01-06-2014 08:26 AM - edited 03-11-2019 08:25 PM
Hi,
I am configuring the ASA 8.4 with TACACS+ using the CLI configuration below. I can only successfully log in to the USER MODE of the ASA via TACACS+, but I am unable to get to the enable mode of the ASA via TACACS+. Also, the ASA is not falling back to the local enable password either.
Also, I can successfully run "test aaa authentication TACACS+ username abc password password1":
INFO: Authentication Successful
From the same ACS, TACACS+ works for both user mode and enable mode on routers/switches.
Current ASA CLI
~~~~~~~~~~~~~
username [ENTER USERNAME HERE] password [ENTER ADMIN PASSWORD HERE] privilege 15
enable password [ENTER ENABLE MODE PASSWORD HERE]
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host [ENTER TACACS+ SERVER IP ADDRESS HERE] [ENTER SECRET KEY HERE] timeout 10
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting enable console TACACS+
aaa accounting ssh console TACACS+
01-06-2014 05:04 PM
Hey Rizwan,
What ACS version are you running?
Make sure you defined the username with a static privilege level of 15; otherwise it will not be able to pass the enable authentication.
If ACS 5.x or higher, go to the policy elements: Shell Profile and make sure you have one assigned for a static maximum privilege of 15 and, most important, that it's applied to an access-policy rule.
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
01-10-2014 08:52 AM
Hello,
Glad to know that I could help (remember to mark the question as answered, as that was the main topic of this ticket).
Now, moving to the new issue.
aaa authentication enable console TACACS+ LOCAL
This basically tells the ASA to use the local username and password database, not the enable password.
If you want to authenticate using the locally configured enable password, just remove
aaa authentication enable console TACACS+ LOCAL
and you will always be authenticating using the locally configured enable password.
This is different from an IOS device, which provides the option to use the enable database on the router itself when authenticating.
Looking for some Networking Assistance?
Contact me directly at jcarvaja@laguiadelnetworking.com
I will fix your problem ASAP.
Cheers,
Julio Carvajal Segura
http://laguiadelnetworking.com
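As an added example (not part of this thread, and not a Cisco tool), here is a small Python audit script that parses the ASA AAA lines in the form posted above and reports which secret the `enable` prompt will accept with the TACACS+ servers reachable and unreachable, following Julio's explanation. The sample configuration is constructed to mirror the one in the thread; the audit rules encode only the points made here (LOCAL fallback present, local user at privilege 15, shared key set) rather than any Cisco best-practice list, and the script assumes the ASA default privilege of 2 for a local user defined without the `privilege` keyword.

```python
"""Audit ASA AAA/TACACS+ configuration lines (added example, not from the thread)."""
import re
from typing import Dict, List, Optional

# Constructed sample that mirrors the configuration posted in the thread.
SAMPLE_CONFIG = """\
username user1 password user123 privilege 15
enable password password2
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host 10.10.10.10
 timeout 6
 key abc123
aaa-server TACACS+ (inside) host 10.10.20.10
 timeout 6
 key abc123
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting enable console TACACS+
aaa accounting ssh console TACACS+
"""

USER_RE = re.compile(r"username (\S+) password (\S+)(?: privilege (\d+))?")


def parse_asa_aaa(text: str) -> dict:
    """Parse username, enable password, aaa-server groups/hosts and authentication methods."""
    cfg: dict = {"users": {}, "enable_password": None, "servers": {}, "authentication": {}}
    current_host: Optional[dict] = None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        parts = line.split()
        if line[0].isspace() and current_host is not None:
            # Indented sub-mode lines belong to the preceding 'aaa-server ... host' entry.
            if parts[0] == "timeout":
                current_host["timeout"] = int(parts[1])
            elif parts[0] == "key":
                current_host["key"] = parts[1]
            continue
        current_host = None
        if parts[0] == "username":
            m = USER_RE.match(line)
            if m:  # ASA default local-user privilege is 2 (assumption stated in the lead-in)
                cfg["users"][m.group(1)] = {"password": m.group(2), "privilege": int(m.group(3) or 2)}
        elif parts[:2] == ["enable", "password"]:
            cfg["enable_password"] = parts[2]
        elif parts[0] == "aaa-server":
            srv = cfg["servers"].setdefault(parts[1], {"protocol": None, "hosts": [],
                                                      "max_failed_attempts": None, "deadtime": None})
            if parts[2] == "protocol":
                srv["protocol"] = parts[3]
            elif parts[2] == "max-failed-attempts":
                srv["max_failed_attempts"] = int(parts[3])
            elif parts[2] == "deadtime":
                srv["deadtime"] = int(parts[3])
            elif parts[2].startswith("(") and parts[3] == "host":
                host = {"interface": parts[2].strip("()"), "ip": parts[4], "key": None, "timeout": None}
                rest = parts[5:]  # one-line form: host <ip> [key] [timeout N]
                if "timeout" in rest:
                    i = rest.index("timeout")
                    host["timeout"] = int(rest[i + 1])
                    rest = rest[:i] + rest[i + 2:]
                if rest:
                    host["key"] = rest[0]
                srv["hosts"].append(host)
                current_host = host
        elif parts[:2] == ["aaa", "authentication"] and "console" in parts:
            # aaa authentication <http|ssh|telnet|enable|serial> console <group> [LOCAL]
            cfg["authentication"][parts[2]] = parts[parts.index("console") + 1:]
    return cfg


def enable_credential(cfg: dict, user: str, tacacs_reachable: bool) -> dict:
    """Which secret the 'enable' prompt accepts for `user`, per the behaviour described in the thread."""
    methods = cfg["authentication"].get("enable")
    if not methods:  # no 'aaa authentication enable console': the enable password is always used
        return {"source": "enable password", "secret": cfg["enable_password"], "privilege": 15}
    if tacacs_reachable:  # server decides; the user needs max privilege 15 on ACS
        return {"source": "TACACS+ group " + methods[0], "secret": None, "privilege": None}
    if "LOCAL" in methods:  # fallback: the local user's own password, not 'enable password'
        u = cfg["users"].get(user)
        if u is None:
            return {"source": "LOCAL", "secret": None, "privilege": None}
        return {"source": "LOCAL", "secret": u["password"], "privilege": u["privilege"]}
    return {"source": "none", "secret": None, "privilege": None}  # no fallback configured


def audit(cfg: dict) -> List[str]:
    """Lockout and privilege findings drawn from the points made in the thread."""
    findings: List[str] = []
    for conn, methods in cfg["authentication"].items():
        if "LOCAL" not in methods:
            findings.append(f"{conn}: no LOCAL fallback; access is lost if every {methods[0]} host is down")
    if "LOCAL" in cfg["authentication"].get("enable", []):
        for name, u in cfg["users"].items():
            if u["privilege"] < 15:
                findings.append(f"user {name}: privilege {u['privilege']} cannot reach full enable via LOCAL")
    for tag, srv in cfg["servers"].items():
        for h in srv["hosts"]:
            if h["key"] is None:
                findings.append(f"{tag} host {h['ip']}: no shared key configured")
    return findings


if __name__ == "__main__":
    cfg = parse_asa_aaa(SAMPLE_CONFIG)
    for reachable in (True, False):
        print("TACACS+ reachable" if reachable else "TACACS+ down", enable_credential(cfg, "user1", reachable))
    print("findings:", audit(cfg) or "none")
```

With the sample configuration the script reports that, with the servers down, `enable` accepts user1's own password (`user123`) rather than `password2`, which is exactly the behaviour Rizwan observed; removing the `aaa authentication enable console` line makes the script report `password2` regardless of server state, matching the advice above.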
01-06-2014 02:15 PM
What does the CLI return after you enter the password for enable mode? What does it say in the logs on the TACACS+ server?
01-10-2014 08:36 AM
Hi,
Thanks for your assistance. The issue of logging in to enable mode via TACACS+ credentials is resolved as per your advice: I found that as soon as I configure ACS User Setup -> Advanced TACACS+ Settings -> Max Privilege for any AAA Client -> 15 instead of “Use Group Level Setting” (which is privilege 15 anyway), I can log in to the firewall enable mode via TACACS+ successfully.
Now the problem is that if I turn off the ACS, I can successfully log in to the firewall user mode via the fallback local credentials (the username/password below), but I can only log in to enable mode with the password user123; I am unable to log in to enable mode with the enable password, i.e. password2.
Configurations:
username user1 password user123 privilege 15
enable password password2
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host 10.10.10.10
key abc123
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting enable console TACACS+
aaa accounting ssh console TACACS+
Problem:
Test-ASA> en
Password: password2
Password:
Password: user123
Test-ASA#
02-05-2014 06:33 AM
Hi,
I thought I'd keep the discussion on the same page as it's very much related.
Please advise whether the timers I have added below follow Cisco best practices. Also, what is the function of the commands below, and do you recommend adding them or not?
aaa-server TACACS+ protocol tacacs+
reactivation-mode timed
~~~~~~~~~~~Please advise timers in below aaa commands~~~~~~~~~~~~~~~~~~~~
username user1 password user123 privilege 15
enable password password2
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host 10.10.10.10
timeout 6
key abc123
aaa-server TACACS+ (inside) host 10.10.20.10
timeout 6
key abc123
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting enable console TACACS+
aaa accounting ssh console TACACS+
11-17-2016 06:34 AM
Hello Rizwan,
Thanks for the post.
ACS User Setup-> Advanced TACACS+ Settings-> Max Privilege for any AAA Client->15
Regards,
Sreeharsha