Warning message

  • Cisco Support Forums is in Read Only mode while the site is being migrated.
  • Cisco Support Forums is in Read Only mode while the site is being migrated.

ASA +tacacs enable mode problem ** SOLVED **

Unanswered Question
Feb 24th, 2009
User Badges:

It seems this topic has been covered plenty already, but I just thought I would share my experience getting tacacs+ authentication working with enable mode(privilege level 15) for our ASA5550. Probalby unique to my setup, but perhaps this can help anyone else who comes across this problem

Before I begin I would like to say I found the Cisco documentation some what confusing - http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/start.html

Anyway to give some background we use tacacs+ for telnet(auth/accounting) with existing cisco routers/switches. If specified in tacacs.conf a user can log on to a device with full enable access without having to first escalate privileges. I just expected the ASA would support this. This is not the case as I discovered from this thread- http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&topicID=.ee6e1fe&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40^1%40%40.2cc21a1e/0#selected_message "...The ASA/PIX doesn't do "exec" authorization like a router does, to put you straight into privilege level 15..."

In the tacacs.conf file on your tacacs+ server make sure you create a user called $enab15$. This is in addition to your individual user accounts. This is a global "enable" user that is used to authenticate escalating to enable privilege mode for any user in tacacs.conf.

Here is the config I'm using that works

** ASA5550 **

aaa-server MNGT-TAC protocol tacacs+

aaa-server MNGT-TAC (mngt0_0_management_int) host

key cisco

aaa authentication telnet console MNGT-TAC LOCAL

aaa authentication enable console MNGT-TAC LOCAL

aaa accounting telnet console MNGT-TAC

aaa accounting enable console MNGT-TAC

aaa accounting command MNGT-TAC


telnet mngt0_0_management_int

** TACACS server /etc/tac-plus/tacacs.conf **

accounting file = /var/log/tac-plus/account

key = cisco # comment while debug

## Global enable password

user = $enab15$ {

login = des cs23Dsd2bslz # use DES encryption


user = asa-test {

service = exec {

default attribute = permit

priv-lvl = 15


login = des bs2Apbk0xCT0D


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)


This Discussion