SSH access problem in ASA 5520 v7.2

Unanswered Question
Mar 20th, 2010

Hi all,


I have configured two ASA 5520s in active/standby failover and also configured Telnet and SSH on them, such that Telnet uses the local database for authentication and SSH uses TACACS+ for AAA. The problem is that when trying to log in using SSH, I am able to log in to the console but not to enable mode.

What could be the problem?



Sree

Jennifer Halim (Cisco Employee) Sat, 03/20/2010 - 03:43

Did you configure privilege level 15 for Enable options on the ACS server for the group/user?

Kureli Sankar (Cisco Employee) Sat, 03/20/2010 - 19:32

Issue "sh run aaa": what does the "aaa authentication enable console ..." line say?


-KS

Jennifer Halim (Cisco Employee) Sun, 03/21/2010 - 03:12

ASA works a little differently with regard to enable mode authentication compared to other Cisco devices, like IOS routers and switches.


Please check on the ACS server that the "enable" option with privilege level 15 is configured for the group/user, as advised earlier, as per the following:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800949d6.shtml


You would also need to manually switch to enable mode on ASA:

http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K25224726

Kureli Sankar (Cisco Employee) Sun, 03/21/2010 - 15:35

Make sure this ACS user has priv 15 configured.

Otherwise, try to just remove this line: "aaa authentication enable console server-group LOCAL" and use the enable password configured on the ASA.


-KS
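The AAA configuration the thread is discussing, written out as an added example; it is not from the original post or from any of the replies. It assumes a TACACS+ server group named TACACS on the inside interface at 10.0.0.5 (both hypothetical placeholders) and shows the Telnet/SSH/enable authentication lines together with the two fixes suggested above: keep TACACS+ enable authentication and give the ACS user privilege level 15, or remove the enable-console line and use the ASA's local enable password.

```text
! Added example, not from the original thread. Server-group name, host
! address, key and enable password are hypothetical placeholders.
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 10.0.0.5
 key <tacacs-shared-secret>
!
! Telnet authenticates against the local user database; SSH authenticates
! against TACACS+, falling back to LOCAL only if the TACACS+ servers are
! unreachable.
aaa authentication telnet console LOCAL
aaa authentication ssh console TACACS LOCAL
!
! Option 1: with this line present, "enable" is also authenticated by TACACS+,
! so the ACS user/group needs Shell (exec) privilege level 15. Without it the
! SSH login succeeds but the enable prompt rejects the user, which is the
! symptom described in the question.
aaa authentication enable console TACACS LOCAL
!
! Option 2 (the alternative suggested above): remove TACACS+ enable
! authentication so the enable password stored on the ASA is used instead.
no aaa authentication enable console TACACS LOCAL
enable password <local-enable-password>
!
! Check which of the two is actually in effect:
show running-config aaa
```

Options 1 and 2 are alternatives, not meant to be applied together; the "show running-config aaa" output is what the earlier reply asks for and shows which enable authentication method the unit is really using. On an active/standby pair the AAA lines replicate to the standby, so only the active unit needs the change.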
