03-20-2010 02:14 AM - edited 03-11-2019 10:24 AM
Hi all,
I have configured 2 ASA 5520's in active/standby failover and also configured telnet and SSH on the same, such that telnet uses the local database for authentication and SSH uses TACACS+ for AAA. The problem is that when trying to log in using SSH I am able to log in to the console but not to enable mode.
What could be the problem?
Sree
03-20-2010 03:43 AM
Did you configure privilege level 15 for Enable options on the ACS server for the group/user?
03-20-2010 07:32 PM
Issue "sh run aaa", what does "aaa authentication enable console ..." line say?
-KS
03-20-2010 11:16 PM
03-20-2010 11:18 PM
03-21-2010 03:12 AM
ASA works a little bit differently in regards to enable mode authentication compared to other Cisco devices, like IOS routers and switches.
Please check on the ACS server if the "enable" option of privilege level 15 on the ACS server for the group/user is configured as advised earlier, as per the following:
http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800949d6.shtml
You would also need to manually switch to enable mode on ASA:
http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K25224726
03-21-2010 03:35 PM
Make sure this ACS user has priv 15 configured.
Otherwise, try to just remove this line, "aaa authentication enable console server-group LOCAL", and use the enable password configured on the ASA.
-KS
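Added illustration (not from any poster in this thread): the ASA AAA lines the replies above are talking about, laid out as the original poster describes them (telnet against LOCAL, SSH against TACACS+) together with the "enable" line KS asked to see and the two checks a practitioner would run. The server-group name ACS-GROUP, the host 192.0.2.10, the interface name and the placeholder key/passwords are assumptions, not values from the thread.

```cisco
! Constructed example; ACS-GROUP, 192.0.2.10, interface and secrets are placeholders
aaa-server ACS-GROUP protocol tacacs+
aaa-server ACS-GROUP (inside) host 192.0.2.10
 key <tacacs-shared-secret>
!
! Telnet logins: local username database only (as in the original post)
aaa authentication telnet console LOCAL
! SSH logins: ACS first; LOCAL is used only if every server in ACS-GROUP is unreachable
aaa authentication ssh console ACS-GROUP LOCAL
!
! The line KS asked about. With ACS-GROUP here, the "enable" step after an SSH login is
! sent to ACS as a privilege-level-15 enable request, so the user/group in ACS must have
! the Enable option set to level 15 or ACS rejects it. Note that a rejection from ACS does
! NOT fall back to LOCAL; LOCAL is only consulted when the servers are unreachable.
aaa authentication enable console ACS-GROUP LOCAL
!
! Alternative from KS's last reply: remove the enable line and use the ASA's own
! enable password for the "enable" step instead of ACS
! no aaa authentication enable console ACS-GROUP LOCAL
! enable password <asa-enable-password>
!
! Checks: confirm what is actually configured, and test ACS directly from the ASA
show run aaa
test aaa-server authentication ACS-GROUP host 192.0.2.10 username <user> password <pw>
```

The "test aaa-server" command only proves that the login authentication to ACS works; whether ACS will also grant the enable request still depends on the privilege-15 Enable option for that user or group on the ACS side, which is the setting the replies above point to.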