ASA enable authentication for AD user by ACS TACACS fails

Unanswered Question
May 5th, 2009
User Badges:

In order to authorize command on ASA8.x for different users, I have to put 'aaa authentication enable console TACACS' into ASA configuration, and in ACS - user setup - TACACS+ enable password - Use separate password, I set an enable password.


It works fine for ACS local users, they are able to get into priv EXEC mode by entering 'enable' command and use my pre-set password, however, the password doesn't work for AD user.


So, how to setup enable authorization for AD user?

Or is there a way to drop a user directly into level 15 on ASA just like it on router?


below is the debug info.(I'm sure the password is the one I set in ACS)

-------------------------------------

LABASA1(config)# AAA API: In aaa_open

AAA session opened: handle = 884

AAA API: In aaa_process_async

aaa_process_async: sending AAA_MSG_PROCESS

AAA task: aaa_process_msg(d45bd5c8) received message type 0

AAA FSM: In AAA_StartAAATransaction

AAA FSM: In AAA_InitTransaction


Initiating authentication to primary server (Svr Grp: TACACS)

------------------------------------------------

AAA FSM: In AAA_BindServer

AAA_BindServer: Using server: 192.168.1.221

AAA FSM: In AAA_SendMsg

User: fostco\user1

Resp:

callback_aaa_task: status = -1, msg =

AAA FSM: In aaa_backend_callback

aaa_backend_callback: Handle = 884, pAcb = d5b193e0

aaa_backend_callback: Error:

Incorrect password.


AAA task: aaa_process_msg(d45bd5c8) received message type 1

AAA FSM: In AAA_ProcSvrResp


Back End response:

------------------

Authentication Status: -1 (REJECT)


AAA FSM: In AAA_NextFunction

AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = REJECT

AAA_NextFunction: authen svr = TACACS, author svr = <none>, user pol = , tunn pol =

AAA_NextFunction: New i_fsm_state = IFSM_DONE,

AAA FSM: In AAA_ProcessFinal

AAA FSM: In AAA_Callback

user attributes:

None


user policy attributes:

None


tunnel policy attributes:

None



Auth Status = REJECT

aaai_internal_cb: handle is 884, pAcb is d5b193e0, pAcb->tq.tqh_first is d441d1d8

AAA API: In aaa_close

AAA task: aaa_process_msg(d45bd5c8) received message type 3

In aaai_close_session (884)


  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
nomair_83 Wed, 05/06/2009 - 00:06
User Badges:
  • Bronze, 100 points or more

Because AD is not able to communicate with authorization attributes by ASA.



michaelli888 Wed, 05/06/2009 - 06:29
User Badges:

sorry, my mistake, i mean authenticate enable, not authorize enable.


I have tested the same AD account to authenticate enable on router and switches, it has no problem.


Furthermore, if I use ACS - TACACS+ Enable Password - Use external database password (Windows database), I can use the user's AD password to get into level 15. But this way all AD user can get into p_priv mode.


My question is, why 'ACS - TACACS+ Enable Password - Use separate password' doesn't work, and how to make it work?

Jagdeep Gambhir Fri, 05/08/2009 - 10:01
User Badges:
  • Red, 2250 points or more

ASA does not support exec authorization as IOS. SO user will not fall directly to enable mode.


Make sure all AD users are added in ACS with password validation pointed to external database. You need to set up separate enable password for those users.


Regards,

~JG



bleuenbe Tue, 07/07/2009 - 13:10
User Badges:

I have run into a similar situation. I just want to authenticate via TACACS to enable mode in an ssh session. After using the "aaa authentication enable console TACACS LOCAL" command on the ASA, the ACS server rejects the password.


I have tried everything I can think of on the ACS as far as "TACACS+ enable password" using both a windows database or a separate password, and PIX/ASA command sets. I cannot go into enable mode unless I set the ASA to LOCAL authentication, which just uses the globally defined enable password.

njvcofallon1 Wed, 08/24/2011 - 08:50
User Badges:

Since this was never answered, I'll try to help. I was pulling out my hair as well. Try going to Interface Configuration, then under the Advanced Configuration Options check Advanced TACACS+ Features, then edit your Group settings. You'll now see a section for 'Enable Options', set this to Level 15 for this group. I love how many settings in ACS are hidden until you find the option to enable them in the GUI. Also make sure any PIX Shell options are enabled for the group as well.


-Nick

Actions

This Discussion