Solved: ASA 5525X AAA login to EXEC mode through ISE

jkuehl · ‎12-09-2015

I am using ISE 2.0 and have created a Policy to login to our ASA 5525X running ver 9.5.2 using SSH.

I can login into the ASA to user exec mode, then use enable and type on my password again to get into priv exec mode.

I would like to type in one username and password to get into priv exec mode directly.

This is what I have on our ASA

aaa-server vpnISE protocol radius
authorize-only
dynamic-authorization
aaa-server vpnISE (inside) host IP ADDRESS
key *****

aaa-server vpnISE protocol radius
aaa-server vpnISE (inside) host IP ADDRESS
aaa authentication serial console LOCAL
aaa authentication ssh console vpnISE LOCAL
aaa authentication http console LOCAL
aaa authentication enable console vpnISE LOCAL

aaa authorization exec authentication-server auto-enable

I have a Authorization Profile

ASA_Access

Access Type = ACCESS_ACCEPT
cisco-av-pair = shell:priv-lvl=15

The authentication policy is PAP_ASCII for AD and Local

The authorization policy:

nas-port-type: Virtual

network access protocol: Radius

When i attempt to login with this setup it says that password authentication failed. When i check the Logs i am seeing that i my authentication succeeded.

Am I need to change my attributes to something else to make this work.

nspasov · ‎12-16-2015

Two questions:

1. Have you confirmed that the appropriate rule is now being hit in ISE

2. Are you sending back the correct RADIUS attribute? For ASAs you need to return back:

Radius:Service-Type = Administrative

Thank you for rating helpful posts!

View solution in original post

nspasov · ‎12-15-2015

I have this working fine with my 5506 and ISE. The configs look correct too. When do you get the "password authentication failed" ? Also, can you post some debugs from radius and aaa

Thank you for rating helpful posts!

jkuehl · ‎12-16-2015

when i try and log in the Policy that is being hit is my VPN policy.

This is new after i have completely redone my VPN connection with ISE.

I am working on trying to sort out the Authorization rule now to separate the two.

jkuehl · ‎12-16-2015

After moving the Auth rule higher i am able to get the following from debug.

Dec 16 2015 10:52:21 10.10.200.254 : %ASA-6-113004: AAA user authentication Successful : server = 10.10.20.56 : user = jasonkuehl
Dec 16 2015 10:52:21 10.10.200.254 : %ASA-6-113008: AAA transaction status ACCEPT : user = jasonkuehl
Dec 16 2015 10:52:21 10.10.200.254 : %ASA-3-113021: Attempted console login failed user 'jasonkuehl' did NOT have appropriate Admin Rights.
Dec 16 2015 10:52:21 10.10.200.254 : %ASA-6-611102: User authentication failed: IP address: 10.70.24.55, Uname: *****

nspasov · ‎12-16-2015

Two questions:

1. Have you confirmed that the appropriate rule is now being hit in ISE

2. Are you sending back the correct RADIUS attribute? For ASAs you need to return back:

Radius:Service-Type = Administrative

Thank you for rating helpful posts!

jkuehl · ‎12-17-2015

I was not use that Radius attribute. I was still using cisco-av-pair = shell:priv-lvl=15.

I have changed to this attribute and everything is working correctly.

bern81 · ‎03-07-2019

Hi Nspasov,

I have the same issue when accessing ASA as admin, i always have to type the enable password to go to exec-mode #
But looking to jkuel config i see he is using Radius and not TACACs for admin access.
Can you please advise how to fix this using TACACS?