06-20-2012 11:58 AM - edited 03-10-2019 07:12 PM
Hello all-
Having an issue with the ASA devices. Here is the relevant part of the configuration:
<aaa commands>
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (outside) host <host ip>
key <key>
aaa-server TACACS+ (outside) host <host2 ip>
key <key>
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authorization command TACACS+
The problem is that when we put the devices into the server database, we can use our TACACS+ accounts, but it only lets us into privilege level 1 and does not allow us to go to enable mode at all.
When we remove the devices from the server (thus attempting to fall back to local authentication) we can get in and into enable using the local admin password, but we can't do anything from the enable mode without getting the 'command authorization failed' message.
We have tried to go into the user definition on the ACS (v3.3) server and set the max privilege to 15, but it doesn't seem to have any effect.
Does anybody have any idea of what is happening?
06-20-2012 05:40 PM
What error are you getting on the ASA, access denied? Check the ACS logs under Reports and Activity > Failed Attempts. I'm sure you will be getting "enable privilege is too low".
If that's the case then edit the user or group database and set the enable privilege to 15 (not shell exec privilege).
The Enable Privilege option is set in the TACACS+ Advanced options.
Also, make sure that we're using an enable password defined on the TACACS+ server under user settings, because the enable password authentication is set for the TACACS+ server.
Regards,
Jatin
Do rate helpful posts-
06-22-2012 04:10 AM
Well well, I guess you are getting the lovely "enable 15" user account on ACS failed attempts for failed authorization.
So cool, ha :)
It is the ASA trying to force the authorization using that lovely account. What you need to overcome that is having the enable authentication done against the ACS itself.
By adding the following command on the ASA (enable authentication against TACACS+ with local fallback):
aaa authentication enable console TACACS+ LOCAL
On the ACS make sure that enable password authentication is enabled for the user.
There you have three options: either you use the same PAP password, or a separate one, or, if you are trying with a user defined on an external db, that user's password on the external db.
---------------------------------------------------------------------------
Please Don't Forget to rate correct answers
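A consolidated ASA AAA configuration covering both symptoms in the thread (TACACS+ users stuck at privilege 1 and unable to enter enable; local fallback hitting "command authorization failed"), added here as an example rather than taken from any of the posts above. The server tag, interface name, host addresses, key and the local username are placeholders or assumptions; the commands themselves are standard ASA syntax.

```cisco
! Added example, not from the original thread. Server tag, interface,
! host addresses, key and username are placeholders/assumptions.
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (outside) host <host ip>
 key <key>
aaa-server TACACS+ (outside) host <host2 ip>
 key <key>
!
! Local fallback account at privilege 15, so that when no ACS server
! answers the account can both enter enable and pass LOCAL command
! authorization instead of being locked out with "command authorization failed".
username admin password <local-password> privilege 15
!
! Login authentication: ACS first, local database only if no ACS server responds.
aaa authentication ssh console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication serial console LOCAL
!
! Enable authentication against ACS (with LOCAL fallback) instead of LOCAL only.
! The user's TACACS+ enable password and Enable Privilege (set to 15 under the
! TACACS+ Advanced options on ACS) then decide who may enter enable mode.
aaa authentication enable console TACACS+ LOCAL
!
! Optional (ASA 8.0(2) and later): apply the privilege level returned by the
! server to the exec session, so TACACS+ users do not land at privilege 1.
aaa authorization exec authentication-server
!
! Command authorization: ACS decides while reachable; fall back to the local
! privilege levels when every server in the group is unreachable.
aaa authorization command TACACS+ LOCAL
```

Two points worth keeping in mind when verifying this: the LOCAL keyword is a fallback, not a second opinion, so it is consulted only when no server in the group responds, and an explicit rejection from ACS (for example "enable privilege is too low") is honored as a denial. And command authorization should be turned on last, from a session that already has privilege 15, so that a mistake in the server-side command sets cannot lock the administrator out of the running configuration.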