ASA <aaa enable authentication> on Console port has a issue.

Unanswered Question
Oct 30th, 2008


We're using a Cisco ACS server to do a enable authentication on the Console port of a ASA, see the below for configuation...

The weird thing is that we are able to authenticate a user through the Console port,but failure enable authentication on the Console port.

But we can get through enable authentication if using the local password set by <enable password> command instead of the one configured on ACS server.

Also if we telnet or ssh to the ASA,enable authentication works perfectly...

Any idea...?


aaa-server TACACS+ protocol tacacs+

reactivation-mode depletion deadtime 1

aaa-server TACACS+ (inside) host

timeout 5

key cisco

aaa authentication serial console TACACS+ LOCAL

aaa authentication telnet console TACACS+ LOCAL

aaa authentication enable console TACACS+ LOCAL

aaa authentication ssh console TACACS+ LOCAL

aaa authorization command TACACS+ LOCAL

aaa accounting ssh console TACACS+

aaa accounting command privilege 15 TACACS+



  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
srue Fri, 10/31/2008 - 07:18

type "login" at the asa prompt from the console:

cisocasa> login

Jagdeep Gambhir Fri, 10/31/2008 - 07:45

Make sure that the group to which the user is assigned has "Max Privilege for any AAA Client "under Enable Options set to 15.

If issue is still there, please get he debug tacacs , and debug aaa authentication




This Discussion