Cisco ASA TACACS+ enable mode not working

Hi,

I am configuring the ASA 8.4 with TACACS using the CLI configuration below. I can only successfully log in to the USER MODE of the ASA via TACACS, but I am unable to get to the enable mode of the ASA via TACACS. Also, the ASA is not falling back to the local enable password either.

Also, I can successfully run "test aaa-server authentication TACACS+ username abc password password1":

INFO: Authentication Successful

From the same ACS, TACACS works for both user mode and enable mode on routers/switches.

Current ASA CLI

~~~~~~~~~~~~~

username [ENTER USERNAME HERE] password [ENTER ADMIN PASSWORD HERE] privilege 15
enable password [ENTER ENABLE MODE PASSWORD HERE]
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host [ENTER TACACS+ SERVER IP ADDRESS HERE] [ENTER SECRET KEY HERE] timeout 10
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting enable console TACACS+
aaa accounting ssh console TACACS+


Cisco ASA TACACS+ enable mode not working

What does the CLI return after you enter the password for enable mode? What does it say in the logs on the TACACS server?

Cisco ASA TACACS+ enable mode not working

Hey Rizwan,

What ACS version are you running?

Make sure you defined the username with a static privilege level of 15, otherwise it will not be able to pass the enable authentication.

If ACS 5.x or higher, go to the policy elements: Shell Profile and make sure you have one assigned for a static maximum privilege of 15 and, most important, that it's applied to an access-policy rule.

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Re: Cisco ASA TACACS+ enable mode not working

Hi,

Thanks for the assistance. The issue of logging in to enable mode via TACACS+ credentials is resolved as per your advice: I found that as soon as I configure ACS User Setup-> Advanced TACACS+ Settings-> Max Privilege for any AAA Client->15 instead of "Use Group Level Setting" (which is privilege 15 anyway), I can log in to the firewall enable mode via TACACS+ successfully.

Now the problem is that if I turn off the ACS, I can successfully log in to the firewall user mode via the fallback local credentials of the username/password below, but I can only log in to enable mode via the password user123; I am unable to log in to enable mode via the enable password, i.e. password2.

Configurations:

username user1 password user123 privilege 15
enable password password2
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host 10.10.10.10
 key abc123
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting enable console TACACS+
aaa accounting ssh console TACACS+

Problem:

Test-ASA> en
Password: password2
Password:
Password: user123
Test-ASA#

Re: Cisco ASA TACACS+ enable mode not working

Hello,

Glad to know that I could help (remember to mark the question as answered, as that was the main topic of this ticket).

Now, moving to the new issue.

aaa authentication enable console TACACS+ LOCAL

This basically tells the ASA to use the local username and password database, not the enable password.

If you want to authenticate using the locally configured enable password, just remove

aaa authentication enable console TACACS+ LOCAL

and you will always be authenticating using the locally configured password.

This is different from an IOS device, which provides the option to use the enable database on the router itself when authenticating.

Looking for some Networking Assistance? 
Contact me directly at jcarvaja@laguiadelnetworking.com

I will fix your problem ASAP.

Cheers,

Julio Carvajal Segura
http://laguiadelnetworking.com

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

Re: Cisco ASA TACACS+ enable mode not working

Hi,

I thought I would keep the discussion on the same page as it's very much related to it.

Please advise whether the timers I have added below are in line with Cisco best practices or not. Also, what is the function of the commands below? Do you recommend that I add them or not?

aaa-server TACACS+ protocol tacacs+
 reactivation-mode timed

~~~~~~~~~~~Please advise on the timers in the aaa commands below~~~~~~~~~~~~~~~~~~~~

username user1 password user123 privilege 15
enable password password2
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ max-failed-attempts 3
aaa-server TACACS+ deadtime 10
aaa-server TACACS+ (inside) host 10.10.10.10
 timeout 6
 key abc123
aaa-server TACACS+ (inside) host 10.10.20.10
 timeout 6
 key abc123
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting enable console TACACS+
aaa accounting ssh console TACACS+
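Two points in this thread are easy to get wrong when reading a config by eye: the LOCAL fallback on `aaa authentication enable console` authenticates enable against the local username database rather than the `enable password` (the problem Rizwan hit with the ACS off), and the server-group timers (`timeout`, `max-failed-attempts`, `deadtime`, `reactivation-mode`) decide how long administrators wait before that fallback kicks in. The script below is an added example, not code from this thread or from Cisco: it parses the AAA lines of an ASA running-config (both the flat one-line form typed above and the indented submode form) and reports lockout and fallback findings. The sample config is a constructed copy of the one posted above (placeholder key and addresses); the 30-second figure for `reactivation-mode timed` and the default host timeout of 10 s are Cisco ASA defaults.

```python
"""Audit the AAA/TACACS+ section of a Cisco ASA running-config for the
fallback behaviour and server-group timers discussed in this thread.
Added example, not code from the thread or from Cisco.  The sample config
is a constructed copy of the one posted above; key and IPs are placeholders."""

import re
from typing import Dict, List

# Constructed sample: the same commands as in the thread, with submode lines
# indented the way "show running-config" prints them.
SAMPLE_CONFIG = """\
username user1 password user123 privilege 15
enable password password2
aaa-server TACACS+ protocol tacacs+
 max-failed-attempts 3
 deadtime 10
 reactivation-mode timed
aaa-server TACACS+ (inside) host 10.10.10.10
 timeout 6
 key abc123
aaa-server TACACS+ (inside) host 10.10.20.10
 timeout 6
 key abc123
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication telnet console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa accounting enable console TACACS+
aaa accounting ssh console TACACS+
"""

# ASA defaults that apply when the command is not configured.
GROUP_DEFAULTS = {"max-failed-attempts": 3, "deadtime": 10,
                  "reactivation-mode": "depletion"}
INT_KEYS = {"timeout", "max-failed-attempts", "deadtime"}


def _val(key: str, v: str):
    return int(v) if key in INT_KEYS else v


def parse_aaa(config: str) -> Dict:
    """Collect local users, server groups (hosts and timers) and aaa lines.
    Accepts both the flat form typed in the thread ("aaa-server TACACS+
    deadtime 10") and the indented submode form."""
    cfg = {"users": {}, "groups": {}, "authn": {}, "authz": {}, "acct": {}}
    ctx = None  # group or host dict that receives submode lines
    for raw in config.splitlines():
        line = raw.strip()
        if not line or line.startswith("!"):
            continue
        if m := re.match(r"username (\S+) password \S+(?: encrypted)?(?: privilege (\d+))?$", line):
            cfg["users"][m[1]] = int(m[2] or 2)  # ASA default privilege is 2
        elif m := re.match(r"aaa-server (\S+) protocol (\S+)", line):
            ctx = cfg["groups"].setdefault(
                m[1], {"protocol": m[2], "hosts": [], **GROUP_DEFAULTS})
        elif m := re.match(r"aaa-server (\S+) \((\S+)\) host (\S+)"
                           r"(?: (?!timeout)(\S+))?(?: timeout (\d+))?", line):
            ctx = {"ip": m[3], "if": m[2], "key": m[4], "timeout": int(m[5] or 10)}
            cfg["groups"][m[1]]["hosts"].append(ctx)
        elif m := re.match(r"aaa-server (\S+) (max-failed-attempts|deadtime|reactivation-mode) (\S+)", line):
            cfg["groups"][m[1]][m[2]] = _val(m[2], m[3])
        elif m := re.match(r"(timeout|key|max-failed-attempts|deadtime|reactivation-mode) (\S+)", line):
            if ctx is not None:
                ctx[m[1]] = _val(m[1], m[2])
        elif m := re.match(r"aaa authentication (\S+) console (.+)", line):
            cfg["authn"][m[1]] = m[2].split()
        elif m := re.match(r"aaa authorization (\S+) (.+)", line):
            cfg["authz"][m[1]] = m[2].split()
        elif m := re.match(r"aaa accounting (\S+) console (.+)", line):
            cfg["acct"][m[1]] = m[2].split()
    return cfg


def audit(cfg: Dict) -> List[str]:
    """Return lockout/fallback findings as 'LEVEL scope: message' strings."""
    out: List[str] = []
    priv15 = [u for u, p in cfg["users"].items() if p == 15]
    # Without LOCAL as the last method, an AAA outage locks every admin out.
    for svc in ("ssh", "http", "telnet"):
        methods = cfg["authn"].get(svc)
        if methods and methods[-1] != "LOCAL":
            out.append(f"WARN {svc}: no LOCAL fallback, an AAA outage locks out {svc} admins")
    enable = cfg["authn"].get("enable")
    if enable is None:
        out.append("INFO enable: no 'aaa authentication enable console', enable uses the 'enable password'")
    elif "LOCAL" in enable:
        out.append("INFO enable: when the servers are unreachable, LOCAL fallback authenticates enable "
                   "against the local username database (the user's own password), not 'enable password'")
        if not priv15:
            out.append("WARN enable: no local user has privilege 15, LOCAL fallback cannot reach enable mode")
    else:
        out.append("WARN enable: no LOCAL fallback, enable mode is unreachable while all AAA servers are down")
    for name, g in cfg["groups"].items():
        if len(g["hosts"]) < 2:
            out.append(f"WARN {name}: single server, no redundancy")
        if g["reactivation-mode"] == "timed":
            out.append(f"INFO {name}: reactivation-mode timed retries a failed server after 30 s of down time; "
                       f"'deadtime {g['deadtime']}' applies only in depletion mode")
        worst = sum(h["timeout"] for h in g["hosts"])
        out.append(f"INFO {name}: worst-case wait before fallback when every server is silent is "
                   f"about {worst} s (sum of host timeouts, retries ignored)")
        for h in g["hosts"]:
            if h["key"] is None:
                out.append(f"WARN {name}: host {h['ip']} has no key, the TACACS+ body is sent unencrypted")
    return out


if __name__ == "__main__":
    for finding in audit(parse_aaa(SAMPLE_CONFIG)):
        print(finding)
```

Run it against a saved `show running-config` to get the findings; on the posted config it reports only three INFO lines (the LOCAL-fallback behaviour for enable, the `reactivation-mode timed` note and a worst-case wait of 12 s across the two hosts), whereas a config with no LOCAL on the ssh or enable lines gets WARN findings for the lockout risk.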


Hello Rizwan,

Thanks for the post. I had a similar situation but tried all the possible solutions. Your post was giving me some hope to resolve this issue, but I am not able to find the exact settings on ACS as per your navigation. Can you please let me know the version of ACS you figured it out on?

ACS User Setup-> Advanced TACACS+ Settings-> Max Privilege for any AAA Client->15 

Regards,

Sreeharsha
