FWSM AAA Problem

hkdisneyland
Level 1

Hi,

I am using FWSM 4.1(1) with ASDM 6.2(1)F. I use ASDM to configure the FWSM with TACACS authentication, authorization and accounting, and I have enabled TACACS authentication for "Enable", "Telnet", "HTTP/ASDM"... Everything is fine when I use ASDM to log in to the "admin" context. But when I try to session into the FWSM from the switch, I can't log in with the same username and password I use to log in with ASDM. Can anyone tell me what the problem is? Thanks

10 Replies

Jennifer Halim
Cisco Employee

Do you have the "aaa authentication telnet console" configuration on your Admin context?

shailesh.h
Level 1

I think the problem could be:

>> For ASDM you might have enabled HTTPS access in AAA but might not have allowed it for the session from the switch. Maybe the switch IP is not allowed, or telnet / SSH is disallowed to the FWSM.

>> If you add the switch IP or SSH / telnet, you should be in a position to use the same username and password from the switch.

I am now able to switch to the FWSM using the "session slot no. pro 1" command. Once I log in using the TACACS username and password, I get the ">" prompt only. I need the enable password to get into the enable prompt. After that, when I change context to "admin", I get the error "Command authorization failed" for any command I issue. Please advise.

Looks like the ACS is configured with command authorization, and it is not allowing the commands that you type in.

You might want to check on the ACS server itself which commands are allowed.

AAA authorization has been enabled for ASDM/HTTP also, and I have no problem when clicking any button in ASDM. So it seems the command authorization for ASDM is OK. But why do I get the command issue in the CLI?

1. Hope you have the enable password and then got into privileged mode...

2. It might be possible that the privilege level for the username/password you are giving has limited privileges...

3. Checking the AAA database for the username / password and privilege level should solve your problem.

I just wonder why I need to enter the enable password after entering "username" and "password", as my user account already has privilege level 15. Also, when I try to SSH into the admin context, I get the ">" prompt after entering the username and password. After that, I try to change to enable mode. The password is always incorrect and the "enable" action fails (but I am pretty sure the password I type in is the same as the enable password configured).

With FWSM, after you are authenticated and in user prompt, to access the enable mode, you would need to type in "login" instead of "enable". It will prompt you to type in your TACACS username and password, and place you in enable mode as per your TACACS privileges.

Here is the URL for your reference:

http://www.cisco.com/en/US/docs/security/fwsm/fwsm41/configuration/guide/mgacc_f.html#wp1072206
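The sequence described above (authenticate, land at the ">" prompt, then use "login" rather than "enable" to reach privileged mode at the TACACS-assigned level) only works for each access path whose "aaa authentication ... console" line is present in the admin context. The configuration below is an added example and is not from the original thread or from Cisco's documentation: the server-group name, server address and shared key are constructed placeholders, and it assumes, as the FWSM configuration guide describes, that the "serial" keyword is the one covering a session opened from the switch supervisor.

```cisco
! Added example with constructed placeholders: TACACS+ AAA for the FWSM admin context
aaa-server TACACS-SRV protocol tacacs+
aaa-server TACACS-SRV (inside) host 192.0.2.10
 key EXAMPLE-SHARED-SECRET
!
! Authenticate every management path, not only HTTP/ASDM, with LOCAL fallback
! so a TACACS outage does not lock administrators out
aaa authentication http console TACACS-SRV LOCAL
aaa authentication ssh console TACACS-SRV LOCAL
aaa authentication telnet console TACACS-SRV LOCAL
! "serial" is the path used by "session slot N processor 1" from the switch
aaa authentication serial console TACACS-SRV LOCAL
aaa authentication enable console TACACS-SRV LOCAL
!
! Per-command authorization and accounting; "Command authorization failed" is
! what the FWSM reports when the ACS command set does not permit a command
aaa authorization command TACACS-SRV LOCAL
aaa accounting command TACACS-SRV
!
! Expected exchange once this is in place (prompts shown as comments):
!   Switch# session slot 3 processor 1
!   (TACACS username and password prompt from the serial line)
!   FWSM> login
!   (TACACS username and password again; privilege level comes from the TACACS reply)
!   FWSM#
```

If the ">" prompt is still reached but "login" fails, the TACACS privilege level returned for the account is what to verify on the ACS side, since that reply, not the local enable password, decides the level "login" grants.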

It's funny, but the enable password is required when accessing through the CLI, whereas it works fine with ASDM. You may reset the enable password using ASDM and then try from the CLI... it will definitely work.

With regards,

Shailesh

I had the same problem and it was solved by restarting the FWSM slot with the command: hw-module module N reset (N = slot number).
