Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. And see here for current known issues.

New Member

Configuring ASA w/8.2(1) to work with ACS 3.3- enable issues.

Hello all-


Having an issue with the ASA devices. Here is the relevant part of the configuration:


<aaa commands>

aaa-server TACACS+ protocol tacacs+

aaa-server TACACS+ (outside) host <host ip>

key <key>

aaa-server TACACS+ (outside) host <host2 ip>

key <key>

aaa authentication ssh console TACACS+ LOCAL

aaa authentication enable console LOCAL

aaa authentication serial console LOCAL

aaa authentication http console TACACS+ LOCAL

aaa authorization command TACACS+


The problem is that when we put the devices into the server database, we can use our TACACS+ accounts, but it only lets us into privilege level 1 and does not allow us to go to enable mode at all.


When we remove the devices from the server (thus attempting to fall back to local authentication) we can get in and into enable using the local admin password, but we can't do anything from the enable mode with out getting the 'command authorization failed' message.


We have tried to go into the user definition on the ACS (v3.3) server and set the max privilege to 15, but it doesn't seem to have any affect.


Does anybody have any idea of what is happening?

2 REPLIES
Cisco Employee

Re: Configuring ASA w/8.2(1) to work with ACS 3.3- enable issues

What error are you getting on the ASA, access denied? Check the ACS logs under || reports and activities || failed authentication. I'm sure you will be getting "enable privilege is too low".

If that's a case then edit user or group database and set the enable privilege to 15 ( not shell exec privilege).

The Enable Privilege option is set in the TACACS+ Advanced options.

Also, make sure that we're using an enable password defined on the tacacse server under user settings because the enable password authentication is set for TACACS server.

Regards,

Jatin

Do rate helpful posts-

~BR Jatin Katyal **Do rate helpful posts**
Cisco Employee

Re: Configuring ASA w/8.2(1) to work with ACS 3.3- enable issues

well well , i guess you are getting the lovely enable 15 user account on ACS failed attempts for failed authorization.

so cool ha:)

It is the ASA trying to force the authorization using that lovely account , what you need to overcome that is having the enable authentication done against the ACS itself.

By adding the following command on the ASA:

aaa authentication login console TACACS+ local

on the ACS make sure that enable password authentication is enabled for the user.

There you have three options: either you use the same PAP password or spearate one or if you are trying with user

defined on external db with that user password on the external db.

---------------------------------------------------------------------------

Please Don't Forget to rate correct answers

443
Views
0
Helpful
2
Replies
CreatePlease login to create content