I'm using CSACS v3.1 for Windows and several Cisco switches, routers and a PIX.
Below is the AAA config I'm using on the NASs. It works great if I telnet to the NAS (I get a Username/PW prompt and drop into "Privileged Mode"). If I console into the same NAS it drops me into "User Mode". I can type enable and use the enable secret password to get to "Privileged Mode", but that's not right! Is it a NAS or ACS configuration problem?
Switches and Routers
aaa authentication login default group tacacs+ line
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
ip tacacs source-interface Loopback0 (ON ROUTERS ONLY)
tacacs-server host x.x.x.x
tacacs-server key ***********
aaa-server TACSERVER protocol tacacs+
aaa-server TACSERVER (inside) host x.x.x.x ******** timeout 5
aaa authentication ssh console TACSERVER
aaa authentication telnet console TACSERVER
In IOS routers, authorization is turned off on the console by default. You have to turn it on with the hidden command:
> aaa authorization console
This was done because many people were locking themselves out and had no way back in, so they designed the console as a back-door. Make sure your authorization is working properly before enabling it on the console.
On the PIX, you need the command:
> aaa authentication serial console TACSERVER
See http://www.cisco.com/warp/public/110/authtopix.shtml#enableauth for further details.
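To make the console gap described above easy to spot across many devices, here is an added audit script (my example, not code from this thread, from Cisco or from ACS). It parses IOS-style AAA lines and flags a config where exec or command authorization is configured but "aaa authorization console" is absent, and, once console authorization is on, any method list with no fallback method (the lockout risk the reply warns about). The sample configs are constructed for the demonstration; the checker covers IOS only, not the PIX.

```python
"""Audit a Cisco IOS config for the console-authorization gap: exec/command
authorization applies to VTY sessions, but not to the console until
'aaa authorization console' is set. Added example; sample configs below are
constructed and do not come from the thread's devices."""
import re

# Methods that let a session proceed when the TACACS+ server is unreachable
# (or, for if-authenticated, once login has succeeded).
FALLBACK_METHODS = {"local", "line", "enable", "none", "if-authenticated"}

# Constructed sample: the poster's router config with a placeholder server.
IOS_NO_CONSOLE_AUTHZ = """\
aaa new-model
aaa authentication login default group tacacs+ line
aaa authorization exec default group tacacs+ if-authenticated
aaa authorization commands 1 default group tacacs+ if-authenticated
aaa authorization commands 15 default group tacacs+ if-authenticated
tacacs-server host 192.0.2.10
tacacs-server key PLACEHOLDER_KEY
"""

# Same config after applying the hidden command from the reply.
IOS_WITH_CONSOLE_AUTHZ = IOS_NO_CONSOLE_AUTHZ + "aaa authorization console\n"

# Constructed lockout case: console authorization on, but no fallback methods.
IOS_LOCKOUT_RISK = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
aaa authorization console
"""


def _lines(config):
    """Config lines with blanks and '!' comment lines removed."""
    return [l.strip() for l in config.splitlines()
            if l.strip() and not l.lstrip().startswith("!")]


def _methods(line, skip):
    """Method list of an AAA line, folding 'group tacacs+' into one item."""
    toks = line.split()[skip:]
    out, i = [], 0
    while i < len(toks):
        if toks[i] == "group" and i + 1 < len(toks):
            out.append("group " + toks[i + 1])
            i += 2
        else:
            out.append(toks[i])
            i += 1
    return out


def audit_ios_aaa(config):
    """Return a list of findings (empty list means nothing to report)."""
    lines = _lines(config)
    findings = []
    if "aaa new-model" not in lines:
        findings.append("'aaa new-model' missing: AAA method lists have no effect")
    exec_lines = [l for l in lines if l.startswith("aaa authorization exec ")]
    cmd_lines = [l for l in lines
                 if re.match(r"aaa authorization commands \d+ ", l)]
    console_authz = "aaa authorization console" in lines
    # The gap from the thread: authorization lists exist, console is exempt.
    if (exec_lines or cmd_lines) and not console_authz:
        findings.append("console sessions bypass exec/command authorization: "
                        "'aaa authorization console' is absent (IOS default)")
    # Once the console is covered, every list it consults needs a fallback,
    # otherwise an unreachable TACACS+ server locks out the last way in.
    if console_authz:
        for l in exec_lines:
            if not set(_methods(l, 4)) & FALLBACK_METHODS:
                findings.append(f"no fallback method in '{l}': console lockout "
                                "if TACACS+ is unreachable")
        for l in cmd_lines:
            if not set(_methods(l, 5)) & FALLBACK_METHODS:
                findings.append(f"no fallback method in '{l}': console lockout "
                                "if TACACS+ is unreachable")
    for l in (l for l in lines if l.startswith("aaa authentication login ")):
        if not set(_methods(l, 4)) & FALLBACK_METHODS:
            findings.append(f"no fallback method in '{l}': login lockout "
                            "if TACACS+ is unreachable")
    return findings


if __name__ == "__main__":
    for name, cfg in [("no console authz", IOS_NO_CONSOLE_AUTHZ),
                      ("with console authz", IOS_WITH_CONSOLE_AUTHZ),
                      ("lockout risk", IOS_LOCKOUT_RISK)]:
        print(name, "->", audit_ios_aaa(cfg) or "OK")
```

Run it against a saved "show running-config" for each router; the with-console sample comes back clean because the poster's lists already carry "if-authenticated" and "line" fallbacks, which is exactly the state the reply asks you to confirm before turning console authorization on.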
Thanks, the IOS routers and switches worked great! But the PIX command didn't work: if you log in through the console, you are only in "User Mode", not "Enable Mode". Anything else I can try?
Sorry, there's no authorization for the console on a PIX, only for traffic going through the PIX. The command I gave you should at least get you prompted for a username/password, but that's all you're going to be able to do.
Are you saying there is no way to authenticate all the way to the PIX's "Privileged Mode" when using Cisco Secure ACS, like on Cisco IOS routers?
Unlike a router, there is no way you will be taken to privileged mode on the PIX firewall even if you define priv-lvl 15 on the ACS. This is true for both console and telnet. Console authentication and authorization (rather, command authorization) work the same way as telnet on the PIX. The difference between the PIX and a router is that you have to have a separate enable password to go to enable mode (it doesn't take you to enable mode directly) on the PIX. In the case of TACACS+, you need to define a separate enable password on ACS with the appropriate priv-lvl access to the PIX (as NAS) for enable authentication to work. This priv-lvl to the PIX (as NAS) is the level of authorization the user will get on the PIX after going to enable mode. RADIUS uses the same password for first login and enable access (but you still need to enter the password twice: once for first login and then for enable access). There is no concept of authorization (command authorization) with RADIUS on the PIX.
I hope it clears up the confusion. Thanks,
I'm trying to do the same thing on our routers: use ACS 3.1 to authenticate and take the user straight to "privileged mode". I've used the same config as you but I still get prompted for the "enable" password. Have you done anything specific in ACS or the router to enable this?
Thanks in advance.
It should work with ACS 3.1. I am assuming that you are using TACACS+ to do that; please make sure that Shell/Exec is checked and you assign the priv level to 2-15 on your ACS user or group profile. Without this setup on ACS it will not take you directly to enable mode. On the router, all it requires is the following lines:
aaa authentication login default group tacacs+ local
aaa authorization exec default group tacacs+ local
I am trying the same on the PIX. I know from the previous trial that we cannot go to privileged mode directly on the PIX. Is there any change of behaviour in PIX 6.3?