

AAA problem in ASA

Hi All,

I had configured TACACS+ on the ASA, but the problem is that when I'm trying to telnet to it, it authenticates me with my username & password on ACS, but I can't move on to privilege level 15 as configured on ACS. It's asking me for the enable password and not taking the password that is on ACS. I have used Shell Authorization for privilege 15. The configuration done on the ASA is:

name 172.30.xx.xx ACS-1
name 172.30.yy.yy ACS-2
aaa-server tacacs+ protocol tacacs+
aaa-server tacacs+ host ACS-1
 key cisco
aaa-server tacacs+ host ACS-2
 key cisco
aaa authentication telnet console tacacs+ LOCAL
aaa authentication telnet console tacacs+ tacacs+
aaa authentication ssh console tacacs+ LOCAL
aaa authentication enable console tacacs+ LOCAL
enable password V3VzjwYzTRfTLwOb encrypted
username piyush password vkCzRtKCaNG.HI6s encrypted privilege 15
username ideanoc password S0qrUlXOHFcX7LCw encrypted privilege 15

I even added my username & password in the local database on the ASA, the same as on ACS. Still no progress....

Can anyone give a suggestion on the same?

Regards,

Piyush


Re: AAA problem in ASA

Piyush,

The ASA does not support exec authorization, so you will not fall directly into enable mode the way we do on routers/switches.

http://www.ciscotaccc.com/security/showcase?case=K25224726

But it should let you in using the enable password. In the ACS user setup, make sure you have the enable password defined and that you are using that password.

User Setup, Edit ---> TACACS+ Enable Password, and choose the option as per your need.

Regards,

~JG

Do rate helpful posts


Re: AAA problem in ASA

Tried doing the same, but that also doesn't help.

Do I need to give:

aaa accounting command privilege 15 tacacs+

to make it privilege 15?

Re: AAA problem in ASA

No, that command is for accounting.

Make sure you have Max Privilege for any AAA Client set to 15 in the ACS group setup.

Do we get any error in failed attempts?

Regards,

~JG

Do rate helpful posts


Re: AAA problem in ASA

Yeah, all that is done: level 15 is set in Shell (exec) in group setup & also in the Shell Command Authorization Set I provided full access...

And I can't find any logs in failed attempts, but can see authentication passed in the passed authentication logs..

The link which you had posted is for IOS ver 7.x, but I'm using 8.0(3).

Regards,

Piyush


Re: AAA problem in ASA

What I'm getting on telnet is:

User Access Verification
Username: piyush
Password: **********
Type help or '?' for a list of available commands.
ICL-PUN-PRIDC1-MPLS-5550ASA1> en
Password: **********
Password: **********
Password: **********
Access denied.
ICL-PUN-PRIDC1-MPLS-5550ASA1>
ICL-PUN-PRIDC1-MPLS-5550ASA1>

This might give you some idea.

Re: AAA problem in ASA

I'm not asking for shell priv level 15 but enable privilege. That should be set to 15 in ACS ---> User Setup ----> Enable Options ---> Max Privilege for any AAA Client --> 15
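To see why the ACS enable option (not the shell/exec privilege) is what matters here, this added Python example (not from the thread, Cisco, or ACS) builds and decodes the TACACS+ authentication START packet an ASA sends when you type "en": it carries authen_service=ENABLE and priv_lvl=15, which is the value the ACS "Max Privilege for any AAA Client" setting is compared against. The shared key cisco comes from the posted config; the session id, the port string and the simplified allow-check are constructed assumptions.

```python
import hashlib
import struct

# TACACS+ (RFC 8907) constants used by an authentication START packet
VERSION = 0xC0                   # major version 0xC, minor version 0
TAC_PLUS_AUTHEN = 0x01           # packet type: authentication
TAC_PLUS_AUTHEN_LOGIN = 0x01     # action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01   # "Username:" prompt at telnet/ssh login
TAC_PLUS_AUTHEN_SVC_ENABLE = 0x02  # the "en" request the ASA sends for enable mode

def pseudo_pad(session_id: int, key: bytes, version: int, seq_no: int, length: int) -> bytes:
    """Body obfuscation pad: chained MD5 over session_id, shared key, version, seq_no."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]

def build_authen_start(username: str, service: int, priv_lvl: int, key: bytes,
                       session_id: int, port: str = "telnet") -> bytes:
    """Header (12 bytes) + obfuscated START body; rem_addr and data left empty."""
    user, port_b = username.encode(), port.encode()
    body = struct.pack("!BBBBBBBB", TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                       service, len(user), len(port_b), 0, 0) + user + port_b
    header = struct.pack("!BBBBII", VERSION, TAC_PLUS_AUTHEN, 1, 0, session_id, len(body))
    pad = pseudo_pad(session_id, key, VERSION, 1, len(body))
    return header + bytes(a ^ b for a, b in zip(body, pad))

def parse_authen_start(packet: bytes, key: bytes) -> dict:
    """Undo the pad with the same key and pull out the fields ACS evaluates."""
    version, _ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBBII", packet[:12])
    pad = pseudo_pad(session_id, key, version, seq_no, length)
    body = bytes(a ^ b for a, b in zip(packet[12:12 + length], pad))
    action, priv_lvl, _atype, service, ulen, _plen, _rlen, _dlen = struct.unpack("!BBBBBBBB", body[:8])
    return {"action": action, "priv_lvl": priv_lvl, "service": service,
            "user": body[8:8 + ulen].decode()}

def enable_request_allowed(req: dict, max_priv_for_aaa_client: int) -> bool:
    """Simplified model (assumption) of the ACS check: an ENABLE request for priv_lvl
    above the user's 'Max Privilege for any AAA Client' is refused."""
    return req["service"] == TAC_PLUS_AUTHEN_SVC_ENABLE and req["priv_lvl"] <= max_priv_for_aaa_client

if __name__ == "__main__":
    pkt = build_authen_start("piyush", TAC_PLUS_AUTHEN_SVC_ENABLE, 15, b"cisco", 0x1234ABCD)
    req = parse_authen_start(pkt, b"cisco")
    print(req, "allowed with max 15:", enable_request_allowed(req, 15),
          "allowed with max 1:", enable_request_allowed(req, 1))
```

With the ACS maximum left below 15 the modelled check fails, which matches the repeated "Password:" prompts and "Access denied." seen in the telnet session above.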


Re: AAA problem in ASA

Oh, got that.... and that worked, man... thanks a lot.
