Hi, does anyone have some experiance with the ASA and command authorization using a TACACS+ server?
I'm using Cisco ACS 3.3 and ASA5505 with software verson 8.03.
Login authentication for telnet or ssh using tacacs+ works without problems but enable mode authentication doesn't seem te work. When turning on enable mode authentication the user should receive a username and password prompt after typing "enable" on the console but this doesn't happen. I only receive a password prompt and whatever password I use (enable password, user password) it doesn't allow me to go into priviledge mode.
When I turn of enable mode authentication then I can login into another priviledge mode level using the ASA local passwords defined for these respective enable mode levels. Command authorization then seems to work (the login into the privilege mode was done locally but the command authorization still is handled by the ACS server...) but at that point I have lost my original username. Instead of using the original user name it now uses the username "enable_x" were x is the enable mode level used during the login. Well, this is more or less expected behaviour as this is a side effect when enable mode authentication is turned off. But turning it back on doesn't allow me to login into any priviledged mode. I have allowed the enable command within the user Shell Command Authorization set on the ACS server. The log of the ACS server doesn't tell me much either: External DB account Restriction error or CS password invalid error. This seems to be a know cosmetic bug in ACS 3.3.
asa version 8 provides a new command "aaa authorization exec authentication-server" but that doesn't change anything.
The configuration is as follows:
enable password <removed> level 5 encrypted
enable password <removed> encrypted
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 192.168.1.25
aaa authentication serial console LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication http console LOCAL
aaa authorization command TACACS
aaa authentication enable console TACACS
Thanks in advance,