Content:
Introduction
This procedure will explain how to change the password for a telnet admin session on the ASA platform using Cisco ACS TACACS server.
Note: Password change for SSH and ASDM admin sessions are not supported.
WHat is TACACS Server?
TACACS stands for Terminal Access Controller Access Control System. This protocol was used for authentication purpose. It is common for UNIX networks which provide allowance to a remote access server which forward user's credentials in order to determine access related to credentials by an aunthentication server.
TACACS+ is a successor to TACACS. RADIUS has taken place of earlier protocols in now days products. TACACS+ works on TCP and RADIUS works on UDP. Users recommend implementing TACACS+ because TCP is a reliable protocol when compared with UDP. TACACS+ perform authentication,authorization and accounting where as in RADIUS authentication and authorization is possible with user profile.
Configuration on ASA
1. Define the TACACS aaa-server
5580-20-1(config)# show runn aaa-server TACACS17
aaa-server TACACS17 protocol tacacs+
aaa-server TACACS17 (inside) host 10.148.1.17
key cisco
5580-20-1(config)#
2. Define the administrative authentication type for telnet
5580-20-1(config)# show runn aaa
aaa authentication telnet console TACACS17
5580-20-1(config)#
ACS/TACACS server Configuration
1. Under Interface-TACSACS(Cisco IOS) go to Advanced Configuration Options
2. Check the Advanced TACACS+ Feautures option
3. Under Group go to Password Aging Rules section and check Apply password change rule
4. Under User go to TACACS+ Enable PAssword secion and check Use Cisco PAP Password
5. Under System Configuration select Local Password Management and set a proper policy
Telnet Session Password Change
Here is the expected behavior.
Syslogs for exchange
%ASA-6-113010: AAA challenge received for user telnet1 from server mcs-ibm3.
%ASA-6-113004: AAA user authentication Successful : server = mcs-ibm3 : user = telnet1