ASA command Authorization

Mar 30th, 2008

Hi, does anyone have some experience with the ASA and command authorization using a TACACS+ server?

I'm using Cisco ACS 3.3 and ASA5505 with software version 8.03.

Login authentication for telnet or ssh using tacacs+ works without problems but enable mode authentication doesn't seem to work. When turning on enable mode authentication the user should receive a username and password prompt after typing "enable" on the console but this doesn't happen. I only receive a password prompt and whatever password I use (enable password, user password) it doesn't allow me to go into privilege mode.

When I turn off enable mode authentication then I can log in to another privilege mode level using the ASA local passwords defined for these respective enable mode levels. Command authorization then seems to work (the login into the privilege mode was done locally but the command authorization still is handled by the ACS server...) but at that point I have lost my original username. Instead of using the original user name it now uses the username "enable_x" where x is the enable mode level used during the login. Well, this is more or less expected behaviour as this is a side effect when enable mode authentication is turned off. But turning it back on doesn't allow me to log in to any privileged mode. I have allowed the enable command within the user Shell Command Authorization set on the ACS server. The log of the ACS server doesn't tell me much either: External DB account Restriction error or CS password invalid error. This seems to be a known cosmetic bug in ACS 3.3.

ASA version 8 provides a new command "aaa authorization exec authentication-server" but that doesn't change anything.

The configuration is as follows:

enable password <removed> level 5 encrypted
enable password <removed> encrypted
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 192.168.1.25
key secretkey
aaa authentication serial console LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication http console LOCAL
aaa authorization command TACACS
aaa authentication enable console TACACS

Any ideas?

Thanks in advance,

Rico.

rdelhaes Mon, 03/31/2008 - 00:27

I found the issue. It turns out that I need to set the privilege level for all users to level 15 on the ACS server instead of assigning different privilege levels to these users.

Thanks anyway.

Regards, Rico.
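An added example, not part of the thread and not an ASA or ACS feature: a small Python check over an ASA AAA configuration fragment like the one Rico posted. It flags the situation he describes, where `aaa authorization command` points at a TACACS+ group but enable-mode authentication is absent or uses a different method, so the ACS sees `enable_<level>` instead of the login username. The sample configuration is constructed from the lines in the question.

```python
import re

# Constructed sample: the AAA-relevant lines from the configuration posted above.
SAMPLE_CONFIG = """\
enable password <removed> level 5 encrypted
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 192.168.1.25
aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication http console LOCAL
aaa authorization command TACACS
"""

# Pull server groups, per-service method lists and the command-authz group from a config fragment.
def parse_aaa(config):
    groups, auth, cmd_authz = set(), {}, None
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"aaa-server (\S+) protocol (\S+)$", line)
        if m:
            groups.add(m.group(1))
        m = re.match(r"aaa authentication (\S+) console (.+)$", line)
        if m:
            auth[m.group(1)] = m.group(2).split()   # e.g. ssh -> ["TACACS", "LOCAL"]
        m = re.match(r"aaa authorization command (\S+)$", line)
        if m:
            cmd_authz = m.group(1)
    return {"groups": groups, "auth": auth, "cmd_authz": cmd_authz}

# Hypothetical audit: does the username reaching command authorization match the login username?
def audit(config):
    p = parse_aaa(config)
    g = p["cmd_authz"]
    if g is None:
        return ["no 'aaa authorization command': commands are not authorized centrally"]
    findings = []
    if g != "LOCAL" and g not in p["groups"]:
        findings.append(f"command authorization uses undefined server group {g}")
    enable = p["auth"].get("enable")
    if enable is None:
        findings.append("no enable authentication: after 'enable' the session is "
                        "authorized as enable_<level>, not the login username")
    elif enable[0] != g:
        findings.append(f"enable authenticates via {enable[0]} but commands via {g}")
    for svc in ("ssh", "telnet"):
        if g != "LOCAL" and g not in p["auth"].get(svc, []):
            findings.append(f"{svc} login does not use {g}: no matching username")
    return findings
```

The ACS-side fix Rico found (privilege level 15 for the users) is not visible in the ASA configuration, so this check covers only the ASA half of the setup.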
