
New Member

ASA System Context AAA authentication enable

Hello!

We have an ASA configured in multi-context mode, running software 8.4(2), configured for AAA.

The configuration in the admin context is as follows:

aaa-server TAC protocol tacacs+
aaa-server TAC (management) host 10.162.2.201
 key *****
aaa authentication enable console TAC LOCAL
aaa authentication http console TAC LOCAL
aaa authentication serial console TAC LOCAL
aaa authentication ssh console TAC LOCAL

Because of multiple contexts, after logging in we enter the system context. Console port authentication is working fine, except for access to privileged mode while connecting over the console port.

After issuing "enable" command ASA accepts only configured enable secret in system context and changes user ID to enable_15, so we are unable to do user-level command authorization and accounting.

It seems that ASA in system context is not aware of any AAA configuration, and there isn't any command to configure AAA in system context.

Is there any way to configure enable authentication over AAA in system context?

Thanks in advance!

3 REPLIES
Silver

ASA System Context AAA authentication enable

Hello,

It seems that you are hitting the following known issue:

http://tools.cisco.com/Support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsw18455

admin context enable mode credentials compared to system context DB


Symptom:

In multi-mode configuration, user credentials for entering privileged mode
(enable mode) via serial console are not sent to external server for
authentication purpose.

Conditions:

ASA/PIX is in multi-mode. Serial console and enable console authentication
are configured to use an external aaa server in the admin context.

Workaround:

Option 1: Configure enable password in system context.

Option 2: Avoid the use of the serial console interface and rely on telnet
or ssh console access.  From ssh or telnet consoles, attempts to enter
enabled mode will be authenticated as specified by the aaa configuration in
the "admin" context.


Further Problem Description:

When authentication is enabled for serial console and for enable console in
the admin context via an external aaa server (e.g. tacacs+ or radius), serial
console authentication is done against the external aaa server, but enable mode
credentials are compared against the enable db in the system context.

Hope this clarifies it. Unfortunately there is no fix yet for this behavior.

Regards.
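Added example, not code from the thread or from Cisco: a small Python audit that parses admin-context and system-context running-config text and flags the condition described in the bug note (serial console and enable authentication both pointing at an external aaa-server group in the admin context, with no enable password set in the system context). The regular expressions, function names and the system-context sample are my own assumptions; the admin-context sample mirrors the poster's lines with the key redacted.

```python
"""
Audit ASA admin/system context configs for the serial-console enable
authentication gap discussed in the thread (CSCsw18455).

Added example, not Cisco code. Sample configs below are constructed.
"""
import re

# Constructed sample: the admin-context lines from the thread, key redacted.
ADMIN_CONTEXT_CONFIG = """\
aaa-server TAC protocol tacacs+
aaa-server TAC (management) host 10.162.2.201
 key *****
aaa authentication enable console TAC LOCAL
aaa authentication http console TAC LOCAL
aaa authentication serial console TAC LOCAL
aaa authentication ssh console TAC LOCAL
"""

# Constructed sample: a system context with no 'enable password' line.
SYSTEM_CONTEXT_CONFIG = """\
mode multiple
hostname asa
admin-context admin
"""

# 'aaa-server <group> protocol <proto>' defines an external AAA server group.
AAA_SERVER_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)\s*$", re.M)
# 'aaa authentication <type> console <method> [<fallback>]'
AAA_AUTH_RE = re.compile(
    r"^aaa authentication (\S+) console (\S+)(?: (\S+))?\s*$", re.M)
# Presence check only: whether any 'enable password ...' line exists.
ENABLE_PW_RE = re.compile(r"^enable password \S+", re.M)


def external_aaa_groups(config):
    """Names of aaa-server groups defined in the config (all are external)."""
    return {name for name, _proto in AAA_SERVER_RE.findall(config)}


def console_auth_methods(config):
    """Map console type (serial, ssh, enable, ...) to its ordered method list."""
    methods = {}
    for ctype, primary, fallback in AAA_AUTH_RE.findall(config):
        methods[ctype] = [m for m in (primary, fallback) if m]
    return methods


def audit(admin_config, system_config):
    """Return a list of findings; an empty list means the gap does not apply."""
    groups = external_aaa_groups(admin_config)
    methods = console_auth_methods(admin_config)
    findings = []

    serial_external = any(m in groups for m in methods.get("serial", []))
    enable_external = any(m in groups for m in methods.get("enable", []))

    if serial_external and enable_external:
        findings.append(
            "serial console and enable authentication both use external AAA in "
            "the admin context: enable over the serial console is checked against "
            "the system context enable password, not the AAA server (CSCsw18455)")
        # Workaround 1 from the bug note is an enable password in the system
        # context; flag its absence. (This only tests that a line is present.)
        if not ENABLE_PW_RE.search(system_config):
            findings.append(
                "no 'enable password' in the system context: set one "
                "(workaround 1) or limit privileged access over the serial "
                "console and use ssh/telnet, where admin-context AAA applies "
                "(workaround 2)")
    return findings


if __name__ == "__main__":
    for finding in audit(ADMIN_CONTEXT_CONFIG, SYSTEM_CONTEXT_CONFIG):
        print("-", finding)
```

Feed it the output of `show running-config` from the admin context and from the system context; the audit reports nothing when the serial console method list does not include an external group, which is the state the bug note's second workaround leaves you in.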

New Member

ASA System Context AAA authentication enable

Hi

Thanks for the info.

I have used the referred workaround.

Thanks for the info

Silver

ASA System Context AAA authentication enable

Hello,

I am glad that the workaround worked for you. If you feel that the accurate answer was provided, please mark the thread as answered for future reference for our Community members.

Regards.
