Authentication on ASA

Unanswered Question
May 13th, 2009
User Badges:

I have a customer whom is currently using TACACS to authenticate incoming Admin session requests to the ASA appliance. Currently is uses TACACS and prompts for a username and password when you SSH to the box. Once authenticated, and then to enter priveleged EXEC mode after issuing the >enable command, the user will enter his/her password again to go to PRIV EXEC mode.

We want to change this scenario a bit. We still want the ASA to query the TACACS server to validate the user. But thereafter we want to use the LOCAL enable password on the ASA as the password to be referenced for PRIV EXEC mode.

What command will tell the ASA to reference the enable password, and not use TACACS?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 4.5 (2 ratings)
Collin Clark Wed, 05/13/2009 - 11:07
User Badges:
  • Purple, 4500 points or more

I don't believe you can configure that in the ASA. You can configure it in your AAA server. Here's a screenshot from ACS. You would use

Kevin Melton Wed, 05/13/2009 - 12:00
User Badges:

Can you point me to where this is on the ACS box? And what version of ACS are you running. We were looking for this option on the ACS box and to this point unable to find it.


Collin Clark Wed, 05/13/2009 - 12:11
User Badges:
  • Purple, 4500 points or more

Check under the individual user account.

Alexei_Popik Wed, 06/10/2009 - 09:15
User Badges:

Hello. I'd like to join your conversation, because I have same problem.

I configure 'Use separate password', and now this password used for enable command. By the question was how to configure for using 'enable password' in Asa configuration? Or I need to configure 'Asa enable password' for all user accounts in ACS database as 'separate password' line?

Collin Clark Wed, 06/10/2009 - 10:32
User Badges:
  • Purple, 4500 points or more

Good question. I could not get it to work other than your suggestion of configure 'Asa enable password' for all user accounts in ACS database as 'separate password' line Thaat actually makes sense since the ASA is using AAA authentication and the enable password is local.

Alexei_Popik Thu, 06/11/2009 - 00:47
User Badges:

Thanks. One more question.

Is it possible login to Asa direct to priv. 15?

It worked with routers, but not with Asa.

Collin Clark Thu, 06/11/2009 - 05:22
User Badges:
  • Purple, 4500 points or more

No you can't. It's a security feature.

Kevin Melton Mon, 06/15/2009 - 05:59
User Badges:


I appreciate your input on this to this point.

I am still having difficulty locating the screen from your screen shot. Is there a chance that you could provide the exact path.

I did not see it at the path "Administration Control>Administrators>(username) which is where I thought it would be.

Thanks again

Collin Clark Mon, 06/15/2009 - 06:08
User Badges:
  • Purple, 4500 points or more


>User Setup>[USERNAME]

It's under the properties of the individual user.


This Discussion