Why do my firewalls only use the domain username and password for login and enable passwords, not a different enable password like my switches do? The RADIUS config looks the same...

chris
Level 1

Issue:

Cisco firewalls require only one level of password, i.e. the domain username and password are used both for logging in and for reaching global configuration mode.

Background:

We have multiple Cisco network devices set up which authenticate to our Windows domain controller using NPS (Windows 2008 R2). The switches we have set up all function exactly as we would hope as they require your domain username and password to login to the device. They then require a separate password when you use the enable command, this is stored in Active Directory:

Switches:

Username:domain-username
Password:domain-password

SWITCH>enable
Password:enable-password-in-Active-Directory

SWITCH#

Firewalls (as they currently are):

Username:domain-username
Password:domain-password

FIREWALL>enable
Password:domain-password

FIREWALL#

With the firewalls, however, they require your domain username and password first, and then your domain password again when using the enable command. I want the firewalls to use the enable-level password that the switches currently use instead of the domain password again. The current configurations look like the following:

Current switch configuration:

aaa new-model
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
aaa session-id common
radius-server host 192.168.0.1 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key 7 1234abcd

Current firewall configuration:

aaa-server DC01 protocol radius
aaa-server DC01 (outside) host 192.168.0.1
 key 1234abcd
aaa authentication ssh console DC01 LOCAL
aaa authentication enable console DC01 LOCAL

Any help would be great, thanks!

1 Accepted Solution

Accepted Solutions

You need to use TACACS+ instead of RADIUS for this.

There you can use command sets in the results section of the policy.


6 Replies 6

Eduardo Aliaga
Level 4

Cisco ASA works that way by design. You could remove "aaa authentication enable" and then you could use the "enable password" command to set your enable password.

But if you do that, then the ASA would change your username to "enable_15". That would break Authorization and Accounting if you're using them. Let me clarify with an example:

Firewalls:

Username:domain-username
Password:domain-password

FIREWALL>show curpriv
Username : domain-username
Current privilege level : 1
Current Mode/s : P_UNPR

FIREWALL>enable
Password:enable-password-from-running-config

FIREWALL#show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV

If you're using Authorization and Accounting it's recommended to stick with your current behavior.

Thanks for the reply! That would solve one problem, I guess, as it would ensure that 2 levels of passwords would need to be used in order to gain enable access to the firewall. It does, however, defeat the object behind my reasoning for implementing RADIUS in the first place, i.e. we have a lot of devices and I wanted to be able to change all of the devices' enable passwords at once, and also have the login password change whenever we change our domain password. All this while keeping the security tighter, as they require the 2 different passwords...

I can't believe that Cisco would create a device that is used for security, and then make it have one password for change access when you implement RADIUS!

Thanks again!

Glad to help. What you could do is to configure "authorization", so one group of users could only read the configuration, another group of users could use "vpn" commands, another group of users could configure the firewall, and so on.

I highly recommend using ACS 5.x as your AAA server. It's great when using "authorization" policies and "identity" policies.

Please rate or mark this question as answered so others could benefit from the response.

How could I find out how to do that? Do you have some good documentation I could read, or could you perhaps give me an example please? I am busy reading a document on ACS 5.x at the moment. Thanks again!

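The accepted answer says to move the firewalls from RADIUS to TACACS+ and use command sets, but the thread never shows the device side of that. The following ASA configuration is an added example written for this page; it is not taken from the thread, from Cisco documentation or from any ACS export. The server group name ACS, the address 192.0.2.10, the inside interface, the placeholder secrets, the breakglass username and the AD group names in the comments are all assumptions. It keeps LOCAL as a fallback on every line so that an unreachable ACS does not lock administrators out.

```cisco
! Added example (not from the thread): ASA device administration over TACACS+
! with per-user command authorization. Names, addresses and secrets are placeholders.
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.0.2.10
 key TACACS-SHARED-SECRET-PLACEHOLDER
 timeout 5
!
! Authenticate logins and the enable prompt against the ACS group;
! LOCAL is consulted only if every server in the group is unreachable.
aaa authentication ssh console ACS LOCAL
aaa authentication http console ACS LOCAL
aaa authentication enable console ACS LOCAL
!
! Take the privilege level from the server's shell profile instead of a
! fixed local level, then authorize every command against the ACS command set.
aaa authorization exec authentication-server
aaa authorization command ACS LOCAL
!
! Send session and command accounting to the same server group, so the
! username that ran each command is recorded centrally.
aaa accounting ssh console ACS
aaa accounting enable console ACS
aaa accounting command ACS
!
! Break-glass account, used only while the TACACS+ group is down.
username breakglass password LOCAL-PASSWORD-PLACEHOLDER privilege 15
!
! ACS 5.x policy side (illustrative, shown here as comments): authorization
! rules map AD groups to a shell profile (privilege 15) plus a command set, e.g.
!   NetOps-ReadOnly -> permit "show" *, deny everything else
!   NetOps-VPN      -> permit "show" *, "crypto" *, "tunnel-group" *, "group-policy" *
!   NetOps-Admin    -> permit any command
```

Command authorization on the ASA is only available with TACACS+ or LOCAL, which is why the RADIUS configuration in the question cannot produce the per-group split Eduardo describes. Apply this from a session you keep open, then verify from a second session that a read-only user is refused "configure terminal" and that the breakglass user can still log in with the server group deliberately unreachable, before saving the configuration: a command set that denies "enable" or "write" will lock out everyone who matches it.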

Hi All, thanks for posting this topic discussion. I am also facing a similar issue.

I am using ACS 5.2 & TACACS+ for device administration. The problem is I cannot go to enable mode even though I use the correct password. But the funny thing is, if "I just press Enter and key in the correct password", then it's OK, I can go to enable mode. How come it cannot go to enable mode directly?

Telnet/SSH to the device, and prompt:

username: test
password:

switch>en
password:         << just press enter
Enter old password:       <
switch#

Any comment/suggestion is appreciated.
