aaa authentication enable console (server_name) password issue

Unanswered Question
Jun 17th, 2008

Here is the problem I am experiencing and I hope someone out there is able to help:

I have an ASA5510 (running software Version 8.0(3)). I have enabled remote authentication to our company's TACACS server (which is running the open source TACACS supplied by Cisco).

The problem is as follows:

I can telnet to the appliance remotely and, using my username and password (configured on the TACACS server), I am authenticated. But after entering enable I am prompted with the password prompt, and I cannot get past this prompt. I have tried the same password I previously entered at the telnet prompt and it failed; the local enable password fails as well. Any suggestions?

aaa-server (server_name) protocol tacacs+
aaa-server (server_name) (interlinkport) host (Address)
 key (password)
aaa authentication enable console (server_name) LOCAL
aaa authentication enable console (server_name) LOCAL
aaa authentication http console (server_name) LOCAL
aaa authentication serial console (server_name) LOCAL
aaa authentication ssh console (server_name) LOCAL
aaa authentication telnet console (server_name) LOCAL
aaa accounting command privilege 15 (server_name)
aaa authorization exec authentication-server

Farrukh Haroon Tue, 06/17/2008 - 02:33

telnet password = passwd command

enable password = enable command

Try one thing, either remove

aaa authentication enable console (server_name) LOCAL

or change it to:

aaa authentication enable console LOCAL

Then try putting the 'local' enable password at the password prompt.

Regards

Farrukh

stancred Tue, 06/17/2008 - 03:20

Farrukh - Sorry, I should have mentioned this earlier that I had executed your recommendation and it does work. But I don't want our engineering team having to refer to paperwork for the enable password.

That is why I want the enable password to be authenticated by the TACACS.

I believe that the problem is with the parameter on the TACACS server. But I do not know all the syntax that needs to be entered.

I believe that there must be an additional parameter for the enable privilege.

Farrukh Haroon Tue, 06/17/2008 - 03:43

Yes I just wanted to double check and rule out every thing else. Which AAA server are you using?

Regards

Farrukh

stancred Tue, 06/17/2008 - 04:19

My management team informs me that it is open source TACACS supplied by Cisco. I am not sure what version and I am unable to find out until tomorrow as it is 10:30pm local time.

What other info would you like?

kyliem Tue, 06/17/2008 - 16:20

Farrukh, that is correct we are (stancred and I) using the 'free tacacs' as you suggested.

Group Definitions:

group = engineer {
    default service = permit
    service = exec {
        # logout after n mins idle
        idletime = 15
        # grant access level 15
        priv-lvl=15
    }
}

And User definitions:

user = {
    login = cleartext
    member = engineer
}

Farrukh Haroon Tue, 06/17/2008 - 17:43

Do you have this at the top of your file, as per the cisco.com link I sent earlier?

# Enable password setup for everyone:
user = $enable$ {
    login = cleartext "cisco"
}

Please note there is a slight difference between the PIX and IOS routers: the privilege level feature was never properly implemented in PIX firewalls. So you might need to set up an enable password as above.

Regards

Farrukh

stancred Tue, 06/17/2008 - 04:38

I will try this tomorrow. Just so you know, the same username and password work on Cisco routers. I have no trouble telneting in and accessing the enable mode.

aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!

Farrukh Haroon Tue, 06/17/2008 - 05:07

You aren't authenticating the enable password via AAA.

That would require a:

aaa authentication enable ....

Regards

Farrukh

michael.leblanc Tue, 06/17/2008 - 11:35

With respect to your comments:

"I believe that the problem is with the parameter on the TACACS server. But I do not know all the syntax that needs to be entered.

I believe that there must be an additional parameter for the enable privilege."

... I understand you are NOT using Cisco Secure ACS, however, the following requirement may exist in your scenario as well:

When configuring enable authentication on a CSACS, you would need to specify "Max Privilege" (i.e.: Level 15) in the "TACACS+ Enable Control" section of "Advanced TACACS+ Settings" for the User's account.

When the AAA Client sends an authentication request to the TACACS server, the "Privilege Level" AV pair is specified. I would expect this criteria to be compared to the user's configuration (i.e.: Max Privilege).

cisco24x7 Tue, 06/17/2008 - 17:54

I think I can help you here since I've been using Cisco Freeware TACACS+ for almost 7 years now. I am not an expert, just enough to be dangerous.

Since the code is open-source, each company uses it differently; however, there is one thing that will always be true. That would be the enable.c file, which is a C program. You would need to modify this file so that EVERYONE can have his/her own enable password, just like Cisco ACS running on Windows platforms.

The configuration file would look something like this:

accounting file = /var/log/tac_plus.log
key = zFgGkIooIsZ.Q
user = cciesec {
    member = admin
    name = "ccie security"
    login = cleartext "cciesec"
}
user = $cciesec$ {
    member = admin
    name = "ccie security"
    login = cleartext "cciesec1"
}
group = admin {
    default service = permit
}

On the Pix:

aaa-server NEO protocol tacacs+
aaa-server NEO (outside) host 192.168.15.10
 timeout 5
 key cciesec
aaa authentication ssh console NEO LOCAL
aaa authentication enable console NEO LOCAL

Here is the login sequence:

[[email protected] root]# ssh -l cciesec 192.168.0.25
The authenticity of host '192.168.0.25 (192.168.0.25)' can't be established.
RSA key fingerprint is c2:48:15:85:92:7f:56:15:a8:0f:80:d9:88:50:fd:1c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.25' (RSA) to the list of known hosts.
[email protected]'s password:
Type help or '?' for a list of available commands.
CiscoPix> en
Password: ********
CiscoPix#

In other words, my initial password is "cciesec" and my enable password is "cciesec1". Another user "tom" will have his own login and enable password.

Simple enough?

kyliem Tue, 06/17/2008 - 20:22

Hi cisco24x7

Looking at the enable.c file as suggested, I can see the section for $enable$ or $enab15$ - I assume this is what you are referencing when you mention that we would need to add each user (i.e. to be tested within the code).

Stupid question - I assume that I would need to compile this code once modifications have been made? And as such this is not able to be dynamically updated?

Our environment will not allow for a 'default' enable password across all devices. At most we could specify a default per 'group' of devices (i.e. per Customer).

Farrukh - As suggested, the below config works - however, as per my above post, it is not acceptable to have a default enable password across all devices (or all PIXes).

# Enable password setup for everyone:
user = $enable$ {
    login = cleartext "cisco"
}

Thanks

Kylie

Farrukh Haroon Wed, 06/18/2008 - 00:10

Then you need to go with the solution presented by Cisco24X7. You might find compiling help at the link I posted earlier.

Regards

Farrukh

cisco24x7 Wed, 06/18/2008 - 03:02

My solution allows everyone to have both his/her own unique exec and enable password. NO PASSWORD SHARING, just like Cisco ACS. With Freeware TACACS+, you have ACL in the configuration to block certain users from accessing certain devices. In other words, you can do just about whatever you want.

Last but not least, every time you make a change in the configuration, you have to restart the tac_plus. That's really easy. I have multiple tacacs servers and I only make changes to the master tacacs server configuration files. Since mine is running on Linux, I can do "service tac_plus restart" or set a cron job to run every 4 hours to restart the tac_plus service. The restart takes about 2 seconds. Furthermore, I also set up another cron to copy the master file over to the other tacacs servers as well, via Secure Copy, very secure. That way I can achieve redundancy in case my primary tacacs server goes down, which is very unlikely (This is NOT a Windows environment). The best thing is that all of this is FREE.

One more thing, you can compile the code to use One-time Password In Everything (OPIE) as well. Think of it like two-factor authentication. In this day and age, sharing an enable password is a security violation, IMHO.

stancred Wed, 06/25/2008 - 01:50

The problem has been rectified; it was the setting in our TACACS server.

Hi,

I also have the same issues as you've described, i.e. when logging into a PIX I can authenticate against tac_plus during first level ssh or telnet authentication, but it won't authenticate with the same user's password when attempting to enter enable mode. Michael mentioned above that ACS uses the Max Privilege attributes to achieve what we want, so I'm assuming that some related configuration is required in tac_plus.

It would be great if you can share the tacacs server config setting you used to get it working.

Thanks,

Matt

Farrukh Haroon Sat, 08/09/2008 - 21:29

You don't need to set the "Max Privilege for any AAA Client", but actually need to set the "Privilege Level" = 15. If you want you can set both to 15. The first option kicks in when you use 'aaa authentication enable....' and the second one when you use 'aaa authorization exec....'.

Regards

Farrukh

Thanks Farrukh,

I'm familiar with those settings in ACS, however as the company I now work for uses the freeware tac_plus I need to know the corresponding commands in tac_plus. Steve Tancred (stancred) mentioned above that he now has a solution, so I would be interested in his tac_plus config if available. Specifically I'm after the enable related commands.

Regards,

Matt

cisco24x7 Sun, 08/10/2008 - 05:27

This will work:

accounting file = /var/log/tac_plus.log
key = zFgGkIooIsZ.Q
user = cciesec {
    member = admin
    name = "ccie security"
    login = cleartext "cciesec"
}
user = $cciesec$ {
    member = admin
    name = "ccie security"
    login = cleartext "cciesec1"
}
group = admin {
    default service = permit
}
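An added check, written for this page and not code from the thread or the tac_plus project, that the per-user layout cisco24x7 describes is actually complete: it parses a tac_plus.conf, pairs each login user with its "$user$" enable entry, and reports who would be stuck at the enable prompt (no own entry) or depend on a shared "$enable$" password. SAMPLE_CONF is a constructed sample, and the parser assumes each top-level block opens on its own line.

```python
import re
# Constructed tac_plus.conf in the thread's per-user layout: login user "name"
# has a "$name$" entry for the enable prompt; "tom" lacks one, so enable fails.
SAMPLE_CONF = """
user = cciesec {
    login = cleartext "cciesec"
}
user = $cciesec$ {
    login = cleartext "cciesec1"
}
user = tom {
    login = cleartext "tom-login"
}
group = admin {
    service = exec {
        priv-lvl = 15
    }
}
"""
BLOCK_RE = re.compile(r'^(user|group)\s*=\s*(\S+)\s*\{')

def top_level_blocks(conf):
    # Map (kind, name) -> body lines of each top-level user/group block.
    blocks, current, depth = {}, None, 0
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if current is None:
            if m := BLOCK_RE.match(line):
                current, depth = (m.group(1), m.group(2)), 1
                blocks[current] = []
            continue
        depth += line.count('{') - line.count('}')   # nested service/cmd blocks
        if depth == 0:
            current = None                           # top-level block closed
        else:
            blocks[current].append(line)
    return blocks

def enable_report(conf):
    # Split login users by whether the enable prompt can be satisfied.
    names = {n for kind, n in top_level_blocks(conf) if kind == 'user'}
    is_enable = lambda n: len(n) > 2 and n.startswith('$') and n.endswith('$')
    enable_names = {n[1:-1] for n in names if is_enable(n)}
    return {
        'per_user': sorted(n for n in names if not is_enable(n) and n in enable_names),
        'no_own_enable': sorted(n for n in names if not is_enable(n) and n not in enable_names),
        'shared_default': 'enable' in enable_names,  # $enable$ fallback present?
    }
```

Run against a real tac_plus.conf, a non-empty 'no_own_enable' list with 'shared_default' False is exactly the symptom the thread describes: the login succeeds and the enable prompt has nothing to check against.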

Jeremiah Lew Da... Thu, 03/13/2014 - 20:43

Hi,


I'm using tac_plus... I also have this kind of problem.

Below is the group = networkadmin which I've configured.

Is there anything that I should add here under tac_plus.conf?

group = networkadmin {
        # group members who don't have their own login password will be
        # looked up in /etc/passwd
        #login = file /etc/passwd

        default service = permit
        login = PAM

        # group members who have no expiry date set will use this one
        #expires = "Jan 1 1997"

        # only allow access to specific routers
        acl = default


        # Needed for the router to make commands available to user (subject
        # to authorization if so configured on the router
        service = exec {
                priv-lvl = 15
                #default service = permit
        }
        cmd = exit {
                permit .*
        }
}
