New Member

Sessioning into FWSM using AAA tacacs for authentication

We have a FWSM in a Cat6500(12.2(33)SXI). We use AAA tacacs with local failover for ssh access to both the FWSM admin context and the switch. Works great. However when trying to session to the FWSM from the switch it only seems to allow 1st level access using my tacacs credentials. It only accepts either the local admin context enable password or the password associated with a local privilege level 15 user(admin context) for enable access. Is there some way to configure enable access to also use my tacacs credentials? If possible, local authentication for failover would be preferred.

thanks.

P

11 REPLIES

Re: Sessioning into FWSM using AAA tacacs for authentication

aaa authentication enable console <>

New Member

Re: Sessioning into FWSM using AAA tacacs for authentication

If you are talking about the fwsm, we already have the following statement configured in the admin context:

aaa authentication enable console tac_servers LOCAL

It's like it's not using aaa for enable after the session login, as I'm not getting a prompt for username, only password.

thanks

P.

Re: Sessioning into FWSM using AAA tacacs for authentication

Did you try debugging aaa to see what exactly is happening when you are sessioning into the FWSM?

New Member

Re: Sessioning into FWSM using AAA tacacs for authentication

Output from show debug on the FWSM system context while doing a session command from the switch:

Processing challenge for user xxxxxx, session id: 2147483691, challenge: Password:

Mar 05 2009 06:07:53: %FWSM-6-605005: Login permitted from 127.0.0.51/34817 to eobc:127.0.0.91/telnet for user "xxxxxx"

Enabling in the same session using the local level 15 password:

Mar 05 2009 06:09:36: %FWSM-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15

thanks,

P
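The two syslog lines in the post above carry the evidence the poster is describing: 605005 names the TACACS user who logged in, but the 502103 privilege change is attributed to the synthetic identity "enable_15", which is what the FWSM records when the local level-15 password (rather than a per-user AAA credential) is used to enter enable mode. As an added example that is not part of the thread, the following parser extracts both message types and flags privilege changes attributed to an enable_<level> identity, so an operator can measure how often per-user accountability is being lost. The sample log is constructed: the first two lines are the ones quoted in the post, the "alice" lines and addresses are invented for contrast.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample input: the two FWSM syslog lines quoted in the thread,
# plus two constructed lines for a named user so that both cases appear.
SAMPLE_LOG = """\
Mar 05 2009 06:07:53: %FWSM-6-605005: Login permitted from 127.0.0.51/34817 to eobc:127.0.0.91/telnet for user "xxxxxx"
Mar 05 2009 06:09:36: %FWSM-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15
Mar 05 2009 06:15:02: %FWSM-6-605005: Login permitted from 10.0.0.5/50122 to inside:10.0.0.1/ssh for user "alice"
Mar 05 2009 06:15:40: %FWSM-5-502103: User priv level changed: Uname: alice From: 1 To: 15
"""

# Generic FWSM syslog header: timestamp, then %FWSM-<severity>-<message id>: <body>
HEADER_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} \d{2} \d{4} \d{2}:\d{2}:\d{2}): "
    r"%FWSM-(?P<sev>\d)-(?P<msg_id>\d{6}): (?P<body>.*)$"
)
# 605005: management login permitted, carrying the authenticated user name.
LOGIN_RE = re.compile(
    r'Login permitted from (?P<src>\S+) to (?P<dst>\S+) for user "(?P<user>[^"]*)"'
)
# 502103: privilege level change; Uname is the identity the change is attributed to.
PRIV_RE = re.compile(
    r"User priv level changed: Uname: (?P<uname>\S+) From: (?P<frm>\d+) To: (?P<to>\d+)"
)


@dataclass
class Event:
    ts: str
    msg_id: str
    kind: str            # "login" or "priv_change"
    user: str
    from_level: Optional[int] = None
    to_level: Optional[int] = None


def parse_line(line: str) -> Optional[Event]:
    """Parse one FWSM syslog line into an Event; return None for lines we do not model."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    ts, msg_id, body = m.group("ts"), m.group("msg_id"), m.group("body")
    if msg_id == "605005":
        lm = LOGIN_RE.search(body)
        if lm:
            return Event(ts, msg_id, "login", lm.group("user"))
    elif msg_id == "502103":
        pm = PRIV_RE.search(body)
        if pm:
            return Event(ts, msg_id, "priv_change", pm.group("uname"),
                         int(pm.group("frm")), int(pm.group("to")))
    return None


def is_shared_enable_identity(uname: str) -> bool:
    """True when Uname is the synthetic enable_<level> identity rather than a real user.

    The thread shows enable_15 being logged when the local level-15 password was
    used; we treat any enable_<digits> value the same way."""
    return re.fullmatch(r"enable_\d+", uname) is not None


def find_shared_enable_escalations(log_text: str) -> List[Event]:
    """Return privilege changes attributed to enable_<level> instead of a named user."""
    findings = []
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev and ev.kind == "priv_change" and is_shared_enable_identity(ev.user):
            findings.append(ev)
    return findings


if __name__ == "__main__":
    for ev in find_shared_enable_escalations(SAMPLE_LOG):
        print(f"{ev.ts}: privilege {ev.from_level}->{ev.to_level} attributed to "
              f"{ev.user!r}, not to an AAA user (shared enable password in use)")
```

Run against a syslog export from the admin context, the count of flagged events is a direct measure of how often the shared enable password is being used in place of TACACS-authenticated enable, which is the accountability gap the thread is about.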

Re: Sessioning into FWSM using AAA tacacs for authentication

FWSM 3.2 Configuration Guide

"In multiple context mode, you cannot configure any AAA commands in the system configuration. However, if you configure Telnet authentication in the admin context, then authentication also applies to sessions from the switch to the FWSM (which enters the system execution space). The admin context AAA server or local user database are used in this instance"

But I'm not quite sure if this is the case with "enable" authentication; at least from what you have experienced, it looks like the enable password set under the system context is being used.

New Member

Re: Sessioning into FWSM using AAA tacacs for authentication

Agree on the aaa commands in the system config. In the admin context config we have the following aaa commands:

aaa authentication telnet console tac_servers LOCAL

aaa authentication enable console tac_servers LOCAL

Just doesn't seem to work with enable.

thanks,

P

Re: Sessioning into FWSM using AAA tacacs for authentication

That confirms that enable authentication for system context is done based on enable password and not the tacacs+.

But I am going to check and let you know.

Re: Sessioning into FWSM using AAA tacacs for authentication

BTW, what code are you running on FWSM ??

New Member

Re: Sessioning into FWSM using AAA tacacs for authentication

3.2(4), looking to upgrade to 4 in the next month or so.

New Member

Re: Sessioning into FWSM using AAA tacacs for authentication

thanks much

P

New Member

Re: Sessioning into FWSM using AAA tacacs for authentication

I'm wondering if anyone has found an answer to this. I have the exact same problem where authentication is working to the FWSM, but when I try to go into enable mode it uses the password that is configured via the enable secret command and not what is in the ACS server. I tried using "aaa authentication enable console {LOCAL | server_group [LOCAL]}" but it doesn't seem to work.

Any thoughts?
