FWSM AAA Problem

Unanswered Question
Mar 25th, 2010

Hi,


I am using FWSM 4.1(1) with ASDM 6.2(1)F. I use ASDM to configure the FWSM with TACACS authentication, authorization and accounting, and I have enabled TACACS authentication for "Enable", "Telnet", "HTTP/ASDM"... Everything is fine when I use ASDM to log in to the "admin" context. But when I try to session into the FWSM from the switch, I can't log in with the same username and password I used to log in with ASDM. Can anyone tell me what the problem is? Thanks

Jennifer Halim Thu, 03/25/2010 - 03:40
User Badges:
  • Cisco Employee,

Do you have "aaa authentication telnet console " configuration on your Admin context?

shailesh.h Thu, 03/25/2010 - 09:01
User Badges:
  • Bronze, 100 points or more

I think problem could be

>> For ASDM you might have enabled HTTPS access in AAA but might not have allowed it for the session from the switch. Maybe the switch IP is not allowed, or telnet / SSH is disallowed to the FWSM.

>> If you add the switch IP or SSH / telnet, you should be in a position to use the same username and password from the switch.

hkdisneyland Thu, 03/25/2010 - 23:32
I am now able to switch to the FWSM using the "session slot no. pro 1" command. Once I log in using the TACACS username and password, I get the ">" prompt only. I need the enable password to get into the enable prompt. After that, when I change context to "admin", I get the error "Command authorization failed" for any command I issue. Please advise.

Jennifer Halim Thu, 03/25/2010 - 23:35
User Badges:
  • Cisco Employee,

Looks like the ACS is configured with command authorization, and it is not allowing the commands that you type in.

You might want to check on the ACS server itself on what command is allowed.

hkdisneyland Fri, 03/26/2010 - 01:10
AAA authorization has been enabled for ASDM/HTTP also, and I have no problem clicking any button in ASDM. So it seems the command authorization for ASDM is OK. But why do I get the command issue in the CLI?

shailesh.h Fri, 03/26/2010 - 03:01
User Badges:
  • Bronze, 100 points or more

1... Hope you have the enable password and then got into privileged mode...

2... It might be possible that the privilege level for the username/password you are giving has limited privileges...

3... Checking the AAA database for the username / password and privilege level should solve your problem.

hkdisneyland Mon, 03/29/2010 - 01:43
I just wonder why I need to enter the enable password after entering "username" and "password", as my user account already has privilege level 15. Also, when I try to SSH into the admin context, I get the ">" prompt after entering username and password. After that, I try to change to enable mode. The password is always not correct and the "enable" action fails (but I am pretty sure the password I type in is the same as the enable password configured).

Jennifer Halim Mon, 03/29/2010 - 02:07
User Badges:
  • Cisco Employee,

With FWSM, after you are authenticated and at the user prompt, to access enable mode you would need to type "login" instead of "enable". It will prompt you for your TACACS username and password, and place you in enable mode as per your TACACS privileges.

Here is the URL for your reference:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/mgacc_f.html#wp1072206
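For readers following the thread, the configuration below is an added illustration, not a snippet posted by anyone in the discussion or taken from Cisco's guide. It shows the admin-context AAA lines the replies above refer to in one place: per-path authentication (including the "enable" path, which is what decides whether "enable" asks for the local enable password or for TACACS credentials), command authorization (the source of the "Command authorization failed" message), and command accounting. The server-group name "TACACS", the host 10.0.0.5, the interface name "inside" and the key are all assumed placeholders.

```cisco
! Added illustration (not from the thread). Group name "TACACS", the host
! address, the interface name and the key are assumed placeholders.
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 10.0.0.5
 key REPLACE-WITH-SHARED-SECRET

! Authenticate each management path against TACACS+, falling back to the
! local user database if the server is unreachable.
! "serial" is assumed to cover the session opened from the switch.
aaa authentication serial console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication http console TACACS LOCAL

! Without this line, "enable" after a TACACS login is checked against the
! locally configured enable password; with it, the enable step is checked
! against TACACS+ and the privilege level the server returns.
aaa authentication enable console TACACS LOCAL

! Every command is authorized by the TACACS+ server before it runs; a deny
! from the server is what produces "Command authorization failed".
aaa authorization command TACACS LOCAL

! Command accounting to the same server group.
aaa accounting command TACACS
```

Note that ASDM and the CLI are separate authentication paths (http versus telnet/ssh/serial), so a working ASDM login says nothing about whether the CLI paths, or the enable step, are also pointed at the TACACS+ group; the same TACACS+ command-authorization policy applies to both, so a command set that only lists what ASDM sends will reject interactively typed commands.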

shailesh.h Mon, 03/29/2010 - 04:16
User Badges:
  • Bronze, 100 points or more

It's funny, but the enable password is required when accessing through the CLI whereas it works fine with ASDM. You may reset the enable password using ASDM and then try from the CLI... it will definitely work.


With regards,


Shailesh

Vianyfel Cordaro Wed, 08/28/2013 - 12:00
I had the same problem and it was solved by restarting the FWSM slot with the command: hw-module module slot N° reset
