Cisco ASA TACACS+ enable mode not working

Answered Question
Jan 6th, 2014
Hi,


I am configuring an ASA 8.4 with TACACS+ using the CLI configuration below. I can only successfully log in to the USER MODE of the ASA via TACACS+, but I am unable to get to the enable mode of the ASA via TACACS+. Also, the ASA is not falling back to the local enable password either.


Also, I can successfully run "test aaa authentication TACACS+ username abc password password1", which returns:

INFO: Authentication Successful


From the same ACS, TACACS+ works for both user mode and enable mode on routers/switches.


Current ASA CLI
~~~~~~~~~~~~~

username [ENTER USERNAME HERE] password [ENTER ADMIN PASSWORD HERE] privilege 15
enable password [ENTER ENABLE MODE PASSWORD HERE]

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host [ENTER TACACS+ SERVER IP ADDRESS HERE] [ENTER SECRET KEY HERE] timeout 10

aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL

aaa accounting enable console TACACS+
aaa accounting ssh console TACACS+

Collin Clark Mon, 01/06/2014 - 14:15

What does the CLI return after you enter the password for enable mode? What does it say in the logs on the TACACS+ server?

Correct Answer
Julio Carvajal Mon, 01/06/2014 - 17:04

Hey Rizwan,


What ACS version are you running??


Make sure you have defined the username with a static privilege level of 15; otherwise it will not be able to pass the enable authentication.


If you are on ACS 5.x or higher, go to the policy elements: Shell Profile, and make sure you have one assigned with a static maximum privilege of 15 and, most importantly, that it is applied to an access-policy rule.



Looking for some Networking Assistance? 
Contact me directly at [email protected]

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

rizwan555 Fri, 01/10/2014 - 08:36
Hi,


Thanks for the assistance. The issue of logging in to enable mode via TACACS+ credentials is resolved as per your advice: I found that as soon as I configure ACS User Setup -> Advanced TACACS+ Settings -> Max Privilege for any AAA Client -> 15 instead of "Use Group Level Setting" (which is privilege 15 anyway), I can log in to the firewall enable mode via TACACS+ successfully.


Now the problem is that if I turn off the ACS, I can successfully log in to the firewall user mode via the fallback local credentials of the username/password below, but I can only log in to enable mode via the password user123; I am unable to log in to enable mode via the enable password, i.e. password2.


Configurations:

username user1 password user123 privilege 15
enable password password2

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host 10.10.10.10
 key abc123

aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL

aaa accounting enable console TACACS+
aaa accounting ssh console TACACS+

Problem:

Test-ASA> en
Password: password2
Password:
Password: user123
Test-ASA#

Correct Answer
Julio Carvajal Fri, 01/10/2014 - 08:52

Hello,


Glad to know that I could help (Remember to mark the question as answered as that was the main topic of this ticket)


Now, moving to the new issue.


aaa authentication enable console TACACS+ LOCAL


This basically tells the ASA to use the local username and password database, not the enable password.


If you want to authenticate using the locally configured enable password, just remove

aaa authentication enable console TACACS+ LOCAL


And you will always authenticate using the locally configured password.


This is different from an IOS device, which provides the option to use the enable database on the router itself when authenticating.



Looking for some Networking Assistance? 
Contact me directly at [email protected]

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com
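The fallback behaviour explained in the answer above, expressed as a small configuration audit (an added example, not code from the thread or from Cisco). It parses the posted ASA lines and reports which credential the "enable" prompt falls back to when the TACACS+ server is down, plus the checks a reviewer would want: a LOCAL fallback on every console method, a privilege-15 local user behind that fallback, and an "enable password" that is configured but not the one being checked. The sample configuration is constructed from the thread's placeholder values.

```python
import re

# Constructed sample: the relevant lines of the configuration posted in this
# thread (placeholder values, not a real deployment).
SAMPLE_CONFIG = """
username user1 password user123 privilege 15
enable password password2
aaa-server TACACS+ (inside) host 10.10.10.10
aaa authentication ssh console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting enable console TACACS+
"""

AUTH_RE = re.compile(r"^aaa authentication (\S+) console (.+)$")
USER_RE = re.compile(r"^username (\S+) .*\bprivilege (\d+)")

def parse_auth(config):
    """Map each 'aaa authentication <service> console' line to its method list."""
    methods = {}
    for line in config.splitlines():
        m = AUTH_RE.match(line.strip())
        if m:
            methods[m.group(1)] = m.group(2).split()
    return methods

def enable_fallback(config):
    """Credential checked at 'enable' when TACACS+ is unreachable, per the answer
    above: LOCAL means the local username database; no line means 'enable password'."""
    methods = parse_auth(config).get("enable")
    if methods is None:
        return "enable password"
    return "local username database" if "LOCAL" in methods else "no local fallback"

def audit(config):
    """Findings a reviewer would raise before relying on the fallback path."""
    findings = []
    auth = parse_auth(config)
    for service in ("ssh", "http", "telnet", "enable"):
        if service in auth and "LOCAL" not in auth[service]:
            findings.append(f"{service}: no LOCAL fallback, lockout if TACACS+ is down")
    users = [USER_RE.match(ln.strip()) for ln in config.splitlines()]
    if "LOCAL" in auth.get("enable", []) and not any(m and m.group(2) == "15" for m in users):
        findings.append("enable falls back to LOCAL but no privilege-15 user exists")
    if "enable" in auth and re.search(r"^enable password ", config, re.M):
        findings.append("'enable password' is set but unused while "
                        "'aaa authentication enable console' is configured")
    return findings
```

Running audit(SAMPLE_CONFIG) on the thread's configuration produces exactly the finding Julio describes: the enable password is present but never consulted while the aaa enable line is configured.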

rizwan555 Wed, 02/05/2014 - 06:33
Hi,


I thought I would keep the discussion on the same page as it is very much related to it.


Please advise whether the timers I have added below follow Cisco best practices or not. Also, what is the function of the commands below, and do you recommend adding them or not?


aaa-server TACACS+ protocol tacacs+
 reactivation-mode timed

~~~~~~~~~~~Please advise timers in below aaa commands~~~~~~~~~~~~~~~~~~~~

username user1 password user123 privilege 15
enable password password2

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host 10.10.10.10
 timeout 6
 key abc123
aaa-server TACACS+ (inside) host 10.10.20.10
 timeout 6
 key abc123

aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL

aaa accounting enable console TACACS+
aaa accounting ssh console TACACS+

sreeharsha.kamisetty Thu, 11/17/2016 - 06:34
Hello Rizwan,


Thanks for the post. I had a similar situation but tried all the possible solutions. Your post was giving me some hope to resolve this issue, but I am not able to find the exact settings on ACS as per your navigation. Can you please let me know the version of ACS on which you figured it out?

ACS User Setup -> Advanced TACACS+ Settings -> Max Privilege for any AAA Client -> 15


Regards,

Sreeharsha
