ASA +tacacs enable mode problem ** SOLVED **

tf2-conky
Level 1

It seems this topic has been covered plenty already, but I just thought I would share my experience getting tacacs+ authentication working with enable mode (privilege level 15) for our ASA5550. Probably unique to my setup, but perhaps this can help anyone else who comes across this problem.

Before I begin I would like to say I found the Cisco documentation somewhat confusing - http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/start.html

Anyway, to give some background, we use tacacs+ for telnet (auth/accounting) with existing Cisco routers/switches. If specified in tacacs.conf, a user can log on to a device with full enable access without having to first escalate privileges. I just expected the ASA would support this. This is not the case, as I discovered from this thread - http://forum.cisco.com/eforum/servlet/NetProf?page=netprof&forum=Security&topic=AAA&topicID=.ee6e1fe&CommCmd=MB%3Fcmd%3Dpass_through%26location%3Doutline%40^1%40%40.2cc21a1e/0#selected_message "...The ASA/PIX doesn't do "exec" authorization like a router does, to put you straight into privilege level 15..."

In the tacacs.conf file on your tacacs+ server make sure you create a user called $enab15$. This is in addition to your individual user accounts. This is a global "enable" user that is used to authenticate escalating to enable privilege mode for any user in tacacs.conf.

Here is the config I'm using that works:

** ASA5550 **

! TACACS+ server group, reachable via the management interface
aaa-server MNGT-TAC protocol tacacs+
aaa-server MNGT-TAC (mngt0_0_management_int) host 192.168.66.2
 key cisco
!
! Login and enable authentication go to TACACS+ first, LOCAL as fallback
aaa authentication telnet console MNGT-TAC LOCAL
aaa authentication enable console MNGT-TAC LOCAL
!
! Accounting for logins, enable, and commands
aaa accounting telnet console MNGT-TAC
aaa accounting enable console MNGT-TAC
aaa accounting command MNGT-TAC
!
! Only the management host may telnet in
telnet 192.168.66.1 255.255.255.255 mngt0_0_management_int

** TACACS server /etc/tac-plus/tacacs.conf **

accounting file = /var/log/tac-plus/account
key = cisco # comment while debug

## Global enable password: the ASA authenticates "enable" against this user
user = $enab15$ {
    login = des cs23Dsd2bslz # use DES encryption
}

## Individual user account
user = asa-test {
    service = exec {
        default attribute = permit
        priv-lvl = 15
    }
    login = des bs2Apbk0xCT0D
}

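As an added example (not part of the original post, and not the poster's or Cisco's code), here is a small Python lint that checks a tac_plus tacacs.conf for the two things the post says the ASA needs: a global `key` matching the `aaa-server` key, and a `$enab15$` user with a password, since the ASA sends "enable" authentication to that user rather than using the per-user `priv-lvl`. It also flags `cleartext` logins. The parser only understands the subset of tac_plus syntax shown in the post (top-level `k = v` lines, `user = name { ... }` blocks, `login = method secret`, and a nested `service = exec { priv-lvl = N }` block); the embedded config is a constructed copy of the post's excerpt, and the finding wording is my own.

```python
"""Lint a tac_plus tacacs.conf excerpt for ASA enable-mode prerequisites.

Added example, not code from the original post. Handles only the subset
of tac_plus syntax shown on the page; it is not a full tac_plus parser.
"""
import re

ENABLE_USER = "$enab15$"  # tac_plus's special user for ASA/PIX "enable" auth

# Constructed copy of the post's tacacs.conf excerpt (sample input).
SAMPLE_CONF = """\
accounting file = /var/log/tac-plus/account
key = cisco # comment while debug

## Global enable password
user = $enab15$ {
    login = des cs23Dsd2bslz # use DES encryption
}

user = asa-test {
    service = exec {
        default attribute = permit
        priv-lvl = 15
    }
    login = des bs2Apbk0xCT0D
}
"""


def parse_tacacs_conf(text):
    """Return (globals, users).

    globals: dict of top-level "key = value" lines (e.g. "key", "accounting file").
    users:   username -> {"login": (method, secret) or None, "priv_lvl": int or None}
    """
    globals_, users = {}, {}
    current, in_exec = None, False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not line:
            continue
        m = re.match(r"user\s*=\s*(\S+)\s*\{", line)
        if m:  # start of a user block
            current = m.group(1)
            users[current] = {"login": None, "priv_lvl": None}
            continue
        if current is None:  # top-level directive such as "key = cisco"
            m = re.match(r"(\S+(?:\s+\S+)?)\s*=\s*(.+)", line)
            if m:
                globals_[m.group(1)] = m.group(2).strip()
            continue
        if re.match(r"service\s*=\s*exec\s*\{", line):
            in_exec = True
            continue
        if line == "}":  # close the innermost open block
            if in_exec:
                in_exec = False
            else:
                current = None
            continue
        m = re.match(r"login\s*=\s*(\S+)\s+(\S+)", line)
        if m:
            users[current]["login"] = (m.group(1), m.group(2))
            continue
        m = re.match(r"priv-lvl\s*=\s*(\d+)", line)
        if m and in_exec:
            users[current]["priv_lvl"] = int(m.group(1))
    return globals_, users


def lint(text):
    """Return a list of findings; an empty list means the checks all passed."""
    globals_, users = parse_tacacs_conf(text)
    findings = []
    if "key" not in globals_:
        findings.append("no global 'key' line; the ASA aaa-server key will not match")
    if ENABLE_USER not in users:
        findings.append(
            f"missing user {ENABLE_USER}; ASA 'aaa authentication enable console' "
            "has nothing to authenticate against"
        )
    for name, u in users.items():
        if u["login"] is None:
            findings.append(f"user {name} has no login password")
        elif u["login"][0] == "cleartext":
            findings.append(f"user {name} stores its password in cleartext")
    return findings


if __name__ == "__main__":
    for finding in lint(SAMPLE_CONF) or ["OK: config satisfies the ASA enable checks"]:
        print(finding)
```

The `priv-lvl = 15` on `asa-test` is parsed but deliberately not treated as sufficient, matching the post's point that the ASA does not do exec authorization and still needs `$enab15$` for enable.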