I know somebody asked a question here about configuring AAA with
TACACS on Cisco ASA firewalls, but somehow I was unable to post my
question as a reply within the same thread, so I apologize for
starting a new one.
I'm trying to configure TACACS authentication and authorization with
tac_plus on a Cisco ASA5500 appliance, and so far I've been unable to
make it work. I've read the post mentioned above carefully and
followed all the links, and also visited the Cisco support pages, but
without any luck.
In their configuration guide, Cisco says I must have authentication
working first and only then attempt to configure authorization, but
somehow the ASA seems to lock me out as soon as authentication is
configured.
Here's how the AAA configuration looks:
aaa-server TAC-Mtl protocol tacacs+
aaa-server TAC-Mtl (INSIDE) host 10.154.151.187
aaa authentication enable console TAC-Mtl LOCAL
aaa authentication http console TAC-Mtl LOCAL
aaa authentication ssh console TAC-Mtl LOCAL
aaa local authentication attempts max-fail 5
Here is what the ASA sees after I've been authenticated successfully:
capasa01> sh curpriv
Username : ilien
Current privilege level : 1
Current Mode/s : P_UNPR
Here is the relevant portion of my tac_plus.conf file:
id = tac_plus {
    access log = /var/log/tac_plus/access.log
    authorization log = /var/log/tac_plus/authorization.log
    accounting log = /var/log/tac_plus/accounting.log
    syslog level = INFO
    syslog facility = DAEMON
    retire limit = 500
    user backend = mavis
    login backend = mavis
    mavis module = external {
        script out = {
            if ( $TACMEMBER =~ "telecom-admin" )
                set $TACMEMBER = "telecom-admin"
        }
        exec = /usr/local/lib/mavis/mavis_tacplus_passwd.pl
    }
    host = asa5500 {
        address = 10.253.1.0/24
        key = "********"
    }
    group = telecom-admin {
        default service = permit
        service = shell {
            default command = permit
            set priv-lvl = 15
        }
    }
}
And here's what the tac_plus daemon is saying in its access.log file:
...
10.253.1.65: shell login for 'ilien' from 10.154.151.187 on 2 succeeded
...
10.253.1.65: enable 15 for 'ilien' from 10.154.151.187 on 3 failed (password not set)
...
10.253.1.65: enable 15 for 'ilien' from 10.154.151.187 on 4 failed (password not set)
I'm a little bit puzzled, because tac_plus has just checked my password
and allowed me to log in, yet when I try to use the enable command, my
password is "not set". What password are the ASA and tac_plus talking
about here?
Any idea would be appreciated,
Nicu ILIE
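Added example, not part of the original post or of the tac_plus distribution: the same group block with an enable password defined beside the posted one. It assumes that the "password not set" message in access.log means tac_plus found no enable password for the user at the requested level, which is what the `enable` keyword in tac_plus.conf configures (the login password and the enable password are separate credentials in tac_plus; a successful login does not make the login password valid for `enable`). The host name, address, key and secret below are placeholders.

```conf
id = tac_plus {
    host = asa5500 {
        address = 10.253.1.0/24
        key = "PLACEHOLDER-KEY"        # placeholder, not the real key
    }

    # As posted: the ASA requests "enable 15" for this user, but no enable
    # password exists for the group, so every enable attempt is refused.
    #
    # group = telecom-admin {
    #     default service = permit
    #     service = shell {
    #         default command = permit
    #         set priv-lvl = 15
    #     }
    # }

    # Corrected: define an enable password for the group. Pick ONE of the
    # two forms below (both are assumed from the tac_plus.conf syntax).
    group = telecom-admin {
        default service = permit

        # Form A: reuse the user's login password for enable (all levels).
        enable = login

        # Form B: a distinct enable secret for level 15 only.
        # enable 15 = clear "PLACEHOLDER-ENABLE-SECRET"

        service = shell {
            default command = permit
            set priv-lvl = 15
        }
    }
}
```

After a restart or reload of the daemon, an `enable` attempt from the ASA should be logged in access.log as "enable 15 for 'ilien' ... succeeded" instead of "failed (password not set)". Form A is the least surprising for operators, since the ASA prompts for a password and the same credential is accepted for both login and enable; Form B keeps a separate enable secret, which is the safer choice if the login backend (here the external mavis script) is fed from a directory whose passwords are shared with other systems. Note that `set priv-lvl = 15` in the shell service only tells the ASA what level to grant when it asks for authorization; it does not by itself satisfy the ASA's enable authentication request, which is why the login succeeds while enable fails.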