AAA problem in ASA

piyush_singh
Level 1

Hi All,

I had configured TACACS+ on the ASA, but the problem is that when I try to telnet to it, it authenticates me with my username and password on ACS, but I can't move to privilege level 15 as configured on ACS. It asks me for the enable password and does not accept the password that is on ACS. I have used Shell Authorization for privilege 15. The configuration done on the ASA is:

name 172.30.xx.xx ACS-1
name 172.30.yy.yy ACS-2
aaa-server tacacs+ protocol tacacs+
aaa-server tacacs+ host ACS-1
key cisco
aaa-server tacacs+ host ACS-2
key cisco
aaa authentication telnet console tacacs+ LOCAL
aaa authentication telnet console tacacs+ tacacs+
aaa authentication ssh console tacacs+ LOCAL
aaa authentication enable console tacacs+ LOCAL
enable password V3VzjwYzTRfTLwOb encrypted
username piyush password vkCzRtKCaNG.HI6s encrypted privilege 15
username ideanoc password S0qrUlXOHFcX7LCw encrypted privilege 15

I even added my username and password to the local database on the ASA, the same as on ACS. Still no progress....

Can anyone give a suggestion on this?

Regards,

Piyush


7 Replies

Jagdeep Gambhir
Level 10

Piyush,

The ASA does not support exec authorization, so you will not land directly in enable mode the way we do on routers/switches.

http://www.ciscotaccc.com/security/showcase?case=K25224726

But it should let you in using the enable password. In the ACS user setup, make sure you have an enable password defined and that you are using that password.

User Setup ---> Edit ---> TACACS+ Enable Password, and choose the option as per your need.

Regards,

~JG

Do rate helpful posts

I tried doing the same, but that also doesn't help.

Do I need to give:

aaa accounting command privilege 15 tacacs+

to make it privilege 15?

No, that command is for accounting.

Make sure Max Privilege for any AAA Client is set to 15 in the ACS group setup.

Do you get any error in Failed Attempts?

Regards,

~JG


Yes, all that is done. Level 15 is set in Shell (exec) in the group setup, and in the Shell Command Authorization Set I also provided full access...

And I can't find any logs in Failed Attempts, but I can see the authentication passed in the Passed Authentications logs.

The link which you had posted is for IOS ver 7.x, but I'm using 8.0(3).

Regards,

Piyush

What I'm getting on telnet is:

User Access Verification
Username: piyush
Password: **********
Type help or '?' for a list of available commands.
ICL-PUN-PRIDC1-MPLS-5550ASA1> en
Password: **********
Password: **********
Password: **********
Access denied.
ICL-PUN-PRIDC1-MPLS-5550ASA1>
ICL-PUN-PRIDC1-MPLS-5550ASA1>

This might give you some idea.

(Accepted solution)

I'm not asking for shell privilege level 15 but for the enable privilege. That should be set to 15 in ACS ---> User Setup ---> Enable Options ---> Max Privilege for any AAA Client ---> 15.

Oh, got it... and that worked, man... thanks a lot.
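For reference, here is how the pieces discussed in this thread fit together on the ASA side. This is an added example, not configuration taken from the original post or from Cisco documentation; the server-group tag ACS, the addresses 172.30.xx.xx and 172.30.yy.yy (kept as masked in the post), the username admin and every value in angle brackets are placeholders, and lines starting with "!" are comments for the reader, not ASA commands. The two points the thread turned on: when "aaa authentication enable console" points at a TACACS+ group, typing "en" makes the ASA send a second TACACS+ authentication request for the already logged-in username with service=enable, so ACS must hold a TACACS+ enable password for that user and allow Max Privilege for any AAA Client = 15; and the trailing LOCAL keyword is a fallback that is used only when every server in the group is unreachable, not when ACS answers with a reject, which is why a local privilege-15 account did not help here.

```text
! Server group with an explicit tag instead of reusing the protocol keyword as the name.
aaa-server ACS protocol tacacs+
aaa-server ACS host 172.30.xx.xx
 key cisco
aaa-server ACS host 172.30.yy.yy
 key cisco
!
! Login authentication. LOCAL is consulted only if all ACS hosts are unreachable.
aaa authentication telnet console ACS LOCAL
aaa authentication ssh console ACS LOCAL
!
! "enable" triggers a second TACACS+ authentication (service=enable) for the logged-in user.
! Without a TACACS+ enable password and Max Privilege 15 for the user on ACS, the ASA
! prints "Access denied", exactly as in the transcript above.
aaa authentication enable console ACS LOCAL
!
! Local privilege-15 account and enable password, used only in the fallback case.
username admin password <local-password> privilege 15
enable password <local-enable-password>
!
! Verification from the ASA CLI before testing through telnet/SSH:
show aaa-server ACS
test aaa-server authentication ACS host 172.30.xx.xx username piyush password <acs-password>
debug tacacs
```

"test aaa-server authentication" exercises the server group directly and reports whether the server accepted, rejected, or never answered, which separates an ACS policy problem (reject, so check Failed Attempts and the enable settings on the user) from a reachability or shared-key problem (no answer, in which case LOCAL would have been consulted). If the goal is to land at privilege 15 directly without typing "en", ASA releases from 8.0(2) onward also offer "aaa authorization exec authentication-server", which applies the privilege level returned by the TACACS+ server; verify it against the command reference for your release before relying on it, since it is not what the thread above used.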
