Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
708
Views
5
Helpful
1
Replies

ASA command Authorization

rdelhaes
Level 1
Level 1

‎03-30-2008 01:09 PM - edited ‎03-11-2019 05:24 AM

Hi, does anyone have some experiance with the ASA and command authorization using a TACACS+ server?

I'm using Cisco ACS 3.3 and ASA5505 with software verson 8.03.

Login authentication for telnet or ssh using tacacs+ works without problems but enable mode authentication doesn't seem te work. When turning on enable mode authentication the user should receive a username and password prompt after typing "enable" on the console but this doesn't happen. I only receive a password prompt and whatever password I use (enable password, user password) it doesn't allow me to go into priviledge mode.

When I turn of enable mode authentication then I can login into another priviledge mode level using the ASA local passwords defined for these respective enable mode levels. Command authorization then seems to work (the login into the privilege mode was done locally but the command authorization still is handled by the ACS server...) but at that point I have lost my original username. Instead of using the original user name it now uses the username "enable_x" were x is the enable mode level used during the login. Well, this is more or less expected behaviour as this is a side effect when enable mode authentication is turned off. But turning it back on doesn't allow me to login into any priviledged mode. I have allowed the enable command within the user Shell Command Authorization set on the ACS server. The log of the ACS server doesn't tell me much either: External DB account Restriction error or CS password invalid error. This seems to be a know cosmetic bug in ACS 3.3.

asa version 8 provides a new command "aaa authorization exec authentication-server" but that doesn't change anything.

The configuration is as follows:

enable password <removed> level 5 encrypted

enable password <removed> encrypted

aaa-server TACACS protocol tacacs+

aaa-server TACACS (inside) host 192.168.1.25

key secretkey

aaa authentication serial console LOCAL

aaa authentication ssh console TACACS LOCAL

aaa authentication telnet console TACACS LOCAL

aaa authentication http console LOCAL

aaa authorization command TACACS

aaa authentication enable console TACACS

Any idea's?

Thanks in advance,

Rico.

Labels:
0 Helpful
1 Reply 1

rdelhaes
Level 1
Level 1

‎03-31-2008 12:27 AM

I found the issue. It turnes out that I need to set the privilege level for all users to level 15 on the ACS server instead of assigning different privilege levels to these users.

Thanks anyway.

Regards, Rico.

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card