ASA local login account w/ radius server

Answered Question
Feb 28th, 2014
I have my ASA configured with a local account and it points to a radius server acting as a 2 factor token server. I can't get the local account to work if the ASA sees the radius server active. I can get this to work on any Cisco router or switch.


Anyone know how to do this?


Ron


Sent from Cisco Technical Support iPhone App

Jatin Katyal Sat, 03/01/2014 - 12:34

Ronald,


I'm unsure how the local account would work on the ASA while RADIUS is up and running. However, on the switches/routers you may use the below listed command. Use this command with the local method keyword specified first so that Cisco IOS will use the local username database for authentication in the first place. If the username is not there, it will then query the RADIUS server.


(config)#aaa authentication login default local group radius


Make local first for authorization also, if required.


Before you execute the above command please create a local username/password with suitable privileges on the IOS (should be level 15 for admin).



~BR
Jatin Katyal


**Do rate helpful posts**

Ronald Nutter Sat, 03/01/2014 - 13:03
The ASA is what I am asking about. I have the local account working with the routers and switches. That hasn't been a problem. ASAs are a little different. In the past, as soon as the ASA sees a RADIUS or TACACS host, it won't use the local account anymore until the RADIUS or TACACS server it has been configured for is not responding.


What I am looking for is any configuration that anyone has used on an ASA that allows the local account to continue to be used EVEN IF a RADIUS or TACACS server has been configured for authentication. I have a manager swearing he has done this in the past but has yet to produce a configuration that substantiates this.

Jatin Katyal Sat, 03/01/2014 - 15:26

I don't think this can be done on the ASA.



~BR
Jatin Katyal

**Do rate helpful posts**

Ronald Nutter Sat, 03/01/2014 - 15:38
That is what I am expecting to find. My manager wants to see something in print from Cisco saying this won't work. You just can't please some people. I have been looking over the latest code version for the ASA and don't see anything different here.


The only thing I can see is to drop the timeout interval as low as possible to get a failed AAA server marked unused as soon as possible. Haven't been able to find anything more promising than that.


Ron
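An added configuration example (not from the thread or from Cisco's documentation) putting the two behaviours side by side: the IOS method list from Jatin's post above, where the local database is consulted first, and the ASA equivalent, where the command syntax only accepts a server group optionally followed by LOCAL, so LOCAL is reached only once every server in the group has been marked failed. The per-host timeout and the group dead time are the knobs Ron refers to for getting a failed server declared dead sooner. Group name, server address and key values are placeholders.

```text
! --- IOS router/switch: local database is tried FIRST; RADIUS is queried
! --- only when the username does not exist locally (a wrong password for
! --- an existing local user is a FAIL and stops the method list).
aaa new-model
username admin privilege 15 secret <LOCAL_PASSWORD_PLACEHOLDER>
radius server TOKEN_SRV
 address ipv4 10.0.0.5 auth-port 1812 acct-port 1813
 key <RADIUS_KEY_PLACEHOLDER>
aaa group server radius RADIUS_GRP
 server name TOKEN_SRV
aaa authentication login default local group RADIUS_GRP
aaa authorization exec default local group RADIUS_GRP
!
! --- ASA: the method list accepts only "server_group [LOCAL]" or "LOCAL"
! --- by itself. LOCAL placed after a group is fallback only: it is used
! --- once every server in RADIUS_GRP has been marked failed.
username admin password <LOCAL_PASSWORD_PLACEHOLDER> privilege 15
aaa-server RADIUS_GRP protocol radius
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
aaa-server RADIUS_GRP (inside) host 10.0.0.5
 key <RADIUS_KEY_PLACEHOLDER>
 timeout 5
aaa authentication ssh console RADIUS_GRP LOCAL
aaa authentication enable console RADIUS_GRP LOCAL
```

With the ASA values above, a host that does not answer within 5 seconds counts as one failed attempt; after 3 failures the server is marked failed, and with every server in the group failed the LOCAL method is used until the 10-minute dead time expires.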

Jatin Katyal Mon, 03/03/2014 - 09:50

Ronald,


I can understand. Let me dig and see if I can find out something on this matter.



~BR
Jatin Katyal

**Do rate helpful posts**

Ronald Nutter Mon, 03/03/2014 - 16:16
Thanks for the help on this. I have tried this up to and including ver 9.1 on the ASA. As long as it sees an active auth server, whether it is RADIUS or TACACS, the local account can't be used until the auth server it is configured for isn't active.


You can do this on a router or switch IOS but not on the ASA. It would be nice if you could consistently do it across all platforms.


Ron

Correct Answer
Jatin Katyal Sat, 03/08/2014 - 20:18

Hi Ronald,

I was looking around for a document on your query regarding the ASA local database. However, there is no specific document on this.

The only thing I could find is the below listed link but I guess you've already read that.

The local database supports the following fallback functions:

Console and enable password authentication—If the servers in the group are all unavailable, the ASA uses the local database to authenticate administrative access, which can also include enable password authentication.

Command authorization—If the TACACS+ servers in the group are all unavailable, the local database is used to authorize commands based on privilege levels.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa84/configuration/gu...


~BR

Jatin Katyal

**Do rate helpful posts**

Ronald Nutter Mon, 03/10/2014 - 06:35
Thanks for your help on this.  Unfortunately my manager still insists that this can be done.

Yes, I have read the document that you listed and several others. I have worked with ASAs for 10 years now and never had this work any other way than what I have found.

Thanks,

Ron

kaaftab Mon, 03/03/2014 - 00:31

Well, the basic authentication method remains the same throughout the Cisco devices, but it would be better if you could share the configuration with us.

Ronald Nutter Mon, 03/03/2014 - 16:20
I will have to respectfully disagree with you. While you can have a local account and use it on routers and switches while an authentication server is active, the same is not the case on the ASA.


I have yet to find an AAA configuration available from Cisco's website or any other that allows the local account to be active at the same time an AAA server is active.


I have tried all of the configurations available from several tech notes/pubs on Cisco's website and haven't found a configuration that will do this on the ASA.
