974 Views, 0 Helpful, 5 Replies

Authentication ASA/PIX Telnet/SSH access using ACS

alecchris
Level 1

I am trying to get our ACS to authenticate login sessions to our PIX and ASA devices. Can anyone provide a sample configuration that will push all access to these devices to the ACS for TACACS+? The ACS has been configured and is ready for authentication based on username credentials; it is just the configuration on the firewall I am having problems with.

Thanks in advance for any help :- )

5 Replies

roshan.maskey
Level 1

Assuming the following:

ACS-SERVER-IP: 172.16.10.25
ACS-SERVER-NAME: TLS-ACS5
ACS-ASA shared secret: mysecret
user-in-acs: myfirewall
password: myasa

Run these commands on the ASA:

aaa-server TLS-ACS5 protocol tacacs+
aaa-server TLS-ACS5 (inside) host 172.16.10.25
 key mysecret
aaa authentication ssh console TLS-ACS5 LOCAL
aaa authentication telnet console TLS-ACS5 LOCAL

Test authentication:

test aaa authentication TLS-ACS5 host 172.16.10.25 username myfirewall password myasa

The test result should come back OK.

Hi, thanks for that.

I have tested this on a PIX and everything worked!

Hi Roshan,

Can you advise how I might go about authenticating access to exec-privilege mode on the FW against the ACS? I cannot find any configuration examples.

Hi,

After having another look at this this morning, the command "aaa authentication enable console TLS-ACS5 LOCAL" can be used to authenticate the user's exec-privilege password against TACACS+.

:-)

On testing the above even further, I seem to have an issue...

With the following configuration loaded:

aaa-server TLS-ACS5 protocol tacacs+
aaa-server TLS-ACS5 (inside) host 10.0.20.200
 key passme123
aaa authentication ssh console TLS-ACS5 LOCAL
aaa authentication telnet console TLS-ACS5 LOCAL
aaa authentication enable console TLS-ACS5 LOCAL

With the PIX in communication with the ACS the above works well, with me successfully logging in with credentials added to the ACS.

On testing this further, I have taken the link down between the PIX and the ACS (to recreate a failure scenario). I can still log in using the internal (LOCAL) username and password. This seems to work fine; however, if I try to access exec-privilege mode (i.e. enable), the PIX does not accept the enable password added to the configuration; instead it prefers the same password used for creating the initial user.

username admin-user password adminpass123 encrypted
enable password enablepass123 encrypted

For example, with the above lines in the running configuration of the PIX, I can log in to the PIX using admin-user and enter the password adminpass123. However, if I then try to access exec-privilege mode (i.e. enable), the PIX does not accept the password "enablepass123" but does accept "adminpass123"... this is even with "aaa authentication enable console TLS-ACS5 LOCAL" added to the running configuration.

Has anyone else seen this issue on a PIX/FW? Am I missing something from my configuration? Does anyone know of a workaround to this issue, or is it just something I have to live with?
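A small audit script, added here as an example rather than code from Cisco or from anyone in this thread, that parses the AAA lines of an ASA/PIX running-config like the ones posted above (Roshan's ssh/telnet configuration and the later enable configuration) and reports how each management-access path will authenticate: which aaa-server group it uses, whether that group is actually defined, whether a LOCAL fallback exists for when the ACS is unreachable, and, for the enable case, that the LOCAL fallback is in effect at all (the situation the last post describes, where the fallback accepts the user's own login password rather than the configured enable password). The sample config is constructed for the example and modelled on the thread; the function names and the exact finding strings are my own.

```python
import re
from typing import Dict, List

# Constructed sample running-config fragment, modelled on the thread (not a real device).
SAMPLE_CONFIG = """\
aaa-server TLS-ACS5 protocol tacacs+
aaa-server TLS-ACS5 (inside) host 10.0.20.200
 key passme123
aaa authentication ssh console TLS-ACS5 LOCAL
aaa authentication telnet console TLS-ACS5 LOCAL
aaa authentication enable console TLS-ACS5 LOCAL
username admin-user password adminpass123 encrypted
enable password enablepass123 encrypted
"""

# "aaa authentication <access> console <group> [LOCAL]"
AUTH_RE = re.compile(r"^aaa authentication (\S+) console (\S+)(?: (LOCAL))?\s*$")
# "aaa-server <group> protocol <proto>"
SERVER_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)")

# Management-access paths we expect to see covered by AAA.
ACCESS_PATHS = ("ssh", "telnet", "enable")


def parse_aaa(config: str) -> Dict:
    """Extract aaa-server groups and per-access authentication settings."""
    servers: Dict[str, str] = {}
    auth: Dict[str, Dict] = {}
    for raw in config.splitlines():
        line = raw.strip()
        m = SERVER_RE.match(line)
        if m:
            servers[m.group(1)] = m.group(2)  # group name -> protocol
            continue
        m = AUTH_RE.match(line)
        if m:
            auth[m.group(1)] = {
                "group": m.group(2),
                "local_fallback": m.group(3) == "LOCAL",
            }
    return {"servers": servers, "auth": auth}


def audit_aaa(config: str) -> List[str]:
    """Return human-readable findings about management-plane authentication."""
    parsed = parse_aaa(config)
    findings: List[str] = []
    for access in ACCESS_PATHS:
        entry = parsed["auth"].get(access)
        if entry is None:
            findings.append(
                f"{access}: no 'aaa authentication {access} console' line; "
                f"this path is not authenticated against the ACS"
            )
            continue
        group = entry["group"]
        if group != "LOCAL" and group not in parsed["servers"]:
            findings.append(f"{access}: references undefined aaa-server group {group}")
        if group != "LOCAL" and not entry["local_fallback"]:
            findings.append(
                f"{access}: no LOCAL fallback; management lockout if {group} is unreachable"
            )
        if access == "enable" and group != "LOCAL" and entry["local_fallback"]:
            findings.append(
                "enable: LOCAL fallback in effect; when the ACS is unreachable the "
                "local username's password, not 'enable password', is what is checked "
                "(as observed in this thread), so keep local account passwords strong"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_aaa(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved `show running-config` to see at a glance which paths fall back to local credentials when the TACACS+ server is down; the one finding it raises on the sample is the enable-fallback note, which matches the behaviour reported above.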