
Introduction

This procedure explains how to change the password for a telnet admin session on the ASA platform using a Cisco ACS TACACS server.

Note: Password change for SSH and ASDM admin sessions is not supported.

 

What is a TACACS Server?

TACACS stands for Terminal Access Controller Access Control System. The protocol is used for authentication. It is common on UNIX networks, where it allows a remote access server to forward a user's credentials to an authentication server, which determines the access associated with those credentials.

 

TACACS+ is a successor to TACACS. RADIUS has taken the place of the earlier protocols in present-day products. TACACS+ works over TCP and RADIUS works over UDP. Users recommend implementing TACACS+ because TCP is a reliable protocol when compared with UDP. TACACS+ performs authentication, authorization and accounting, whereas in RADIUS authentication and authorization are possible with a user profile.

Configuration on ASA

 

1. Define the TACACS aaa-server

5580-20-1(config)# show runn aaa-server TACACS17
aaa-server TACACS17 protocol tacacs+ 
aaa-server TACACS17 (inside) host 10.148.1.17 
key cisco 
5580-20-1(config)#

2. Define the administrative authentication type for telnet

5580-20-1(config)# show runn aaa     
aaa authentication telnet console TACACS17 
5580-20-1(config)#

ACS/TACACS server Configuration

1. Under Interface - TACACS+ (Cisco IOS), go to Advanced Configuration Options


2. Check the Advanced TACACS+ Features option

Image:Tacacs1.gif


3. Under Group, go to the Password Aging Rules section and check Apply password change rule

Image:tacacs_2.gif


4. Under User, go to the TACACS+ Enable Password section and check Use Cisco PAP Password

Image:Tacacs3.gif


5. Under System Configuration, select Local Password Management and set a proper policy

Image:Tacacs4.gif

 

 

Telnet Session Password Change

Here is the expected behavior.

Image:tacacs5.gif

 

Syslogs for exchange

%ASA-6-113010: AAA challenge received for user telnet1 from server mcs-ibm3.
%ASA-6-113004: AAA user authentication Successful : server =  mcs-ibm3 : user = telnet1
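
To track this exchange in collected ASA syslogs, the sketch below pairs each 113010 challenge with the next 113004 success for the same user and server, and lists challenges that were never followed by a success. It is an added example, not part of the original procedure. It assumes the message layouts match the two lines above and that a challenge followed by a success marks a candidate password change; the function name and the sample lines after the first two are constructed.

```python
import re

# Patterns follow the two ASA syslog messages shown above (113010, 113004).
CHALLENGE = re.compile(
    r"%ASA-6-113010: AAA challenge received for user (?P<user>\S+) "
    r"from server (?P<server>\S+?)\.?\s*$")
SUCCESS = re.compile(
    r"%ASA-6-113004: AAA user authentication Successful : "
    r"server =\s*(?P<server>\S+) : user = (?P<user>\S+)")


def correlate(lines):
    """Pair AAA challenges with the next success for the same user and server.

    Returns (completed, pending):
      completed - [(user, server, challenge_count)] for challenges that were
                  followed by a successful authentication
      pending   - [(user, server)] for challenges never followed by a success
    """
    open_challenges = {}  # (user, server) -> challenges seen since last success
    completed = []
    for line in lines:
        m = CHALLENGE.search(line)
        if m:
            key = (m["user"], m["server"])
            open_challenges[key] = open_challenges.get(key, 0) + 1
            continue
        m = SUCCESS.search(line)
        if m:
            key = (m["user"], m["server"])
            count = open_challenges.pop(key, 0)
            if count:  # a success with no prior challenge is a plain login
                completed.append((*key, count))
    return completed, sorted(open_challenges)


# First two lines are from the page; the rest are constructed for illustration.
SAMPLE = [
    "%ASA-6-113010: AAA challenge received for user telnet1 from server mcs-ibm3.",
    "%ASA-6-113004: AAA user authentication Successful : server =  mcs-ibm3 : user = telnet1",
    "%ASA-6-113004: AAA user authentication Successful : server =  mcs-ibm3 : user = telnet3",
    "%ASA-6-113010: AAA challenge received for user telnet2 from server mcs-ibm3.",
    "%ASA-6-113010: AAA challenge received for user telnet2 from server mcs-ibm3.",
]

if __name__ == "__main__":
    done, pending = correlate(SAMPLE)
    print("challenge then success:", done)
    print("challenge without success:", pending)
```

Entries in the second list are challenges with no matching success in the supplied window, for example an abandoned or rejected password change.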