TACACS config for PIX & ASA

Unanswered Question
Feb 25th, 2008

I am struggling to configure TACACS to allow authentication via Cisco ACS. I was able to configure it for the 2950 and 3750 switches, but not for the ASA & PIX. Can anyone let me know the configs?

Collin Clark Mon, 02/25/2008 - 03:45

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ host [ACS IP Address]
key SeReTpAsSwOrD
aaa-server RADIUS protocol radius
aaa authentication ssh console TACACS+ LOCAL
aaa authentication http console TACACS+
aaa authentication serial console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL

This also includes using ACS for enable mode. Remove the following line to allow local password for enable mode.

aaa authentication enable console TACACS+ LOCAL

HTH

Anand Narayana Mon, 02/25/2008 - 22:21

I am actually looking for a similar command to what I used on the Cisco 2950/3750:

aaa new-model
aaa authentication login default group tacacs+ enable local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

With these commands I was able to track the commands the user has used, with logs carrying the user name which I configured on TACACS. With the commands you sent me I was able to log in with the TACACS user name ("aaa-server TACACS+ host"), but it is not accounting all the details like login & logout time, the commands the user has issued, etc.

Collin Clark Tue, 02/26/2008 - 06:32

With the PIX/ASA it's a little goofy. The command is

aaa authentication enable console TACACS+ LOCAL

This command also sets the enable mode password to ACS. You need to make sure you have some sort of auth for enable mode in ACS. You will then have accounting with the username instead of priv_15.

HTH
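Added example (not from the thread or from Cisco): a small Python audit that reads an ASA config excerpt and reports which of the AAA lines discussed above are present, flags authentication lines that have no LOCAL fallback (a lockout risk if the ACS is unreachable), and checks for the accounting lines that Anand's missing login/command records point to. The sample config and its ACS address are constructed, and the two `aaa accounting ... TACACS+` patterns are assumed ASA syntax that the thread itself never shows.

```python
import re

# Constructed sample: Collin's ASA snippet with a made-up ACS address.
SAMPLE_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ host 192.0.2.10
 key SeReTpAsSwOrD
aaa-server RADIUS protocol radius
aaa authentication ssh console TACACS+ LOCAL
aaa authentication http console TACACS+
aaa authentication serial console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
"""

# (description, regex that must match at least one config line)
REQUIRED = [
    ("ssh login via TACACS+ with LOCAL fallback",
     r"^aaa authentication ssh console TACACS\+ LOCAL$"),
    ("enable mode via TACACS+ (accounting then shows the real user)",
     r"^aaa authentication enable console TACACS\+"),
    ("command authorization via TACACS+",
     r"^aaa authorization command TACACS\+"),
    ("command accounting to TACACS+ (assumed ASA syntax)",
     r"^aaa accounting command TACACS\+"),
    ("ssh session accounting to TACACS+ (assumed ASA syntax)",
     r"^aaa accounting ssh console TACACS\+"),
]


def _lines(config: str) -> list:
    return [ln.strip() for ln in config.splitlines() if ln.strip()]


def audit_aaa(config: str) -> dict:
    """Map each REQUIRED description to whether its line is present."""
    lines = _lines(config)
    return {desc: any(re.match(pat, ln) for ln in lines)
            for desc, pat in REQUIRED}


def missing(config: str) -> list:
    """Descriptions of REQUIRED lines absent from the config."""
    return [desc for desc, ok in audit_aaa(config).items() if not ok]


def no_fallback(config: str) -> list:
    """Authentication lines that name a server group but no LOCAL fallback."""
    return [ln for ln in _lines(config)
            if ln.startswith("aaa authentication ") and ln.split()[-1] != "LOCAL"]
```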
