03-02-2009 04:06 PM - edited 03-11-2019 07:59 AM
We have a FWSM in a Cat6500 (12.2(33)SXI). We use AAA TACACS with local failover for SSH access to both the FWSM admin context and the switch. Works great. However, when trying to session to the FWSM from the switch, it only seems to allow 1st level access using my TACACS credentials. It only accepts either the local admin context enable password or the password associated with a local privilege level 15 user (admin context) for enable access. Is there some way to configure enable access to also use my TACACS credentials? If possible, local authentication for failover would be preferred.
thanks.
P
03-02-2009 08:36 PM
aaa authentication enable console <
03-03-2009 08:36 AM
If you are talking about the fwsm, we already have the following statement configured in the admin context:
aaa authentication enable console tac_servers LOCAL
It's like it's not using AAA for enable after the session login, as I'm not getting a prompt for username, only password.
thanks
P.
03-05-2009 12:10 AM
Did you try debugging AAA and seeing what exactly is happening when you are sessioning into the FWSM?
03-05-2009 08:25 AM
Output from show debug on the FWSM system context while doing a session command from the switch:
Processing challenge for user xxxxxx, session id: 2147483691, challenge: Password:
Mar 05 2009 06:07:53: %FWSM-6-605005: Login permitted from 127.0.0.51/34817 to eobc:127.0.0.91/telnet for user "xxxxxx"
enabling in same session using local level 15 password:
Mar 05 2009 06:09:36: %FWSM-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15
thanks,
P
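The two syslog messages quoted above are the evidence the thread turns on: a %FWSM-6-605005 login for a named user, followed by a %FWSM-5-502103 privilege change attributed to the generic user enable_15, which is what the FWSM records when the shared enable password is used instead of the TACACS identity. The following is an added audit example (not code from the thread or from Cisco) that parses lines in that format and flags enable escalations that were not tied to a named user; the regexes, the PrivChange structure and the sample lines (the "inside" interface, SSH login and second user are constructed, the first two lines mirror the posted output with the username replaced) are assumptions for illustration.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log, modelled on the FWSM messages posted in the thread.
# Usernames, the "inside" interface and the SSH session are made up.
SAMPLE_LOG = """\
Mar 05 2009 06:07:53: %FWSM-6-605005: Login permitted from 127.0.0.51/34817 to eobc:127.0.0.91/telnet for user "jdoe"
Mar 05 2009 06:09:36: %FWSM-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15
Mar 05 2009 07:12:01: %FWSM-6-605005: Login permitted from 10.0.0.5/51022 to inside:10.0.0.1/ssh for user "asmith"
Mar 05 2009 07:12:20: %FWSM-5-502103: User priv level changed: Uname: asmith From: 1 To: 15
"""

# Message formats as they appear in the posted output (assumed stable).
LOGIN_RE = re.compile(
    r'%FWSM-6-605005: Login permitted from (\S+) to (\S+) for user "([^"]+)"')
PRIV_RE = re.compile(
    r'%FWSM-5-502103: User priv level changed: Uname: (\S+) From: (\d+) To: (\d+)')


@dataclass
class PrivChange:
    uname: str                      # user the FWSM attributed the change to
    frm: int
    to: int
    via_shared_enable_secret: bool  # True when uname is the generic enable_N
    last_login_user: Optional[str]  # named user of the most recent login seen
    last_login_src: Optional[str]   # source addr/port of that login


def audit(log_text: str) -> List[PrivChange]:
    """Correlate privilege changes with the preceding login and flag
    escalations performed with the shared enable password rather than
    an AAA-authenticated identity."""
    last_user: Optional[str] = None
    last_src: Optional[str] = None
    findings: List[PrivChange] = []
    for line in log_text.splitlines():
        m = LOGIN_RE.search(line)
        if m:
            last_src, _dst, last_user = m.groups()
            continue
        m = PRIV_RE.search(line)
        if m:
            uname, frm, to = m.group(1), int(m.group(2)), int(m.group(3))
            # enable_15, enable_1, ... is the placeholder identity the FWSM
            # records when the local enable password was used.
            shared = uname.startswith("enable_")
            findings.append(PrivChange(uname, frm, to, shared, last_user, last_src))
    return findings


def shared_secret_escalations(log_text: str) -> List[PrivChange]:
    """Only the changes that bypassed per-user (TACACS/local user) enable auth."""
    return [f for f in audit(log_text) if f.via_shared_enable_secret]


if __name__ == "__main__":
    for f in shared_secret_escalations(SAMPLE_LOG):
        print(f"priv {f.frm}->{f.to} via shared enable secret; "
              f"most recent login: {f.last_login_user} from {f.last_login_src}")
```

Run against the sample, this reports the enable_15 change and pairs it with the jdoe login that preceded it, while asmith's change (attributed to a named user) is not flagged. In practice the correlation is only a hint, since the privilege message carries no session id; the reliable signal is the enable_N username itself.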
03-06-2009 02:53 AM
FWSM 3.2 Configuration Guide
"In multiple context mode, you cannot configure any AAA commands in the system configuration. However, if you configure Telnet authentication in the admin context, then authentication also applies to sessions from the switch to the FWSM (which enters the system execution space). The admin context AAA server or local user database are used in this instance"
but not quite sure if this is the case with "enable" authentication; at least from what you have experienced, it looks like the enable password set under the system context is being used.
03-06-2009 08:37 AM
Agree on the aaa commands in the system config. In the admin context config we have the following aaa commands:
aaa authentication telnet console tac_servers LOCAL
aaa authentication enable console tac_servers LOCAL
Just doesn't seem to work with enable.
thanks,
P
03-06-2009 08:41 AM
That confirms that enable authentication for system context is done based on enable password and not the tacacs+.
But I am going to check and let you know.
03-06-2009 08:42 AM
BTW, what code are you running on the FWSM?
03-06-2009 09:04 AM
3.2(4), looking to upgrade to 4 in the next month or so.
03-06-2009 09:05 AM
thanks much
P
12-14-2009 06:21 PM
I'm wondering if anyone has found an answer to this. I have the exact same problem where authentication is working to the FWSM but when I try to go into enable mode it uses the password that is configured via the enable secret command and not what is in the ACS server. I tried using the "aaa authentication enable console {LOCAL | server_group [LOCAL]}" but it doesn't seem to work.
Any thoughts?