03-25-2010 03:10 AM - edited 03-11-2019 10:25 AM
Hi,
I am using FWSM 4.1(1) with ASDM 6.2(1)F. I use ASDM to configure the FWSM with TACACS authentication, authorization and accounting, and I have enabled TACACS authentication for "Enable", "Telnet", "HTTP/ASDM"... Everything is fine when I use ASDM to log in to the "admin" context. But when I try to session into the FWSM from the switch, I can't log in with the same username and password I use to log in with ASDM. Can anyone tell me what the problem is? Thanks
03-25-2010 03:40 AM
Do you have "aaa authentication telnet console
03-25-2010 09:01 AM
I think the problem could be:
>> For ASDM you might have enabled HTTPS access in AAA but might not have allowed a session from the switch. Maybe the switch IP is not allowed, or telnet / SSH is disallowed to the FWSM.
>> If you add the switch IP or allow SSH / telnet, you should be in a position to use the same username and password from the switch.
03-25-2010 11:32 PM
I am now able to session into the FWSM using the "session slot no. pro 1" command. Once I log in using the TACACS username and password, I get the ">" prompt only. I need the enable password to get to the enable prompt. After that, when I change context to "admin", I get the error "Command authorization failed" for any command I issue. Please advise.
03-25-2010 11:35 PM
Looks like the ACS is configured with command authorization, and it is not allowing the commands that you type in.
You might want to check on the ACS server itself which commands are allowed.
03-26-2010 01:10 AM
AAA authorization has been enabled for ASDM/HTTP also, and I have no problem clicking any button in ASDM. So it seems the command authorization for ASDM is OK. But why do I get the command issue in the CLI?
03-26-2010 03:01 AM
1. Hope you have the enable password and have got into privileged mode...
2. It might be possible that the privilege level for the username/password you are giving has limited privileges...
3. Checking the AAA database for the username/password and privilege level should solve your problem.
03-29-2010 01:43 AM
I just wonder why I need to enter the enable password after entering "username" and "password", as my user account already has privilege level 15. Also, when I try to SSH into the admin context, I get the ">" prompt after entering the username and password. After that, I try to change to enable mode. The password is always not correct and the "enable" action fails (but I am pretty sure the password I type in is the same as the enable password configured).
03-29-2010 02:07 AM
With FWSM, after you are authenticated and in user prompt, to access the enable mode, you would need to type in "login" instead of "enable". It will prompt you to type in your TACACS username and password, and place you in enable mode as per your TACACS privileges.
Here is the URL for your reference:
http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/mgacc_f.html#wp1072206
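As an added illustration (not from this thread or the Cisco guide) of the configuration the replies above are circling around: the management paths authenticated against one TACACS+ group in the context being logged in to, followed by a constructed switch session that uses "login" rather than "enable" at the user prompt. The server address, shared secret, slot number and username are placeholders.

```text
! TACACS+ server group used for management access
! (192.0.2.10 and the key are placeholders)
aaa-server MGMT-TACACS protocol tacacs+
aaa-server MGMT-TACACS (inside) host 192.0.2.10
 key <tacacs-shared-secret>
!
! Authenticate every management path against the same group, with LOCAL
! as the fallback so the box stays reachable if the TACACS+ server is down
aaa authentication telnet console MGMT-TACACS LOCAL
aaa authentication ssh console MGMT-TACACS LOCAL
aaa authentication http console MGMT-TACACS LOCAL
aaa authentication enable console MGMT-TACACS LOCAL
!
! Command authorization: the ACS must permit the commands the user's
! privilege level needs, or "Command authorization failed" is returned
aaa authorization command MGMT-TACACS LOCAL
!
! Constructed session from the switch (slot 4 is a placeholder):
! "login" re-authenticates against TACACS+ and applies the user's privilege
! level, instead of asking for the locally configured enable password
Switch# session slot 4 processor 1
fwsm> login
Username: jdoe
Password: ********
fwsm#
```

Keep a local privilege-15 user defined for the LOCAL fallback, and when "Command authorization failed" appears, compare the command set granted on the ACS with what the user's privilege level is trying to run.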
03-29-2010 04:16 AM
It's funny, but the enable password is required when accessing through the CLI, whereas it works fine with ASDM. You may reset the enable password using ASDM and then try from the CLI... it will definitely work.
With regards,
Shailesh
08-28-2013 12:00 PM
I had the same problem and it was solved by restarting the FWSM slot with the command: hw-module module slot N° reset