11-24-2010 05:00 AM - edited 03-10-2019 05:36 PM
Issue:
Cisco firewalls require only one level of password, i.e., the domain username and password are used both for logging in and for reaching global configuration mode.
Background:
We have multiple Cisco network devices set up which authenticate to our Windows domain controller using NPS (Windows 2008 R2). The switches we have set up all function exactly as we would hope as they require your domain username and password to login to the device. They then require a separate password when you use the enable command, this is stored in Active Directory:
Switches:
Username:domain-username
Password:domain-password
SWITCH>enable
Password:enable-password-in-Active-Directory
SWITCH#
Firewalls (as they currently are):
Username:domain-username
Password:domain-password
FIREWALL>enable
Password:domain-password
FIREWALL#
With the firewalls, however, they require your domain username and password first, and then your domain password again when using the enable command. I want the firewalls to use the enable-level password that the switches currently use instead of the domain password again. The current configurations look like the following:
Current switch configuration:
aaa new-model
aaa authentication login default group radius local
aaa authentication enable default group radius enable
aaa authorization exec default group radius local
aaa session-id common
radius-server host 192.168.0.1 auth-port 1645 acct-port 1646
radius-server source-ports 1645-1646
radius-server key 7 1234abcd
Current firewall configuration:
aaa-server DC01 protocol radius
aaa-server DC01 (outside) host 192.168.0.1
aaa authentication ssh console DC01 LOCAL
aaa authentication enable console DC01 LOCAL
key 1234abcd
Any help would be great, thanks!
11-24-2010 07:34 AM
Cisco ASA works that way by design. You could remove "aaa authentication enable" and then you could use the "enable password" command to set your enable password.
But if you do that, then the ASA would change your username to "enable_15". That would break authorization and accounting if you're using them. Let me clarify with an example:
Firewalls :
Username:domain-username
Password:domain-password
FIREWALL>show curpriv
Username : domain-username
Current privilege level : 1
Current Mode/s : P_UNPR
FIREWALL>enable
Password:enable-password-from-running-config
FIREWALL#show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV
If you're using authorization and accounting, it's recommended to stick with your current behavior.
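The alternative described in this answer, written out as an ASA configuration fragment. This is an added example, not configuration from the original post: it reuses the DC01 server group, host and key shown in the question, and the enable password value is a placeholder you would choose yourself.

```text
! Added example (not from the original thread). Login still authenticates
! against the RADIUS server group DC01 from the question; only the enable
! step changes to a locally stored password.
aaa-server DC01 protocol radius
aaa-server DC01 (outside) host 192.168.0.1
 key 1234abcd
aaa authentication ssh console DC01 LOCAL

! Stop sending the enable password to RADIUS and use the local one instead.
no aaa authentication enable console DC01 LOCAL
enable password <local-enable-password>    ! placeholder, pick your own

! Caveat: after "enable" the session identity becomes enable_15, so any
! "aaa authorization command ..." or "aaa accounting ..." you configure
! will see enable_15 rather than the domain username.
```

Because the enable password now lives in each firewall's running configuration, changing it fleet-wide means touching every device, which is exactly the trade-off the thread goes on to discuss.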
11-24-2010 07:58 AM
Thanks for the reply! That would solve one problem, I guess, as it would ensure that 2 levels of passwords would need to be used in order to gain enable access to the firewall. It does, however, defeat the purpose behind the reason I implemented RADIUS in the first place, i.e., we have a lot of devices and I wanted to be able to change all of the devices' enable passwords at once, and also have the login password change whenever we change our domain password. All this while keeping the security tighter as they require the 2 different passwords...
I can't believe that Cisco would create a device that is used for security, and then make it have one password for change access when you implement RADIUS!
Thanks again!
11-24-2010 08:16 AM
Glad to help. What you could do is configure "authorization", so one group of users could only read the configuration, another group of users could use "vpn" commands, another group of users could configure the firewall, and so on.
I highly recommend to use ACS 5.x as your AAA server. It's great when using "authorization" policies and "identity" policies.
Please rate or mark this question as answered so others could benefit from the response.
11-25-2010 08:27 AM
How could I find out how to do that? Do you have some good documentation I could read, or could you perhaps give me an example please? I am busy reading a document on ACS 5.x at the moment. Thanks again!
11-26-2010 08:13 AM
You need to use TACACS+ instead of RADIUS for this.
There you can use command sets in the results section of the policy.
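The ASA side of what this answer describes, as an added example that is not part of the original thread. It assumes a hypothetical TACACS+ server group named ACS at 192.168.0.2 with a shared secret placeholder; the per-group command sets themselves are built in the ACS policy, which this fragment does not show.

```text
! Added example (not from the original thread). Assumes a TACACS+ server
! group "ACS" at 192.168.0.2 (hypothetical) with shared secret <tacacs-key>.
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.168.0.2
 key <tacacs-key>

! Keep a local privilege-15 account as the lockout safety net before turning
! on command authorization; LOCAL is the fallback when ACS is unreachable.
username localadmin password <local-password> privilege 15

! Login and enable are both answered by ACS, so the enable password is
! managed centrally instead of living in each firewall's running-config.
aaa authentication ssh console ACS LOCAL
aaa authentication enable console ACS LOCAL

! Every command the user types is sent to ACS, which allows or denies it
! against the command set selected by that user's authorization policy.
aaa authorization command ACS LOCAL

! Record each authorized command against the domain username.
aaa accounting command ACS
```

Order matters when applying this: configure the server group, verify that login and enable succeed through it, and only then enable "aaa authorization command", otherwise a typo in the server definition can lock you out of the box you are configuring. Because enable is still authenticated by the AAA server, "show curpriv" keeps reporting the domain username rather than enable_15, so the accounting records stay attributable to a person.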
08-13-2011 11:50 AM
Hi All, thanks for posting this topic discussion. I am also facing a similar issue.
I am using ACS 5.2 & TACACS+ for device administration. The problem is I cannot go to enable mode even though I use the correct password. But the funny thing is, "I just press Enter and key in the correct password" and then it's OK, I can go to enable mode. How come it cannot go to enable mode directly?
Telnet/SSH to the device, and at the prompt:
username: test
password:
switch>en
password: << just press enter
Enter old password: <
switch#
Any comment/suggestion is appreciated.