TACACS config for PIX & ASA

Anand Narayana
Level 6

I am struggling to configure TACACS to allow authentication via Cisco ACS. I was able to configure it for the 2950 and 3750 switches but not for the ASA and PIX. Can anyone let me know the configs?

4 Replies

Collin Clark
VIP Alumni

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ host [ACS IP Address]
 key SeReTpAsSwOrD
aaa-server RADIUS protocol radius
aaa authentication ssh console TACACS+ LOCAL
aaa authentication http console TACACS+
aaa authentication serial console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL

This also includes using ACS for enable mode. Remove the following line to allow local password for enable mode.

aaa authentication enable console TACACS+ LOCAL

HTH

Thanks for the reply. I will have a downtime window and will let you know the result :-)

I am actually looking for a command similar to the one I used on the Cisco 2950/3750:

aaa new-model
aaa authentication login default group tacacs+ enable local
aaa authentication enable default group tacacs+ enable
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+

With these commands I was able to track every command the user ran, logged with the username I configured on TACACS. With the command you sent me ("aaa-server TACACS+ host ...") I was able to log in with the TACACS username, but it is not accounting all the details like login and logout time, the commands the user issued, etc.

With the PIX/ASA it's a little goofy. The command is

aaa authentication enable console TACACS+ LOCAL

This command also sets the enable mode password to ACS. You need to make sure you have some sort of auth for enable mode in ACS. You will then have accounting with the username instead of priv_15.

HTH
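As an added example (not from this thread, and not Cisco's own documentation), the two answers above combined into one ASA/PIX 7.x-style configuration that also covers the accounting Anand asked about. It goes beyond the thread in two places: the `key` is placed where the ASA parser expects it, as a subcommand of the `aaa-server ... host` entry, and `aaa accounting` lines are added so that session and command records reach the same TACACS+ group, which is the PIX/ASA counterpart of the IOS `aaa accounting exec/commands ... start-stop` lines. The server tag `TACACS+` is the one used above; the ACS address, shared secret and local fallback account are placeholders.

```cisco
! Added example ASA configuration (not from the thread); values in angle brackets are placeholders.
! Server group: the tag "TACACS+" matches the replies above; "key" must be entered under the host.
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ host <ACS-IP-ADDRESS>
 key <SHARED-SECRET>
!
! Local fallback account. LOCAL is consulted only when every server in the group is
! unreachable, so this user must exist or a TACACS outage locks you out of the box.
username <local-admin> password <LOCAL-PASSWORD> privilege 15
!
! Authentication for each management path, falling back to LOCAL on server failure.
aaa authentication ssh console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
! Enable authentication through ACS is what makes records carry the TACACS username
! instead of the generic enable identity (see the reply above).
aaa authentication enable console TACACS+ LOCAL
!
! Command authorization: every command is checked against the ACS command sets.
! The ACS account needs a shell/exec profile that allows the commands you rely on.
aaa authorization command TACACS+ LOCAL
!
! Accounting: the piece missing from the config posted above. Session start/stop
! (login and logout time) per access path, plus one record per command issued.
aaa accounting ssh console TACACS+
aaa accounting serial console TACACS+
aaa accounting enable console TACACS+
aaa accounting command TACACS+
!
! Verify before "write memory", from a second session kept open during the change:
!   test aaa-server authentication TACACS+ host <ACS-IP-ADDRESS> username <user> password <pw>
!   show aaa-server TACACS+
```

Apply the `aaa authorization command` line last and from a second, already-authenticated session: if the ACS command set denies the commands you need, the open session is the only way back in without the LOCAL fallback.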
