Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
951
Views
0
Helpful
1
Replies

enable authentication for ASA

fernando.vs
Level 1
Level 1

‎08-06-2010 07:44 AM - edited ‎03-10-2019 05:18 PM

hi,

Im working on AAA authentication for an ASA (ASA 8.0(3) version) box thorough a TACACS+ server in ACS (4.2 version). The setup im working on includes several users in 3 classes: senior (privilege level 15), junior (privilege level 7) and monitoring (privilege level 0), user authentication and command authorization is working fine, however im having problems with enable authentication.

When an user of junior class try to authenticate the enable password the authentication fails, according to the ACS's log "Tacacs+ enable privilege too low", however the privilege level in ACS for this class is set to level 7. Checking with a sniffer i have find out that the TACACS+ message for authentication sent by ASA is setting the privilege level as level 15, as you can see in the attached screenshot. Of course if the ASA is trying to authenticate enable for a level 15, the authentication will fail according to user's current level.I have local authentication configured in the ASA and it works fine including enable authentication.

Anyone have had any issue with this or have any idea how resolve this issue?

thanks all for your replies.

Labels:
Preview file
241 KB
0 Helpful
1 Reply 1

rochopra
Cisco Employee
Cisco Employee

‎08-11-2010 05:16 AM

Seems like you might be hitting bug CSCsh66748.

Hope you have tried "enable " command to enter enable mode for specific users.

BTW why are you using different privileges for enable when you already have command authorization in place.

Regards

Rohit

0 Helpful
Customers Also Viewed These Support Documents