ASA multiple context aaa authentication enable

Unanswered Question
Jan 23rd, 2009


We have ASA with software 7.2.4 configured for AAA on ACS v4.2.

Configuration is as follows:

aaa-server TAC protocol tacacs+
aaa-server TAC (mgmt) host
key cisco
aaa-server RAD protocol radius
key cisco
aaa-server RAD (mgmt) host
aaa authentication http console RAD LOCAL
aaa authentication serial console RAD LOCAL
aaa authentication ssh console RAD LOCAL
aaa authentication enable console TAC LOCAL
aaa authorization command TAC LOCAL
aaa accounting ssh console TAC
aaa accounting command TAC

Everything is working fine except access to privileged mode while connecting over the console port. Console port authentication is working OK.

Because of multiple context mode, after logging in we enter the System context.

After issuing the "enable" command, the ASA accepts only the enable secret configured in the system context and changes the user ID to enable_15, so we are unable to do user-level command authorization and accounting.

It seems that the ASA in the system context is not aware of any AAA configuration, and there isn't any command to configure AAA in the system context.

Is there any way to configure enable authentication over AAA in system context?

Thanks in advance!


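The following is an added example, not code from the thread or from Cisco: a small Python audit that parses the kind of context-level AAA configuration posted above and reports the checks an operator usually wants before relying on it (every method list refers to a defined aaa-server group, each group has at least one host, authentication lists keep a LOCAL fallback, and enable authentication is present). The sample config is constructed from the posted lines with placeholder host addresses (the post omitted them) and one deliberately misspelled group name on the last line. It inspects only the context configuration; it cannot see the system execution space behaviour the poster describes.

```python
from collections import defaultdict

# Constructed sample: the AAA stanzas from the first post, with placeholder
# host addresses (the post left them out) and one deliberately misspelled
# group name on the last line so the audit has something to report.
SAMPLE_CONFIG = """
aaa-server TAC protocol tacacs+
aaa-server TAC (mgmt) host 192.0.2.10
 key cisco
aaa-server RAD protocol radius
aaa-server RAD (mgmt) host 192.0.2.20
 key cisco
aaa authentication http console RAD LOCAL
aaa authentication serial console RAD LOCAL
aaa authentication ssh console RAD LOCAL
aaa authentication enable console TAC LOCAL
aaa authorization command TAC LOCAL
aaa accounting ssh console TAC
aaa accounting command TACS
"""


def parse_aaa(text):
    """Pull aaa-server groups, hosts and aaa method lists out of ASA config text."""
    cfg = {
        "groups": {},                 # group tag -> protocol
        "hosts": defaultdict(list),   # group tag -> [server addresses]
        "authentication": {},         # service (http/ssh/serial/enable) -> method list
        "authorization": {},          # "command" -> method list
        "accounting": {},             # service or "command" -> method list
    }
    for raw in text.splitlines():
        tok = raw.split()
        if not tok or tok[0] == "key":          # skip blank lines and the key sub-command
            continue
        if tok[0] == "aaa-server" and len(tok) >= 4:
            tag = tok[1]
            if tok[2] == "protocol":
                cfg["groups"][tag] = tok[3]
            elif tok[3] == "host" and len(tok) >= 5:
                cfg["hosts"][tag].append(tok[4])
        elif tok[:2] == ["aaa", "authentication"] and "console" in tok:
            cfg["authentication"][tok[2]] = tok[tok.index("console") + 1:]
        elif tok[:3] == ["aaa", "authorization", "command"]:
            cfg["authorization"]["command"] = tok[3:]
        elif tok[:2] == ["aaa", "accounting"] and len(tok) >= 4:
            cfg["accounting"][tok[2]] = [t for t in tok[3:] if t != "console"]
    return cfg


def audit_aaa(cfg):
    """Return a list of findings for a parsed context-level AAA configuration."""
    findings = []
    for kind in ("authentication", "authorization", "accounting"):
        for svc, methods in cfg[kind].items():
            for m in methods:
                if m != "LOCAL" and m not in cfg["groups"]:
                    findings.append(f"{kind} {svc}: server group '{m}' is not defined")
            # Without a LOCAL fallback, an unreachable AAA server locks out management access.
            if kind != "accounting" and "LOCAL" not in methods:
                findings.append(f"{kind} {svc}: no LOCAL fallback behind {' '.join(methods) or '(none)'}")
    if "enable" not in cfg["authentication"]:
        findings.append("authentication enable: not configured; only the enable password guards privileged mode")
    for tag in cfg["groups"]:
        if not cfg["hosts"].get(tag):
            findings.append(f"server group '{tag}' has no host entries")
    return findings


if __name__ == "__main__":
    for finding in audit_aaa(parse_aaa(SAMPLE_CONFIG)):
        print(finding)
```

Run against the sample it reports only the misspelled accounting group; feed it `show running-config aaa` and `show running-config aaa-server` output from a context to check a real box.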
ebreniz Fri, 01/30/2009 - 15:31

Your security appliance is possibly already configured for multiple security contexts dependent upon how you ordered it from Cisco, but if you upgrade, you might need to convert from single mode to multiple mode. This section explains the procedures to upgrade. ASDM does not support changing modes, so you need to change modes with the CLI.

When you convert from single mode to multiple mode, the security appliance converts the running configuration into two files. The original startup configuration is not saved, so, if it differs from the running configuration, you must back it up before you proceed.

marko.keca Fri, 01/30/2009 - 16:05


I assume that you misunderstood my question. Our appliance is running in multiple context mode and AAA in the context is configured as it should be (see the configuration in the first post).

The problem is, if you log into the ASA over the console port you can enter enable mode with user credentials only if you have users defined locally in the System space. In the System space you can't define AAA commands.

Kind regards,
