enable authentication for ASA

Aug 6th, 2010
hi,


I'm working on AAA authentication for an ASA (ASA 8.0(3) version) box through a TACACS+ server in ACS (4.2 version). The setup I'm working on includes several users in 3 classes: senior (privilege level 15), junior (privilege level 7) and monitoring (privilege level 0). User authentication and command authorization are working fine; however, I'm having problems with enable authentication.


When a user of the junior class tries to authenticate the enable password, the authentication fails, according to the ACS's log "Tacacs+ enable privilege too low"; however, the privilege level in ACS for this class is set to level 7. Checking with a sniffer, I have found out that the TACACS+ message for authentication sent by the ASA is setting the privilege level as level 15, as you can see in the attached screenshot. Of course, if the ASA is trying to authenticate enable for level 15, the authentication will fail according to the user's current level. I have local authentication configured in the ASA and it works fine, including enable authentication.


Has anyone had any issue with this, or have any idea how to resolve it?


Thanks all for your replies.

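To check exactly what the ASA puts in the enable request, as the sniffer capture above shows, here is an added decoder for a TACACS+ authentication START packet (example code, not from the original post or from Cisco). The field layout follows the TACACS+ protocol as published in RFC 8907; the shared key, session id and sample user are constructed for illustration.

```python
"""Decode a TACACS+ authentication START packet and report the privilege
level and service it asks for (layout per RFC 8907; key/sample constructed)."""
import hashlib
import struct

TAC_PLUS_AUTHEN = 0x01            # header type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body is cleartext when set
AUTHEN_SERVICES = {0: "none", 1: "login", 2: "enable", 3: "ppp"}


def _pad(session_id: bytes, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Obfuscation pseudo-pad: chained MD5 over session id, key, version, seq_no."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def _xor(body: bytes, pad: bytes) -> bytes:
    return bytes(b ^ p for b, p in zip(body, pad))


def parse_authen_start(packet: bytes, key: bytes = b"") -> dict:
    """Return the START fields; de-obfuscates the body with the shared key."""
    version, ptype, seq_no, flags = struct.unpack("!BBBB", packet[:4])
    session_id = packet[4:8]
    length = struct.unpack("!I", packet[8:12])[0]
    if ptype != TAC_PLUS_AUTHEN:
        raise ValueError("not an authentication packet")
    body = packet[12:12 + length]
    if len(body) != length:
        raise ValueError("truncated body")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = _xor(body, _pad(session_id, key, version, seq_no, length))
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = struct.unpack("!8B", body[:8])
    off = 8
    user, port = body[off:off + ulen].decode(), body[off + ulen:off + ulen + plen].decode()
    return {"priv_lvl": priv_lvl, "service": AUTHEN_SERVICES.get(service, service),
            "user": user, "port": port}


def build_authen_start(user: str, priv_lvl: int, service: int, key: bytes) -> bytes:
    """Build an obfuscated START packet as a stand-in for a capture (constructed)."""
    body = bytes([1, priv_lvl, 1, service, len(user), 3, 0, 0]) + user.encode() + b"tty"
    session_id, version, seq_no = b"\x12\x34\x56\x78", 0xC0, 1
    body = _xor(body, _pad(session_id, key, version, seq_no, len(body)))
    header = struct.pack("!BBBB", version, TAC_PLUS_AUTHEN, seq_no, 0)
    return header + session_id + struct.pack("!I", len(body)) + body
```

Feeding a real capture's bytes and the server key to `parse_authen_start` shows whether the request carries the user's configured level or level 15, which is what ACS compares when it logs "enable privilege too low".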
rochopra Wed, 08/11/2010 - 05:16
Cisco Employee

Seems like you might be hitting bug CSCsh66748.


Hope you have tried the "enable " command to enter enable mode for specific users.


BTW, why are you using different privileges for enable when you already have command authorization in place?


Regards

Rohit
