x.x.x

key

aaa-server TACACS (interace) host y.y.y.y

key

aaa authentication telnet console TACACS LOCAL

aaa authentication ssh console TACACS LOCAL

aaa authentication http console TACACS LOCAL

aaa authentication serial console TACACS LOCAL

Where

TACACS = name of the server-group
tacacs+ = protocol
interface = ASA interface behind which the AAA server is located
x.x.x.x = AAA server IP
y.y.y.y = AAA server IP (secondary if its exists)
tacacs key = server secret
aaa authentication telnet/ssh/http/serial = AAA configurations for all management connection types
TACACS LOCAL = First option is to use the AAA servers and if they fail fall back to the LOCAL AAA information on the ASA itself

- Jouni