AAA problem in ASA

Oct 14th, 2008

Hi All,


I had configured TACACS+ on the ASA, but the problem is when I'm trying to telnet to it, it authenticates me with my username & password on ACS, but I can't move onto privilege level 15 as configured on ACS. It's asking me for the enable password and not taking the password that is on ACS. I have used Shell Authorization for privilege 15. The configuration done on the ASA is:


name 172.30.xx.xx ACS-1
name 172.30.yy.yy ACS-2

aaa-server tacacs+ protocol tacacs+
aaa-server tacacs+ host ACS-1
 key cisco
aaa-server tacacs+ host ACS-2
 key cisco

aaa authentication telnet console tacacs+ LOCAL
aaa authentication telnet console tacacs+ tacacs+
aaa authentication ssh console tacacs+ LOCAL
aaa authentication enable console tacacs+ LOCAL

enable password V3VzjwYzTRfTLwOb encrypted

username piyush password vkCzRtKCaNG.HI6s encrypted privilege 15
username ideanoc password S0qrUlXOHFcX7LCw encrypted privilege 15


I even added my username & password to the local database on the ASA, the same as on ACS. Still no progress....


Can anyone give a suggestion on this?

Regards,

Piyush
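As an added example (not from the thread), a small Python audit of the AAA lines in an ASA config like the one above: it checks that every `aaa authentication ... console` line points at a defined server group, that any fallback keyword is LOCAL (the only fallback the ASA accepts after a server-group tag), and that `enable` itself is sent to the server group rather than relying on the local enable password. The sample config is constructed to mirror the poster's, with placeholder hashes.

```python
import re
from collections import defaultdict

# Constructed sample modelled on the config in the question; hashes are placeholders.
SAMPLE_CONFIG = """\
aaa-server tacacs+ protocol tacacs+
aaa-server tacacs+ host ACS-1
 key cisco
aaa-server tacacs+ host ACS-2
 key cisco
aaa authentication telnet console tacacs+ LOCAL
aaa authentication telnet console tacacs+ tacacs+
aaa authentication ssh console tacacs+ LOCAL
aaa authentication enable console tacacs+ LOCAL
enable password PLACEHOLDER encrypted
enable password PLACEHOLDER encrypted
"""

GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
HOST_RE = re.compile(r"^aaa-server (\S+) host (\S+)")
AUTH_RE = re.compile(
    r"^aaa authentication (telnet|ssh|http|serial|enable) console (\S+)(?: (\S+))?$")


def audit_aaa(config: str) -> dict:
    """Return server groups, their hosts and a list of findings for an ASA AAA config."""
    groups, hosts, findings = {}, defaultdict(list), []
    services, seen_enable = set(), set()
    for raw in config.splitlines():
        line = raw.strip()
        if m := GROUP_RE.match(line):
            groups[m[1]] = m[2]                      # server-group tag -> protocol
        elif m := HOST_RE.match(line):
            hosts[m[1]].append(m[2])                 # servers that belong to the group
        elif m := AUTH_RE.match(line):
            service, group, fallback = m.groups()
            services.add(service)
            if group != "LOCAL" and group not in groups:
                findings.append(f"{service}: server group '{group}' is not defined")
            if fallback is None and group != "LOCAL":
                findings.append(f"{service}: no LOCAL fallback, lockout risk if '{group}' is down")
            elif fallback not in (None, "LOCAL"):
                findings.append(f"{service}: fallback must be LOCAL, got '{fallback}'")
        elif line.startswith("enable password"):
            if line in seen_enable:
                findings.append("duplicate 'enable password' line")
            seen_enable.add(line)
    # Without 'aaa authentication enable console <group>' the enable prompt only
    # accepts the local enable password, which is the symptom in this thread.
    if services & {"telnet", "ssh"} and "enable" not in services:
        findings.append("enable: not sent to AAA server, only the local enable password works")
    for tag in groups:
        if not hosts[tag]:
            findings.append(f"server group '{tag}' has no hosts")
    return {"groups": groups, "hosts": dict(hosts), "findings": findings}
```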

Jagdeep Gambhir Tue, 10/14/2008 - 11:09

Piyush,

The ASA does not support exec authorization, so you will not fall directly into enable mode the way we do on routers/switches.


http://www.ciscotaccc.com/security/showcase?case=K25224726


But it should let you in using the enable password. In ACS user setup, make sure you have an enable password defined and you are using that password.


User Setup ---> Edit ---> TACACS+ Enable Password, and choose the option as per your need.



Regards,

~JG


Do rate helpful posts

piyush_singh Tue, 10/14/2008 - 12:32

Tried doing the same, but that also doesn't help.


Do I need to give:


aaa accounting command privilege 15 tacacs+


to make it privilege 15?

Jagdeep Gambhir Tue, 10/14/2008 - 12:55

No, that command is for accounting.


Make sure Max Privilege for any AAA Client is set to 15 in ACS group setup.


Do we get any error in Failed Attempts?


Regards,

~JG


Do rate helpful posts

piyush_singh Tue, 10/14/2008 - 13:22

Yes, all that is done. Level 15 is set in Shell (exec) in group setup, and the Shell Command Authorization Set also provides full access...


And I can't find any logs in Failed Attempts, but I can see the authentication passed in the Passed Authentications logs.


The link which you posted is for IOS ver 7.x, but I'm using 8.0(3).


Regards,

Piyush

piyush_singh Tue, 10/14/2008 - 13:25

What I'm getting on telnet is:


User Access Verification

Username: piyush
Password: **********
Type help or '?' for a list of available commands.
ICL-PUN-PRIDC1-MPLS-5550ASA1> en
Password: **********
Password: **********
Password: **********
Access denied.
ICL-PUN-PRIDC1-MPLS-5550ASA1>
ICL-PUN-PRIDC1-MPLS-5550ASA1>


This might give you some idea.

Correct Answer
Jagdeep Gambhir Tue, 10/14/2008 - 13:31

I'm not asking for shell priv level 15 but enable privilege. That should be set to 15 in ACS ---> User Setup ---> Enable Options ---> Max Privilege for any AAA Client ---> 15.
