enabling aaa authorization on pix/asa

jackleung
Level 1

I managed to get authentication on easy enough but now am having difficulty getting authorization to work properly. I have auth/author turned on for my IOS stuff so any techs logged in will have rights based on what I give them on secure ACS. However I can't get the same to work on PIX code. I can log in fine with aa authentication but it still prompts me for the enable password. End result is I want to be able to login just once (and enabled). Any white papers that can point me the right way?


9 Replies

Premdeep Banga
Level 7

Hi,

PIX/ASA works in a different way than IOS devices do.

What you seek is not possible. We do not have something like EXEC authorization on PIX/ASA, so we cannot go directly into enable/privileged mode.

The reason for this is that, under normal circumstances, the AAA server could reply to the initial authentication/authorization request with "priv-lvl", and the user's session would assume this level without having to enter any additional commands (like ).

But such feature is not available on PIX/ASA.

Regards,

Prem

Thank you, Prem. Here is my concern. When I enable AAA access on the firewalls, from what you said there is no way for me to govern what rights a tech has when accessing the device? I want to establish the same restrictions as on the IOS gear I have, where normal techs will only have certain commands and others have full command. The way it is now, anyone with an account on Secure ACS can access it via ASDM.

EDIT:

Also I'm a little confused about the various fields on the AAA Access (from Device Access) tab. In Authentication, there is an option to toggle to require auth to be able to use enable mode. I am not sure how this authenticates against our ACS server (I checked the various settings in ACS and enabled what I think are all PIX commands to permit enable) and it doesn't work. I enter the enable password when I telnet in and I get auth failed when running any commands.

Also there is an Authorization tab which I am assuming allows you to push down rights from an AAA server? Where on the ACS can I configure that?

Hi,

What you want to do can be accomplished; try following the instructions in the PDF file attached.

And as you want to give ASDM access, make sure that you let the support user have privilege to run all show commands, i.e. show----(check) permit unmatched arguments.

Let me know.

Regards,

Prem

Thank you. Unfortunately not working as well. I checked the logs on the SecureACS and it seems to be using the enable_15 account to do commands instead of my user account.

Hi,

Are you sure that you have entered the exact same command as in PDF?

Can you send me the sh run?

Regards,

Prem

EDIT: Never mind, I missed this command:

aaa authentication enable console aaa-server group

It works now!

Thanks!

Hi, I have tried this exact setup, and on every PIX/ASA I encountered Console problems. I am not able to login via the console at all, it keeps prompting for username and rejects whatever user I throw at it. I can ssh and HTTPs OK the way I want to, but in order to get console to work, I have to disable the authorization command.

aaa authentication http console Tacacs+ LOCAL

aaa authentication ssh console Tacacs+ LOCAL

aaa authentication serial console Tacacs+ LOCAL

aaa authentication enable console Tacacs+ LOCAL

aaa authorization command Tacacs+ LOCAL

So I wind up setting just the ssh to use Tacacs, and leave off the authorization. Users can log in, but need to know the enable password to go further.

EDIT: I forgot to add, if I set aaa authentication serial console LOCAL, I can log in as local user, but not into enable mode.

I found the problem, stupid TACACS server! We have a home-grown Linux server that we use for TACACS. What I found was the console was sending the requests to the server and getting rejected. The reason being the console sends 0.0.0.0 as its IP address. Some of the security I built into the TACACS+ server to stop attacks was an ACL: if you aren't on the ACL you will not get authenticated, even if your user/password are correct. I added 0.0.0.0 without a subnet mask and it worked. I have a second default ACL with 0.0.0/0 for testing and that one did not work either; it specifically needed 0.0.0.0. Stupid TACACS.
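The console source-address problem described above, illustrated with an added example that is not from this thread or the poster's server: a hypothetical Python allow-list check for a home-grown TACACS+ server that treats the 0.0.0.0 the ASA/PIX reports for console sessions as an ordinary address and rejects malformed ACL entries at load time instead of silently matching nothing. The ACL entry strings and function names are assumptions.

```python
import ipaddress
from typing import Iterable, List, Union

# Source address the ASA/PIX reports for serial-console sessions (per the thread).
CONSOLE_SOURCE = ipaddress.ip_address("0.0.0.0")

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


def load_acl(entries: Iterable[str]) -> List[Network]:
    """Parse NAS allow-list entries into networks, failing loudly on bad ones.

    A bare host such as "0.0.0.0" becomes a /32; a malformed entry such as
    "0.0.0/0" raises ValueError rather than being accepted and never matching.
    """
    return [ipaddress.ip_network(entry.strip(), strict=False) for entry in entries]


def client_permitted(acl: List[Network], remote_addr: str) -> bool:
    """Return True if the requesting NAS address falls inside any ACL entry."""
    addr = ipaddress.ip_address(remote_addr)
    return any(addr in net for net in acl)


def console_reachable(acl: List[Network]) -> bool:
    """Startup check: would console logins (reported as 0.0.0.0) pass the ACL?"""
    return client_permitted(acl, str(CONSOLE_SOURCE))


def malformed_entries(entries: Iterable[str]) -> List[str]:
    """Return the entries that cannot be parsed, so a typo like "0.0.0/0" is visible."""
    bad = []
    for entry in entries:
        try:
            ipaddress.ip_network(entry.strip(), strict=False)
        except ValueError:
            bad.append(entry)
    return bad


if __name__ == "__main__":
    # Constructed sample ACL: one management subnet plus the explicit console host.
    acl = load_acl(["10.1.1.0/24", "0.0.0.0"])
    print("console ok:", console_reachable(acl))
    print("bad entries:", malformed_entries(["0.0.0/0", "10.1.1.0/24"]))
```

Running the check at server start makes a console lockout show up as a configuration error rather than as a stream of rejected authentications.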

Hi, I also did the same configuration, but when we lose connection to TACACS it does not fall back to the enable credentials, i.e. it does not accept the enable password configured in the local database. Does anyone know the reason, and how to make it work as configured?
