Sessioning into FWSM using AAA tacacs for authentication

Unanswered Question
Mar 2nd, 2009

We have a FWSM in a Cat6500(12.2(33)SXI). We use AAA tacacs with local failover for ssh access to both the FWSM admin context and the switch. Works great. However when trying to session to the FWSM from the switch it only seems to allow 1st level access using my tacacs credentials. It only accepts either the local admin context enable password or the password associated with a local privilege level 15 user(admin context) for enable access. Is there some way to configure enable access to also use my tacacs credentials? If possible, local authentication for failover would be preferred.



phaddad Tue, 03/03/2009 - 08:36

If you are talking about the fwsm, we already have the following statement configured in the admin context:

aaa authentication enable console tac_servers LOCAL

It's like it's not using AAA for enable after the session login, as I'm not getting a prompt for a username, only a password.



vikram_anumukonda Thu, 03/05/2009 - 00:10

Did you try debugging AAA to see what exactly is happening when you are sessioning into the FWSM?

phaddad Thu, 03/05/2009 - 08:25

Output from show debug on the FWSM system context while doing a session command from the switch:

Processing challenge for user xxxxxx, session id: 2147483691, challenge: Password:

Mar 05 2009 06:07:53: %FWSM-6-605005: Login permitted from to eobc: for user "xxxxxx"

enabling in same session using local level 15 password:

Mar 05 2009 06:09:36: %FWSM-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15

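The two syslog lines above are the key evidence in this thread: the login is attributed to a named TACACS user, but the privilege change to level 15 is logged under the built-in name "enable_15", which is what the FWSM records when the local enable password (rather than a named AAA user) is used. As an added example that is not part of the original discussion, the parser below reads FWSM syslog lines of the two message types quoted here (%FWSM-6-605005 and %FWSM-5-502103) and flags escalations to privilege 15 that were not tied to a named user, which is the condition an operator would want to monitor while the enable-via-TACACS problem remains unresolved. The sample lines are constructed in the format shown above; the interpretation of "enable_15" as "local enable password was used" is taken from the poster's own description and is an assumption of this example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample log, modelled on the FWSM syslog lines quoted in the thread.
# The first pair mirrors the poster's session-from-switch case (eobc login,
# then enable with the local level-15 password); the second pair shows an SSH
# login where the privilege change is logged under the named AAA user.
SAMPLE_LOG = """\
Mar 05 2009 06:07:53: %FWSM-6-605005: Login permitted from to eobc: for user "jdoe"
Mar 05 2009 06:09:36: %FWSM-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15
Mar 05 2009 06:15:02: %FWSM-6-605005: Login permitted from 10.0.0.5/51234 to inside:10.0.0.1/ssh for user "asmith"
Mar 05 2009 06:15:40: %FWSM-5-502103: User priv level changed: Uname: asmith From: 1 To: 15
"""

# Generic FWSM syslog envelope: timestamp, "%FWSM-<severity>-<msgid>:", message body.
MSG_RE = re.compile(
    r'^(?P<ts>\w{3} \d{2} \d{4} \d{2}:\d{2}:\d{2}): '
    r'%FWSM-(?P<sev>\d)-(?P<msgid>\d{6}): (?P<body>.*)$'
)
LOGIN_RE = re.compile(r'for user "(?P<user>[^"]*)"')
PRIV_RE = re.compile(r'Uname: (?P<user>\S+) From: (?P<frm>\d+) To: (?P<to>\d+)')


@dataclass
class Event:
    ts: str
    msgid: str
    user: str
    kind: str                 # "login" or "priv_change"
    frm: Optional[int] = None  # only set for priv_change
    to: Optional[int] = None   # only set for priv_change


def parse_line(line: str) -> Optional[Event]:
    """Parse one FWSM syslog line; return None for lines we do not model."""
    m = MSG_RE.match(line.strip())
    if not m:
        return None
    msgid, body = m["msgid"], m["body"]
    if msgid == "605005":  # Login permitted
        lm = LOGIN_RE.search(body)
        if lm:
            return Event(m["ts"], msgid, lm["user"], "login")
    elif msgid == "502103":  # User priv level changed
        pm = PRIV_RE.search(body)
        if pm:
            return Event(m["ts"], msgid, pm["user"], "priv_change",
                         int(pm["frm"]), int(pm["to"]))
    return None


def parse_log(text: str) -> List[Event]:
    """Parse a block of syslog text, skipping blank and unrecognised lines."""
    events = []
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is not None:
            events.append(ev)
    return events


def local_enable_escalations(events: List[Event],
                             local_names=("enable_15",)) -> List[Event]:
    """Return privilege changes to level 15 whose accounting name is a built-in
    local enable name instead of a named AAA user.

    Assumption (from the thread, not an FWSM guarantee): "enable_15" is the
    name the FWSM logs when the local enable password was used."""
    return [e for e in events
            if e.kind == "priv_change" and e.to == 15 and e.user in local_names]


if __name__ == "__main__":
    for ev in local_enable_escalations(parse_log(SAMPLE_LOG)):
        print(f"{ev.ts}: enable via local password (Uname {ev.user}, "
              f"priv {ev.frm} -> {ev.to})")
```

Fed the real debug or syslog stream, the flagged events are exactly the cases where enable was granted by a shared local secret rather than by the operator's own TACACS identity, so they are worth correlating with the preceding login line to recover who actually typed the password.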


vikram_anumukonda Fri, 03/06/2009 - 02:53

FWSM 3.2 Configuration Guide

"In multiple context mode, you cannot configure any AAA commands in the system configuration. However, if you configure Telnet authentication in the admin context, then authentication also applies to sessions from the switch to the FWSM (which enters the system execution space). The admin context AAA server or local user database are used in this instance"

But I'm not quite sure if this is the case with "enable" authentication; at least from what you have experienced, it looks like the enable password set under the system context is being used.

phaddad Fri, 03/06/2009 - 08:37

Agree on the aaa commands in the system config. In the admin context config we have the following aaa commands:

aaa authentication telnet console tac_servers LOCAL

aaa authentication enable console tac_servers LOCAL

Just doesn't seem to work with enable.



vikram_anumukonda Fri, 03/06/2009 - 08:41

That confirms that enable authentication for system context is done based on enable password and not the tacacs+.

But I am going to check and let you know.

phaddad Fri, 03/06/2009 - 09:04

3.2(4) looking to upgrade to 4 in the next month or so.

ppalmerjr Mon, 12/14/2009 - 18:21

I'm wondering if anyone has found an answer to this. I have the exact same problem where authentication is working to the FWSM but when I try to go into enable mode it uses the password that is configured via the enable secret command and not what is in the ACS server. I tried using the "aaa authentication enable console {LOCAL | server_group [LOCAL]}" but it doesn't seem to work.

Any thoughts?
