ASA multiple context aaa authentication enable

marko.keca
Level 1

Hello!

We have ASA with software 7.2.4 configured for AAA on ACS v4.2.

Configuration is as follows:

aaa-server TAC protocol tacacs+
aaa-server TAC (mgmt) host 192.168.1.11
key cisco
aaa-server RAD protocol radius
key cisco
aaa-server RAD (mgmt) host 192.168.1.11
aaa authentication http console RAD LOCAL
aaa authentication serial console RAD LOCAL
aaa authentication ssh console RAD LOCAL
aaa authentication enable console TAC LOCAL
aaa authorization command TAC LOCAL
aaa accounting ssh console TAC
aaa accounting command TAC

Everything is working fine except access to privileged mode when connecting over the console port. Console port authentication is working OK.

Because of multiple contexts, after logging in we enter the System context.

After issuing the "enable" command, the ASA accepts only the enable secret configured in the system context and changes the user ID to enable_15, so we are unable to do user-level command authorization and accounting.

It seems that the ASA in the system context is not aware of any AAA configuration, and there isn't any command to configure AAA in the system context.

Is there any way to configure enable authentication over AAA in the system context?

Thanks in advance!

Marko

2 Replies

ebreniz
Level 6

Your security appliance is possibly already configured for multiple security contexts dependent upon how you ordered it from Cisco, but if you upgrade, you might need to convert from single mode to multiple mode. This section explains the procedures to upgrade. ASDM does not support changing modes, so you need to change modes with the CLI.

When you convert from single mode to multiple mode, the security appliance converts the running configuration into two files. The original startup configuration is not saved, so, if it differs from the running configuration, you must back it up before you proceed.

Hello!

I assume that you misunderstood my question. Our appliance is running in multiple context mode, and AAA in the context is configured as it should be (see the configuration in the first post).

The problem is, if you log into the ASA over the console port, you can enter enable mode with user credentials only if you have users defined locally in the System space. In the System space you can't define AAA commands.

Kind regards,

--

Marko
