
SSH access problem in ASA 5520 v7.2

Hi all,

I have configured 2 ASA 5520s in active/standby failover and also configured Telnet and SSH on them, such that Telnet uses the local database for authentication and SSH uses TACACS+ for AAA. The problem is that when trying to log in using SSH, I am able to log in to the console but not to enable mode.

What could be the problem?

Sree

6 REPLIES
Cisco Employee

Re: SSH access problem in ASA 5520 v7.2

Did you configure privilege level 15 for Enable options on the ACS server for the group/user?

Cisco Employee

Re: SSH access problem in ASA 5520 v7.2

Issue "sh run aaa". What does the "aaa authentication enable console ..." line say?

-KS

Re: SSH access problem in ASA 5520 v7.2

Hi Husankar,

aaa authentication enable console server-group LOCAL.

Regards,

Sree

Re: SSH access problem in ASA 5520 v7.2

Hi halijenn,

Thanks for the quick reply. The ACS is configured properly. I am able to do the SSH normally on all other Cisco devices.

Regards,

Sree

Cisco Employee

Re: SSH access problem in ASA 5520 v7.2

ASA works a little bit differently in regards to enable mode authentication compared to other Cisco devices, like IOS routers and switches.

Please check on the ACS server if the "enable" option of privilege level 15 on the ACS server for the group/user is configured as advised earlier, as per the following:

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_tech_note09186a00800949d6.shtml

You would also need to manually switch to enable mode on ASA:

http://www.ciscotaccc.com/kaidara-advisor/security/showcase?case=K25224726

Cisco Employee

Re: SSH access problem in ASA 5520 v7.2

Make sure this ACS user has priv 15 configured.

Otherwise, try to just remove this line, "aaa authentication enable console server-group LOCAL", and use the enable password configured on the ASA.

-KS
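
The check the replies above walk through, as an added example that is not part of the original thread or Cisco's own tooling: it reads "sh run aaa" output and reports which method the ASA uses for enable authentication. The sample config and the group name TACACS-GRP are constructed placeholders.

```python
import re

# Constructed sample of "sh run aaa" output; TACACS-GRP is a placeholder name.
SAMPLE = """\
aaa-server TACACS-GRP protocol tacacs+
aaa authentication telnet console LOCAL
aaa authentication ssh console TACACS-GRP LOCAL
aaa authentication enable console TACACS-GRP LOCAL
"""

# aaa authentication <access> console {LOCAL | server_group [LOCAL]}
AAA_LINE = re.compile(
    r"^aaa authentication (serial|enable|telnet|ssh|http) console (\S+)(?: (LOCAL))?\s*$"
)

def parse_aaa(config):
    """Map each access type to (primary method, has LOCAL fallback)."""
    methods = {}
    for line in config.splitlines():
        m = AAA_LINE.match(line.strip())
        if m:
            access, primary, fallback = m.groups()
            methods[access] = (primary, fallback == "LOCAL")
    return methods

def enable_findings(config):
    """Return notes on how enable mode is authenticated after an SSH login."""
    methods = parse_aaa(config)
    ssh, enable = methods.get("ssh"), methods.get("enable")
    notes = []
    if enable is None:
        notes.append("no 'aaa authentication enable console' line: "
                     "enable uses the enable password configured on the ASA")
    elif enable[0] == "LOCAL":
        notes.append("enable is checked against the LOCAL database")
    else:
        notes.append(f"enable is checked against server group {enable[0]}: "
                     "the user needs enable/privilege 15 on that server")
        if not enable[1]:
            notes.append("no LOCAL fallback for enable if the server is unreachable")
    if ssh and enable and ssh[0] != enable[0]:
        notes.append(f"ssh login uses {ssh[0]} but enable uses {enable[0]}")
    return notes
```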
