TACACS config for PIX & ASA

Feb 25th, 2008

I am struggling to configure TACACS to allow authentication via Cisco ACS. I was able to configure it for the 2950 and 3750 switches, but not for the ASA & PIX. Can anyone let me know the configs?

Collin Clark Mon, 02/25/2008 - 03:45
! Define the TACACS+ server group and the ACS host (replace with the ACS address)
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ host [ACS IP Address]
 key SeReTpAsSwOrD
! A RADIUS group is defined here as well, though nothing below uses it
aaa-server RADIUS protocol radius
! Management-plane authentication: ask ACS first, fall back to LOCAL users if ACS is unreachable
aaa authentication ssh console TACACS+ LOCAL
aaa authentication http console TACACS+
aaa authentication serial console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
! Per-command authorization against ACS, LOCAL fallback
aaa authorization command TACACS+ LOCAL

This also includes using ACS for enable mode. Remove the following line to allow a local password for enable mode.

aaa authentication enable console TACACS+ LOCAL

HTH


Anand Narayana Mon, 02/25/2008 - 04:03
Thanks for the reply, will have a down time & will let you know the result :-)

Anand Narayana Mon, 02/25/2008 - 22:21
I am actually looking for commands similar to those I used on the Cisco 2950/3750:

aaa new-model
! Login: try TACACS+, then the enable password, then local accounts
aaa authentication login default group tacacs+ enable local
aaa authentication enable default group tacacs+ enable
! EXEC and command authorization; if-authenticated lets an already-authenticated user proceed when the server does not respond
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
! Accounting: session start/stop and per-command records sent to TACACS+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

With these commands I was able to track the commands each user issued; the logs carry the user name I configured on TACACS. With the commands you sent me I was able to log in with the TACACS user name ("aaa-server TACACS+ host "), but it is not accounting all the details like login & logout time, the commands the user issued, etc.

Collin Clark Tue, 02/26/2008 - 06:32
With the PIX/ASA it's a little goofy. The command is

aaa authentication enable console TACACS+ LOCAL

This command also sets the enable mode password to ACS. You need to make sure you have some sort of auth for enable mode in ACS. You will then have accounting with the username instead of priv_15.

HTH
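Added example, not from any post in this thread: the ASA/PIX accounting statements that complement the authentication lines above, so that session start/stop and per-command records reach ACS under the logged-in user name. The server tag TACACS+ and key follow Collin's config; the ACS address 192.0.2.10 and the interface name (inside) are placeholders.

```text
! Server group and ACS host (address and interface are placeholders)
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.0.2.10
 key SeReTpAsSwOrD
!
! Authentication with LOCAL fallback, including enable mode so that
! accounting records carry the ACS user name rather than a shared privilege
aaa authentication ssh console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
!
! Per-command authorization against the ACS command sets, LOCAL fallback
aaa authorization command TACACS+ LOCAL
!
! Accounting: start/stop records for each management session ...
aaa accounting ssh console TACACS+
aaa accounting serial console TACACS+
aaa accounting enable console TACACS+
! ... and a record for every command entered; add "privilege <n>" before
! the server tag to account only for commands at or above that level
aaa accounting command TACACS+
```

On the ACS side the accounting reports are what show login and logout times and the issued commands per user; with no accounting lines on the firewall, ACS only ever sees the authentication attempts.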
