aaa authentication enable console (server_name) password issue

stancred
Level 1

Here is the problem I am experiencing, and I hope someone out there is able to help:

I have an ASA5510 (running software Version 8.0(3)). I have enabled remote authentication to our company's TACACS server (which is running the open-source TACACS supplied by Cisco).

The problem is as follows:

I can telnet to the appliance remotely and, using my username and password (configured on the TACACS server), I am authenticated. But after entering enable, I am prompted with the password prompt, and I cannot get past this prompt. I have tried the same password as I previously entered at the telnet prompt and it failed; the local enable password fails as well. Any suggestions?

aaa-server (server_name) protocol tacacs+
aaa-server (server_name) (interlinkport) host (Address)
key (password)
aaa authentication enable console (server_name) LOCAL
aaa authentication http console (server_name) LOCAL
aaa authentication serial console (server_name) LOCAL
aaa authentication ssh console (server_name) LOCAL
aaa authentication telnet console (server_name) LOCAL
aaa accounting command privilege 15 (server_name)
aaa authorization exec authentication-server

Farrukh Haroon
VIP Alumni

telnet password = passwd command

enable password = enable command

Try one thing, either remove

aaa authentication enable console (server_name) LOCAL

or change it to:

aaa authentication enable console LOCAL

Then try putting the 'local' enable password at the password prompt.

Regards

Farrukh

Farrukh - Sorry, I should have mentioned this earlier: I had executed your recommendation and it does work. But I don't want our engineering team having to refer to paperwork for the enable password.

That is why I want the enable password to be authenticated by the TACACS server.

I believe that the problem is with the parameters on the TACACS server. But I do not know all the syntax that needs to be entered.

I believe that there must be an additional parameter for the enable privilege.

Yes, I just wanted to double-check and rule out everything else. Which AAA server are you using?

Regards

Farrukh

My management team informs me that it is the open-source TACACS supplied by Cisco. I am not sure what version, and I am unable to find out until tomorrow as it is 10:30pm local time.

What other info would you like?

I'm assuming they are talking about 'free tacacs'; a sample configuration file can be found at the end of this link:

http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a00800946a3.shtml

Regards

Farrukh

Farrukh, that is correct, we (stancred and I) are using the 'free tacacs' as you suggested.

Group Definitions:

group = engineer {
    default service = permit
    service = exec {
        # logout after n mins idle
        idletime = 15
        # grant access level 15
        priv-lvl=15
    }
}

And User definitions:

user = {
    login = cleartext
    member = engineer
}

Do you have this at the top of your file, as per the cisco.com link I sent earlier?

# Enable password setup for everyone:
user = $enable$ {
    login = cleartext "cisco"
}

Please note there is a slight difference between the PIX and IOS routers: the privilege level feature was never properly implemented in PIX firewalls. So you might need to set up an enable password as above.

Regards

Farrukh

I will try this tomorrow. Just so you know, the same username and password work on Cisco routers. I have no trouble telnetting in and accessing enable mode.

aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
aaa authorization commands 1 default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
!

You aren't authenticating the enable password via AAA.

That would require a:

aaa authentication enable ....

Regards

Farrukh

With respect to your comments:

"I believe that the problem is with the parameters on the TACACS server. But I do not know all the syntax that needs to be entered.

I believe that there must be an additional parameter for the enable privilege."

... I understand you are NOT using Cisco Secure ACS; however, the following requirement may exist in your scenario as well:

When configuring enable authentication on a CSACS, you would need to specify "Max Privilege" (i.e.: Level 15) in the "TACACS+ Enable Control" section of "Advanced TACACS+ Settings" for the User's account.

When the AAA Client sends an authentication request to the TACACS server, the "Privilege Level" AV pair is specified. I would expect this criterion to be compared to the user's configuration (i.e.: Max Privilege).
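To make the point above concrete, here is an added example (not code from this thread or from tac_plus) that builds and decodes a TACACS+ authentication START packet for an enable request, following the field layout in RFC 8907, which is the protocol the ASA and the freeware tac_plus speak. It shows that the privilege level the firewall asks for (15) and the service (enable rather than login) travel in the obfuscated packet body, which is what the server matches against its per-user settings. The session id, shared key, port and remote address are constructed values.

```python
"""Added example: encode/decode a TACACS+ authentication START packet for 'enable'.
Layout per RFC 8907; constants and sample values below are assumptions for the demo."""
import hashlib
import struct

VERSION = 0xC0                     # major version 0xC, minor 0
TAC_PLUS_AUTHEN = 0x01             # header type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01       # action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01  # authen_type
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01   # service used at the telnet/ssh prompt
TAC_PLUS_AUTHEN_SVC_ENABLE = 0x02  # service used when the user types 'enable'
HEADER = struct.Struct("!BBBB4sI")        # version, type, seq_no, flags, session_id, length
START_FIXED = struct.Struct("!BBBBBBBB")  # action, priv_lvl, authen_type, service, 4 lengths


def keystream(session_id: bytes, key: bytes, version: int, seq_no: int, n: int) -> bytes:
    """RFC 8907 section 4.5: MD5_1 = MD5(session_id, key, version, seq_no),
    MD5_i = MD5(session_id, key, version, seq_no, MD5_{i-1}); concatenated to n bytes."""
    out, prev = b"", b""
    while len(out) < n:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        out += prev
    return out[:n]


def xor_body(body: bytes, session_id: bytes, key: bytes, version: int, seq_no: int) -> bytes:
    """Obfuscate or de-obfuscate the body (XOR with the keystream is its own inverse)."""
    return bytes(b ^ k for b, k in zip(body, keystream(session_id, key, version, seq_no, len(body))))


def build_authen_start(user: bytes, priv_lvl: int, service: int, session_id: bytes, key: bytes,
                       seq_no: int = 1, port: bytes = b"ssh", rem_addr: bytes = b"192.168.0.100",
                       data: bytes = b"") -> bytes:
    """Build the client's first packet of an authentication session."""
    body = START_FIXED.pack(TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII, service,
                            len(user), len(port), len(rem_addr), len(data))
    body += user + port + rem_addr + data
    header = HEADER.pack(VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + xor_body(body, session_id, key, VERSION, seq_no)


def parse_authen_start(packet: bytes, key: bytes) -> dict:
    """Decode a START packet as the server would, using the shared key."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if ptype != TAC_PLUS_AUTHEN or len(packet) != HEADER.size + length:
        raise ValueError("not a complete TACACS+ authentication packet")
    body = xor_body(packet[HEADER.size:], session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ul, pl, rl, dl = START_FIXED.unpack(body[:START_FIXED.size])
    fields, off = {}, START_FIXED.size
    for name, n in (("user", ul), ("port", pl), ("rem_addr", rl), ("data", dl)):
        fields[name] = body[off:off + n]
        off += n
    fields.update(session_id=session_id, seq_no=seq_no, action=action, priv_lvl=priv_lvl,
                  authen_type=authen_type, service=service, well_formed=(off == len(body)))
    return fields


if __name__ == "__main__":
    # Constructed demo: what the firewall sends when 'cciesec' types 'enable'.
    pkt = build_authen_start(b"cciesec", 15, TAC_PLUS_AUTHEN_SVC_ENABLE, b"\x00\x00\x00\x2a", b"cciesec")
    print(parse_authen_start(pkt, b"cciesec"))
```

The `priv_lvl` and `service` fields are what a server keys its lookup on (tac_plus consulting `$enable$`, ACS checking "Max Privilege"); the ASA's `aaa-server ... key` is the shared secret used for the keystream. RFC 8907 is explicit that this MD5 XOR is obfuscation, not encryption, so the link between the firewall and the TACACS+ server belongs on a management network.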

I think I can help you here since I've been using Cisco Freeware TACACS+ for almost 7 years now. I am not an expert, just enough to be dangerous.

Since the code is open-source, each company uses it differently; however, there is one thing that will always be true. That would be the enable.c file, which is a C program. You would need to modify this file so that EVERYONE can have his/her own enable password, just like Cisco ACS running on Windows platforms.

The configuration file would look something like this:

accounting file = /var/log/tac_plus.log
key = zFgGkIooIsZ.Q

user = cciesec {
    member = admin
    name = "ccie security"
    login = cleartext "cciesec"
}

user = $cciesec$ {
    member = admin
    name = "ccie security"
    login = cleartext "cciesec1"
}

group = admin {
    default service = permit
}

On the Pix:

aaa-server NEO protocol tacacs+
aaa-server NEO (outside) host 192.168.15.10
    timeout 5
    key cciesec
aaa authentication ssh console NEO LOCAL
aaa authentication enable console NEO LOCAL

Here is the login sequence:

[root@dca2-LinuxES root]# ssh -l cciesec 192.168.0.25
The authenticity of host '192.168.0.25 (192.168.0.25)' can't be established.
RSA key fingerprint is c2:48:15:85:92:7f:56:15:a8:0f:80:d9:88:50:fd:1c.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.0.25' (RSA) to the list of known hosts.
cciesec@192.168.0.25's password:
Type help or '?' for a list of available commands.
CiscoPix> en
Password: ********
CiscoPix#

In other words, my initial password is "cciesec" and my enable password is "cciesec1". Another user "tom" will have his own login and enable password.

Simple enough?
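The two conventions in this thread, a shared `$enable$` entry (Farrukh's suggestion) and a per-user `$username$` entry (cisco24x7's modified enable.c), can both be checked mechanically before a restart of tac_plus. The following is an added example, not part of the thread or of tac_plus: a small parser for the configuration syntax shown above plus an audit that reports users with no per-user enable entry, a shared `$enable$` fallback, cleartext login secrets, and enable passwords identical to the login password. The `$username$` naming is assumed from cisco24x7's description; the sample configuration embedded below is constructed for the demo.

```python
"""Added example: lint a tac_plus configuration for the enable-password patterns
discussed in the thread. Sample config and the $username$ convention are assumptions."""
import re

BLOCK_RE = re.compile(r'^(user|group)\s*=\s*(\S+)\s*\{$')
KV_RE = re.compile(r'^([^=]+?)\s*=\s*(.*?)\s*$')

# Constructed sample modelled on the thread's snippets, not a real deployment.
SAMPLE_CONFIG = """
accounting file = /var/log/tac_plus.log
key = EXAMPLE-SHARED-KEY

# Enable password setup for everyone (shared fallback)
user = $enable$ {
    login = cleartext "cisco"
}

user = cciesec {
    member = admin
    name = "ccie security"
    login = cleartext "cciesec"
}

user = $cciesec$ {
    member = admin
    login = cleartext "cciesec1"
}

user = tom {
    member = admin
    login = des "aBcDeFgHiJkLm"
}

group = admin {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
}
"""


def parse_tac_plus(text: str) -> dict:
    """Collect top-level 'key = value' lines and the direct attributes of each
    user/group block. Nested blocks (service = exec { ... }) are skipped."""
    cfg = {"user": {}, "group": {}, "global": {}}
    current, depth = None, 0
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # assumes no '#' inside quoted values
        if not line:
            continue
        if line.endswith("{"):
            m = BLOCK_RE.match(line)
            if depth == 0 and m:
                current, depth = (m.group(1), m.group(2), {}), 1
            else:
                depth += 1
            continue
        if line == "}":
            depth -= 1
            if depth == 0 and current:
                kind, name, attrs = current
                cfg[kind][name] = attrs
                current = None
            continue
        kv = KV_RE.match(line)
        if kv and current and depth == 1:
            current[2][kv.group(1)] = kv.group(2)
        elif kv and depth == 0:
            cfg["global"][kv.group(1)] = kv.group(2)
    return cfg


def login_secret(attrs: dict):
    """Split 'login = cleartext "x"' into (method, secret); None if no login line."""
    value = attrs.get("login")
    if not value:
        return None
    parts = value.split(None, 1)
    return parts[0], (parts[1].strip('"') if len(parts) > 1 else "")


def audit(cfg: dict) -> list:
    """Return 'code: detail' findings about enable-password handling."""
    users = cfg["user"]
    findings = []
    if "$enable$" in users:
        findings.append("shared-enable: $enable$ gives every user the same enable password")
    for name, attrs in users.items():
        if name.startswith("$") and name.endswith("$"):
            continue                          # enable entries are checked via their owner
        login = login_secret(attrs)
        enable_name = f"${name}$"
        if login and login[0] == "cleartext":
            findings.append(f"cleartext-login: {name}")
        if enable_name not in users:
            findings.append(f"no-enable-entry: {name} falls back to $enable$ or the device password")
        else:
            enable = login_secret(users[enable_name])
            if login and enable and login[1] == enable[1]:
                findings.append(f"enable-equals-login: {name}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_tac_plus(SAMPLE_CONFIG)):
        print(finding)
```

Run it against the real file before the `service tac_plus restart` mentioned later in the thread; an empty report means every login user has a distinct, non-cleartext enable entry and no shared `$enable$` password remains.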

Hi cisco24x7

Looking at the enable.c file as suggested, I can see the section for $enable$ or $enab15$. I assume this is what you are referencing when you mention that we would need to add each user (i.e. to be tested within the code).

Stupid question: I assume that I would need to compile this code once modifications have been made, and as such it is not able to be dynamically updated?

Our environment will not allow for a 'default' enable password across all devices. At most we could specify a default per 'group' of devices (i.e. per customer).

Farrukh - As suggested, the below config works; however, as per my above post, it is not acceptable to have a default enable password across all devices (or all PIXes).

# Enable password setup for everyone:
user = $enable$ {
    login = cleartext "cisco"
}

Thanks

Kylie

Then you need to go with the solution presented by Cisco24X7. You might find compiling help at the link I posted earlier.

Regards

Farrukh

My solution allows everyone to have both his/her own unique exec and enable password. NO PASSWORD SHARING, just like Cisco ACS. With Freeware TACACS+, you have ACLs in the configuration to block certain users from accessing certain devices. In other words, you can do just about whatever you want.

Last but not least, every time you make a change in the configuration, you have to restart tac_plus. That's really easy. I have multiple tacacs servers and I only make changes to the master tacacs server configuration files. Since mine is running on Linux, I can do "service tac_plus restart" or set a cron job to run every 4 hours to restart the tac_plus service. The restart takes about 2 seconds. Furthermore, I also set up another cron to copy the master file over to the other tacacs servers as well, via Secure Copy, very secure. That way I can achieve redundancy in case my primary tacacs server goes down, which is very unlikely (This is NOT a Windows environment). The best thing is that all of this is FREE.

One more thing: you can compile the code to use One-time Password In Everything (OPIE) as well. Think of it like two-factor authentication. In this day and age, sharing an enable password is a security violation, IMHO.
