Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
16935
Views
5
Helpful
12
Replies

ACS - ASA Authorization and Accounting

Go to solution
eng.malak
Level 1
Level 1

‎06-25-2012 03:02 PM - edited ‎03-10-2019 07:14 PM

Hi

I have some questions regarding authorization and accounting on ASA via ACS server

    1. when I enable the command "aaa authorization       command " to control SSH users commands  I get locked out on       console then i have to configure the console , telnet , and enable to be       authenticated via tacacs too , is there any way to authorize SSH via       tacacs while keeping Console and telnet authenticated locally or even no       authentication ?
    2. i issued  accounting command "aaa accounting       command TAC" on ASA but i noticed that the ACS just logs commands in       configuration mod "privilege 15 " not any show command or       privilege 1 , is there any way to fix this ?
    3. does RADIUS support SHELL authorization ?

thanks for your support

Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎06-26-2012 05:07 AM

1.] Unfortunately, there currently isn't any way to exclude command authorization from the  serial/ console or ssh users while having it apply to other access methods in case of ASA. Once you issue this command, it would be applicable for ALL methods like ssh,telnet,enable,http and console. This can be easily achieved in IOS (routers and switches) by creating a method list.

2.] When you configure the aaa accounting command command, each command other than  show commands entered by an administrator is recorded and sent to the accounting server or servers. This is a default behaviour on ASA. IOS does send/record all show commands on ACS/Tacacs.

http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/a1.html

Regards,

Jatin

Do rate helpful posts-

~Jatin

View solution in original post

Go to solution
Omdatta pawar
Level 1
Level 1

‎07-29-2012 11:28 PM

When you login on the device using console , the console user is "enable_15", if your console is lock due to authorization. Create user "enable_15" on ACS server with level 15 access. Also create a eanable_15 as local user too. This is way u will be able to access the device through console, no matter ACS is availabel or not.

View solution in original post

0 Helpful
12 Replies 12

Go to solution
Amjad Abdullah
VIP Alumni
VIP Alumni

‎06-25-2012 11:36 PM

Hi,

1-)

You allow your username (or your group) full access in authorization in ACS server. Then you can fully configure your device. After finishing the device you can restrict access back to same user or group.

Do not use the comand "aaa authorization console".

Make sure that the configuration under the "line console 0" is no configured for AAA.

2-)

make sure to configure all levels for accounting.

aaa cccounting comands 0 start-stop group

aaa cccounting comands 1 start-stop group

aaa cccounting comands 15 start-stop group

I think so far you only applied level 15.

3-)

RADIUS does not support shell authorization. This is only supported via TACACS+.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"
0 Helpful

Go to solution
eng.malak
Level 1
Level 1
In response to Amjad Abdullah

‎06-25-2012 11:44 PM

Thanks Amjad for your reply

regarding point 1&2 i meant the authorization and accounting on the ASA not the IOS , thanks for point 3

0 Helpful

Go to solution
Amjad Abdullah
VIP Alumni
VIP Alumni
In response to eng.malak

‎06-25-2012 11:54 PM

Yup I understand it is on ASA. I never worked with ASA but I think they are almost the same from command line and you can access console and vty lines, no?

Rating useful replies is more useful than saying "Thank you"
0 Helpful

Go to solution
eng.malak
Level 1
Level 1
In response to Amjad Abdullah

‎06-25-2012 11:59 PM

Unfortunately no , authorization is totally diffrent on ASA .

0 Helpful

Go to solution
Amjad Abdullah
VIP Alumni
VIP Alumni
In response to eng.malak

‎06-26-2012 12:17 AM

Sorry for that.

Looking for the config guides I found that you may locally in ASA apply authorization levels to the users authenticating via local DB or via radius!

Here is the link. I hope you find it useful:  http://www.cisco.com/en/US/docs/security/asa/asa81/config/guide/mgaccess.html#wp1072168

Provide necessary level to the user you are logging with so that enablign authorization still authorize you with the commands you need.

HTH

Amjad

Rating useful replies is more useful than saying "Thank you"
0 Helpful

Go to solution
Kn1ghtR1d3rOfD00m
Level 1
Level 1
In response to eng.malak

‎04-01-2017 05:07 PM

hey eng.malak, 

were the steps above by creating a locallly user on the asa solved the problem? I have the same problem. havent tried yet, but I will do it on Monday.

0 Helpful

Go to solution
Jatin Katyal
Cisco Employee
Cisco Employee

‎06-26-2012 05:07 AM

1.] Unfortunately, there currently isn't any way to exclude command authorization from the  serial/ console or ssh users while having it apply to other access methods in case of ASA. Once you issue this command, it would be applicable for ALL methods like ssh,telnet,enable,http and console. This can be easily achieved in IOS (routers and switches) by creating a method list.

2.] When you configure the aaa accounting command command, each command other than  show commands entered by an administrator is recorded and sent to the accounting server or servers. This is a default behaviour on ASA. IOS does send/record all show commands on ACS/Tacacs.

http://www.cisco.com/en/US/docs/security/asa/asa81/command/ref/a1.html

Regards,

Jatin

Do rate helpful posts-

~Jatin

Go to solution
eng.malak
Level 1
Level 1
In response to Jatin Katyal

‎10-10-2012 04:07 AM

hi

i configure the ASA as below but still ACS doesn't log for priv.1 commands m any idea ?

aaa authentication telnet console TAC

aaa authentication serial console TAC

aaa authentication enable console TAC

aaa authorization command TAC

aaa accounting telnet console TAC

aaa accounting command TAC

aaa accounting enable console TAC

aaa authorization exec authentication-server

0 Helpful

Go to solution
Omdatta pawar
Level 1
Level 1
In response to Jatin Katyal

‎10-10-2012 04:31 AM

create user on ASA with level 15 access, by default ASA create user with level 7 access.

And apply a below command on ASA

aaa-server TAC protocol tacacs+

aaa-server TAC (outside) host

aaa-server TAC (outside) host

aaa authentication ssh console TAC LOCAL

aaa authentication enable console TAC LOCAL

aaa authentication http console TAC LOCAL

aaa authorization command TAC LOCAL

aaa accounting ssh console TAC

aaa accounting enable console TAC

aaa accounting command TAC

0 Helpful

Go to solution
eng.malak
Level 1
Level 1
In response to Omdatta pawar

‎10-10-2012 04:42 AM

i'm sure that i'm useing priv.15 user as below

ASA1# sh curpriv

Username : fwuser1

Current privilege level : 15

Current Mode/s : P_PRIV

ASA1#

but unfortunately still not working

0 Helpful

Go to solution
Omdatta pawar
Level 1
Level 1
In response to Omdatta pawar

‎10-10-2012 04:53 AM

user  "fwuser1" is tacacs or local user?

Check is tacacs rechable?

0 Helpful

Go to solution
Omdatta pawar
Level 1
Level 1

‎07-29-2012 11:28 PM

When you login on the device using console , the console user is "enable_15", if your console is lock due to authorization. Create user "enable_15" on ACS server with level 15 access. Also create a eanable_15 as local user too. This is way u will be able to access the device through console, no matter ACS is availabel or not.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents