1402 Views | 0 Helpful | 2 Replies

ASA with SSH access and Two Factor Auth (2FA)

RyanB
Level 1

I have an ASA that speaks to a Microsoft LDAP server to authenticate users via phone calls.

It works fine, for both SSH and the ASDM.

However, for the ASDM, only one 2FA call is required to make configuration edits, but for SSH it seems to require two 2FA calls (one for the SSH connection, one for enable/EXEC mode). This can be rather annoying, and sometimes the 2nd call never makes it to people's cell phones, so it has to be attempted a 3rd time.

So my questions are:

- Can the ASA put the user directly into EXEC (enable mode)?

   (note: I have tried "aaa authorization exec ??? auto-enable" and it has not worked.)

- Is there a way to only require 2FA on the SSH connection, not enable? (or vice versa - only on enable and not SSH?)

Current configuration:

ldap attribute-map AccessLevel
  map-name  comment Privilege-Level
  map-value comment Privilege15 15
  map-name  memberOf IETF-Radius-Service-Type
  map-value memberOf CN=Users,DC=test,DC=local 15
!
aaa-server ldapserver protocol ldap
aaa-server ldapserver (inside) host 192.168.1.100
 timeout 60
 ldap-base-dn DC=test,DC=local
 ldap-group-base-dn OU=Users,DC=test,DC=local
 ldap-scope subtree
 ldap-login-password *****
 ldap-login-dn admin@test.local
 server-type microsoft
 ldap-attribute-map AccessLevel
 group-search-timeout 30
!
aaa authentication http console ldapserver LOCAL
aaa authentication enable console ldapserver LOCAL
aaa authentication ssh console ldapserver LOCAL
aaa authorization command LOCAL

2 Replies

This is a security feature of the ASA and cannot be changed. To log into the CLI privileged exec mode you must enter the enable password.

Certain terminal emulators allow for macros, so you might be able to use one of these and have a macro that enters the enable password for you. Keep in mind that security-wise this is not a good practice and should be avoided.

--
Please remember to select a correct answer and rate helpful posts

That's actually incorrect, it is possible.

[screenshot attached: Untitled.png]

The issue I'm having is that I cannot figure out how to do it using an authentication server.

The above was accomplished by using:

aaa authorization exec LOCAL auto-enable

I would like to be able to use:

aaa authorization exec authentication-server auto-enable

I suspect it may have something to do with LDAP attributes, but I'm not sure.
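The configuration below is an added example, not something posted in this thread and not a Cisco-supplied snippet. It shows the shape of an LDAP attribute map that "aaa authorization exec authentication-server auto-enable" can act on: with the "authentication-server" keyword the ASA reads the IETF-Radius-Service-Type attribute returned for the user (6 = administrative, which lands the session in privileged EXEC; 7 = nas-prompt, user EXEC only), so the directory group is mapped to a Service-Type value rather than to a privilege number. It reuses the server name, host and base DN from the original post; the group CN=ASA-Admins and the recovery username are assumed placeholders.

```cisco
! Added example (assumptions: group CN=ASA-Admins exists in AD; server details as in the thread)
! Map AD group membership to IETF-Radius-Service-Type so "authentication-server"
! authorization has an attribute to evaluate:
!   6 (administrative) -> privileged EXEC after a single SSH login with auto-enable
!   7 (nas-prompt)     -> user EXEC only
ldap attribute-map AccessLevel
  map-name  memberOf IETF-Radius-Service-Type
  map-value memberOf CN=ASA-Admins,CN=Users,DC=test,DC=local 6
!
aaa-server ldapserver protocol ldap
aaa-server ldapserver (inside) host 192.168.1.100
 timeout 60
 ldap-base-dn DC=test,DC=local
 ldap-scope subtree
 ldap-login-dn admin@test.local
 ldap-login-password *****
 server-type microsoft
 ldap-attribute-map AccessLevel
!
aaa authentication ssh console ldapserver LOCAL
aaa authentication http console ldapserver LOCAL
! Privilege comes from the server-returned Service-Type, and auto-enable skips the
! separate enable prompt, so only the SSH login triggers the 2FA call.
aaa authorization exec authentication-server auto-enable
aaa authorization command LOCAL
!
! Local fallback so a directory or 2FA outage cannot lock administrators out.
username asa-recovery password <set-a-strong-password> privilege 15
```

Two things worth checking before relying on this: confirm with "test aaa-server authentication ldapserver username <user>" (or "debug ldap 255") that the memberOf value actually comes back for the account and matches the mapped DN exactly, and log in with an account that is not in the group to verify it does not receive Service-Type 6. Users the map does not match return no Service-Type at all, so their access should be tested rather than assumed.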