
Sessioning into FWSM using AAA tacacs for authentication

phaddad
Level 1

We have an FWSM in a Cat6500 (12.2(33)SXI). We use AAA TACACS+ with local failover for SSH access to both the FWSM admin context and the switch. Works great. However, when trying to session to the FWSM from the switch it only seems to allow first-level access using my TACACS+ credentials. It only accepts either the local admin-context enable password or the password associated with a local privilege level 15 user (admin context) for enable access. Is there some way to configure enable access to also use my TACACS+ credentials? If possible, local authentication for failover would be preferred.

thanks.

P

11 Replies

aaa authentication enable console <>

If you are talking about the FWSM, we already have the following statement configured in the admin context:

aaa authentication enable console tac_servers LOCAL

It's like it's not using AAA for enable after the session login, as I'm not getting a prompt for a username, only for a password.

thanks

P.

Did you try debugging AAA to see what exactly is happening when you session into the FWSM?

Output from show debug on the FWSM system context while running a session command from the switch:

Processing challenge for user xxxxxx, session id: 2147483691, challenge: Password:

Mar 05 2009 06:07:53: %FWSM-6-605005: Login permitted from 127.0.0.51/34817 to eobc:127.0.0.91/telnet for user "xxxxxx"

Enabling in the same session using the local level 15 password:

Mar 05 2009 06:09:36: %FWSM-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15

thanks,

P

FWSM 3.2 Configuration Guide

"In multiple context mode, you cannot configure any AAA commands in the system configuration. However, if you configure Telnet authentication in the admin context, then authentication also applies to sessions from the switch to the FWSM (which enters the system execution space). The admin context AAA server or local user database are used in this instance"

But I'm not quite sure if this is the case with "enable" authentication; at least from what you have experienced, it looks like the enable password set under the system context is being used.

Agree on the aaa commands in the system config. In the admin context config we have the following aaa commands:

aaa authentication telnet console tac_servers LOCAL

aaa authentication enable console tac_servers LOCAL

It just doesn't seem to work with enable.

thanks,

P
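The configuration the thread is discussing, pulled together in one place as an added illustration (this is not the poster's full running config): the admin-context AAA server group with LOCAL fallback, the local fallback account, and the session command from the supervisor. The group name tac_servers and the two aaa authentication lines are taken from the posts above; the interface name, server address, shared key, usernames, passwords and slot number are assumptions.

```cisco
! ---- FWSM admin context (multiple context mode; AAA cannot be configured in the system space) ----
! TACACS+ server group. Server address, interface name and key are assumed values.
aaa-server tac_servers protocol tacacs+
aaa-server tac_servers (inside) host 10.0.0.10
 key TacacsSharedSecret

! Local fallback. Note that the trailing LOCAL keyword on the aaa authentication lines
! is only consulted when every server in tac_servers is unreachable; a reject from a
! reachable TACACS+ server does not fall through to the local database.
username fwadmin password LocalFallbackPw privilege 15
enable password AdminCtxEnablePw

! Per the FWSM 3.2 configuration guide quoted above, telnet authentication configured in the
! admin context also applies to "session" connections from the switch into the system space.
aaa authentication ssh console tac_servers LOCAL
aaa authentication telnet console tac_servers LOCAL
aaa authentication enable console tac_servers LOCAL

! ---- Catalyst 6500 supervisor (12.2(33)SXI), privileged exec; slot number is assumed ----
! Switch# session slot 3 processor 1
! The first login prompt here is satisfied by the TACACS+ username/password (see the
! FWSM-6-605005 message earlier in the thread). The posters report that "enable" in that
! session then prompts for a password only and accepts the local password rather than
! consulting tac_servers, which is the behaviour this thread is trying to explain.
```

To see which server group, if any, is consulted at the enable prompt, run show debug in the system execution space during the session, as the original poster did; the "Processing challenge" line shows whether the challenge was a username or only a password prompt.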

That confirms that enable authentication for system context is done based on enable password and not the tacacs+.

But I am going to check and let you know.

BTW, what code are you running on the FWSM?

3.2(4), looking to upgrade to 4 in the next month or so.

thanks much

P

I'm wondering if anyone has found an answer to this. I have the exact same problem where authentication is working to the FWSM, but when I try to go into enable mode it uses the password that is configured via the enable secret command and not what is in the ACS server. I tried using "aaa authentication enable console {LOCAL | server_group [LOCAL]}" but it doesn't seem to work.

Any thoughts?
