Configuring ASA w/8.2(1) to work with ACS 3.3- enable issues.

russelljensen
Level 1

Hello all-


Having an issue with the ASA devices. Here is the relevant part of the configuration:


<aaa commands>

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (outside) host <host ip>
key <key>
aaa-server TACACS+ (outside) host <host2 ip>
key <key>
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authorization command TACACS+


The problem is that when we put the devices into the server database, we can use our TACACS+ accounts, but it only lets us into privilege level 1 and does not allow us to go to enable mode at all.


When we remove the devices from the server (thus attempting to fall back to local authentication) we can get in and into enable using the local admin password, but we can't do anything from the enable mode without getting the 'command authorization failed' message.


We have tried to go into the user definition on the ACS (v3.3) server and set the max privilege to 15, but it doesn't seem to have any effect.


Does anybody have any idea of what is happening?

2 Replies

Jatin Katyal
Cisco Employee

What error are you getting on the ASA, access denied? Check the ACS logs under || reports and activities || failed authentication. I'm sure you will be getting "enable privilege is too low".

If that's the case then edit the user or group database and set the enable privilege to 15 (not shell exec privilege).

The Enable Privilege option is set in the TACACS+ Advanced options.

Also, make sure that we're using an enable password defined on the TACACS server under user settings, because the enable password authentication is set for the TACACS server.

Regards,

Jatin

Do rate helpful posts-

~Jatin

maldehne
Cisco Employee

Well well, I guess you are getting the lovely "enable 15" user account on the ACS failed attempts for failed authorization.

so cool ha:)

It is the ASA trying to force the authorization using that lovely account. What you need to overcome that is having the enable authentication done against the ACS itself.

By adding the following command on the ASA:

aaa authentication enable console TACACS+ LOCAL

On the ACS, make sure that enable password authentication is enabled for the user.

There you have three options: either you use the same PAP password, or a separate one, or, if you are trying with a user defined on an external DB, that user's password on the external DB.

---------------------------------------------------------------------------

Please Don't Forget to rate correct answers
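Both replies above come down to the same inconsistency in the poster's method lists: login (ssh/http) is authenticated by the TACACS+ group, but enable is LOCAL-only and command authorization is TACACS+ with no LOCAL fallback, which is exactly what produces the "stuck at privilege 1" and "command authorization failed" symptoms described. The script below is an added example (not from the thread, not Cisco's or ACS's code) that parses ASA 8.x `aaa` lines and flags those two mismatches, plus a reference to an undefined server group. The finding codes, the `audit` function and the corrected configuration (`aaa authentication enable console TACACS+ LOCAL`, `aaa authorization command TACACS+ LOCAL`) are this example's own assumptions, chosen to match the fixes suggested in the replies; the sample configurations are constructed and keep the poster's `<host ip>` / `<key>` placeholders.

```python
"""Audit ASA 8.x AAA method lists for the enable / command-authorization mismatch.

Added example, not code from the thread. Finding codes and messages are
this script's own; the config text is constructed from the poster's snippet.
"""
import re
from dataclasses import dataclass, field

# Constructed copy of the poster's relevant configuration (placeholders kept).
SAMPLE_CONFIG = """
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (outside) host <host ip>
 key <key>
aaa-server TACACS+ (outside) host <host2 ip>
 key <key>
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authorization command TACACS+
"""

# Constructed corrected version reflecting the replies: enable goes to the
# TACACS+ group first, and command authorization keeps a LOCAL fallback.
FIXED_CONFIG = SAMPLE_CONFIG.replace(
    "aaa authentication enable console LOCAL",
    "aaa authentication enable console TACACS+ LOCAL",
).replace(
    "aaa authorization command TACACS+",
    "aaa authorization command TACACS+ LOCAL",
)

LOGIN_SERVICES = ("ssh", "telnet", "http", "serial")


@dataclass
class AaaConfig:
    server_groups: dict = field(default_factory=dict)   # tag -> protocol
    authentication: dict = field(default_factory=dict)  # service -> methods
    command_authz: list = field(default_factory=list)   # methods


def parse_asa_aaa(text: str) -> AaaConfig:
    """Pick out the three AAA statement kinds this audit cares about."""
    cfg = AaaConfig()
    for raw in text.splitlines():
        line = raw.strip()
        m = re.match(r"aaa-server (\S+) protocol (\S+)$", line)
        if m:
            cfg.server_groups[m.group(1)] = m.group(2)
            continue
        m = re.match(r"aaa authentication (\S+) console (.+)$", line)
        if m:
            cfg.authentication[m.group(1)] = m.group(2).split()
            continue
        m = re.match(r"aaa authorization command (.+)$", line)
        if m:
            cfg.command_authz = m.group(1).split()
    return cfg


def audit(cfg: AaaConfig) -> list:
    """Return (code, message) findings; an empty list means consistent lists."""
    findings = []
    enable_methods = cfg.authentication.get("enable", [])

    # Every non-LOCAL method must name a defined aaa-server group.
    all_methods = [m for ms in cfg.authentication.values() for m in ms]
    for grp in sorted({m for m in all_methods + cfg.command_authz if m != "LOCAL"}):
        if grp not in cfg.server_groups:
            findings.append(("UNDEFINED_SERVER_GROUP",
                             f"method list references server group {grp!r} "
                             "with no matching 'aaa-server ... protocol' line"))

    # Login authenticated by a server group, but enable never consults it:
    # server-side users get no usable path into privileged mode.
    flagged = set()
    for svc in LOGIN_SERVICES:
        for grp in (m for m in cfg.authentication.get(svc, []) if m != "LOCAL"):
            if grp not in enable_methods and grp not in flagged:
                flagged.add(grp)
                findings.append(("ENABLE_NOT_VIA_SERVER",
                                 f"{svc} authenticates via {grp} but 'aaa authentication "
                                 f"enable console' is {enable_methods or ['<unset>']}; "
                                 f"add {grp} to the enable method list and set Enable "
                                 "Privilege 15 for the user/group on the server"))

    # Command authorization with no LOCAL fallback strands local-fallback admins
    # with 'command authorization failed' when the server does not answer.
    cmd_groups = [m for m in cfg.command_authz if m != "LOCAL"]
    if cmd_groups and "LOCAL" not in cfg.command_authz:
        if any("LOCAL" in ms for ms in cfg.authentication.values()):
            findings.append(("CMDAUTHZ_NO_LOCAL_FALLBACK",
                             f"'aaa authorization command {' '.join(cfg.command_authz)}' "
                             "has no LOCAL fallback although authentication falls back "
                             "to LOCAL; append LOCAL so local privilege-15 users can "
                             "administer the box when the server is unavailable"))
    return findings


if __name__ == "__main__":
    for label, text in (("poster's config", SAMPLE_CONFIG), ("corrected config", FIXED_CONFIG)):
        print(f"== {label}")
        for code, msg in audit(parse_asa_aaa(text)) or [("OK", "no findings")]:
            print(f"  [{code}] {msg}")
```

Run it against a saved `show running-config | include aaa` and read the codes: the poster's snippet produces exactly one `ENABLE_NOT_VIA_SERVER` and one `CMDAUTHZ_NO_LOCAL_FALLBACK`; the corrected lists produce none. Whether enable should be authenticated by the server at all is a design choice (the first reply keeps it server-side with an ACS enable password, the second adds the TACACS+ group to the enable list), but both replies agree that the server-side privilege level is only honoured when the enable step actually reaches the ACS.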
