Command authorization issue with TACACS on Cisco ASA5500


nilie

Apr 4, 2012, 8:54:13 PM4/4/12
to Event-Driven Servers
I know somebody asked here a question about configuring AAA with
TACACS on Cisco ASA firewalls but somehow I was unable to post my
question as a reply within the same thread so I will apologize for
starting a new one.

I'm trying to configure TACACS authentication and authorization with
tac_plus on a Cisco ASA5500 appliance and so far I've been unable to
make it work. I've read carefully the post mentioned above and
followed all the links, also visited Cisco support pages but without
any luck.

In their configuration guide, Cisco is saying I must have the
authentication working first and only then attempt to configure
authorization but somehow the ASA seems to lock me out as soon as the
authentication is configured.

Here's how the AAA configuration looks:

aaa-server TAC-Mtl protocol tacacs+
aaa-server TAC-Mtl (INSIDE) host 10.154.151.187
aaa authentication enable console TAC-Mtl LOCAL
aaa authentication http console TAC-Mtl LOCAL
aaa authentication ssh console TAC-Mtl LOCAL
aaa local authentication attempts max-fail 5

Here is what the ASA sees after I've been authenticated successfully:

capasa01> sh curpriv
Username : ilien
Current privilege level : 1
Current Mode/s : P_UNPR

Here is the relevant portion of my tac_plus.conf file:

id = tac_plus {
    access log = /var/log/tac_plus/access.log
    authorization log = /var/log/tac_plus/authorization.log
    accounting log = /var/log/tac_plus/accounting.log
    syslog level = INFO
    syslog facility = DAEMON
    retire limit = 500
    user backend = mavis
    login backend = mavis
    mavis module = external {
        script out = {
            if ( $TACMEMBER =~ "telecom-admin" )
                set $TACMEMBER = "telecom-admin"
        }
        exec = /usr/local/lib/mavis/mavis_tacplus_passwd.pl
    }
    host = asa5500 {
        address = 10.253.1.0/24
        key = "********"
    }
    group = telecom-admin {
        default service = permit
        service = shell {
            default command = permit
            set priv-lvl = 15
        }
    }
}

And here's what the tac_plus daemon is saying in its access.log file:

... 10.253.1.65: shell login for 'ilien' from 10.154.151.187 on 2
succeeded
... 10.253.1.65: enable 15 for 'ilien' from 10.154.151.187 on 3 failed
(password not set)
... 10.253.1.65: enable 15 for 'ilien' from 10.154.151.187 on 4 failed
(password not set)

I'm a little bit puzzled because tac_plus has just checked my password
and allowed me to log in, yet when I try to use the enable command, my
password is not set. What password are the ASA/tac_plus talking about
here?

Any idea would be appreciated,

Nicu ILIE

Paul Marin

Apr 9, 2012, 9:35:23 AM4/9/12
to event-driv...@googlegroups.com
Hi Nicu,


On 04/04/2012 08:24 p.m., nilie wrote:
    group = telecom-admin {
        default service = permit
        service = shell {
            default command = permit
            set priv-lvl = 15
        }

Remember that, when working with Cisco ASA and PIX, you initially log in to the firewall at an unprivileged level. So, if you want to enable privilege then you have to issue the enable command and type in the user's password again.

On the tac_plus side, you have to configure the enable = login keyword inside the user group configuration. For example:
    group = telecom-admin {
        enable = login
        default service = permit
        service = shell {
            default command = permit
            set priv-lvl = 15
        }

From the tac_plus manual:
However, some implementations may resend the user password at the Enable Password: prompt. In that case you've got
only two options: Either use
enable = login


I hope that helps for you.

Kindly,

Paul
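The access.log lines in the original post are the symptom Paul describes: a successful shell login followed by enable attempts that fail with "password not set" because the ASA resends the login password at the Enable prompt and the user's group has no `enable = login`. The following script is an added example, not code from the thread or from the tac_plus project: it parses access.log lines in the format shown above and flags user/device pairs that show exactly that pattern. The sample lines are constructed from the ones in the post, with a constructed timestamp prefix standing in for the "..." the original elided; the regular expression is an assumption based on the three quoted lines, not on the full tac_plus log grammar.

```python
"""Classify tac_plus access.log entries and flag the
'login succeeded, enable failed (password not set)' pattern."""
import re
from collections import defaultdict

# Constructed sample: the lines quoted in the thread plus one unrelated
# failed login; the timestamp prefix is a constructed placeholder.
SAMPLE_LOG = """\
2012-04-04 20:50:01 10.253.1.65: shell login for 'ilien' from 10.154.151.187 on 2 succeeded
2012-04-04 20:50:07 10.253.1.65: enable 15 for 'ilien' from 10.154.151.187 on 3 failed (password not set)
2012-04-04 20:50:12 10.253.1.65: enable 15 for 'ilien' from 10.154.151.187 on 4 failed (password not set)
2012-04-04 20:51:00 10.253.1.65: shell login for 'other' from 10.154.151.188 on 5 failed
"""

# Assumed format, derived from the three lines quoted in the thread:
#   <nas>: shell login for '<user>' from <client> on <n> succeeded|failed
#   <nas>: enable <level> for '<user>' from <client> on <n> failed (<reason>)
LINE_RE = re.compile(
    r"(?P<nas>\d{1,3}(?:\.\d{1,3}){3}): "
    r"(?:(?P<login>shell login)|enable (?P<level>\d+)) for '(?P<user>[^']+)' "
    r"from (?P<client>\S+) on (?P<session>\d+) "
    r"(?P<result>succeeded|failed)(?: \((?P<reason>[^)]*)\))?"
)


def parse_line(line):
    """Return a dict for one login/enable event, or None for other lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "nas": m.group("nas"),                       # device that sent the request
        "kind": "login" if m.group("login") else "enable",
        "level": int(m.group("level")) if m.group("level") else None,
        "user": m.group("user"),
        "client": m.group("client"),
        "session": int(m.group("session")),
        "ok": m.group("result") == "succeeded",
        "reason": m.group("reason"),                 # None when the line has no "(...)"
    }


def parse_log(text):
    """Parse every recognisable line of an access.log excerpt."""
    return [e for e in (parse_line(l) for l in text.splitlines()) if e]


def diagnose(events):
    """Per (nas, user): at least one successful shell login, no successful
    enable, and enable failures whose reason is 'password not set'.
    Returns a list of (nas, user, failed_enable_count) tuples."""
    counts = defaultdict(lambda: {"login_ok": 0, "enable_ok": 0, "enable_nopw": 0})
    for e in events:
        c = counts[(e["nas"], e["user"])]
        if e["kind"] == "login" and e["ok"]:
            c["login_ok"] += 1
        elif e["kind"] == "enable" and e["ok"]:
            c["enable_ok"] += 1
        elif e["kind"] == "enable" and e["reason"] == "password not set":
            c["enable_nopw"] += 1
    return [
        (nas, user, c["enable_nopw"])
        for (nas, user), c in sorted(counts.items())
        if c["login_ok"] and c["enable_nopw"] and not c["enable_ok"]
    ]


if __name__ == "__main__":
    for nas, user, n in diagnose(parse_log(SAMPLE_LOG)):
        print(f"{user}@{nas}: login ok, {n} enable attempt(s) failed with "
              f"'password not set'; check that the user's group has 'enable = login'")
```

Running it against the sample reports `ilien@10.253.1.65` with two failed enable attempts, which is the condition the `enable = login` line in the corrected group fixes; the unrelated failed login for `other` is not reported because it never succeeded in the first place.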

nilie

Apr 14, 2012, 9:30:38 PM4/14/12
to Event-Driven Servers


On Apr 9, 9:35 am, Paul Marin <pmarin...@gmail.com> wrote:
> Hi Nicu,
>
> On 04/04/2012 08:24 p.m., nilie wrote:
>     group = telecom-admin {
>         default service = permit
>         service = shell {
>             default command = permit
>             set priv-lvl = 15
>         }
>
> Remember that, when working with Cisco ASA and PIX, you initially log in to the firewall at an unprivileged level. So, if you want to enable privilege then you have to issue the enable command and type in the user's password again.
>
> On the tac_plus side, you have to configure the enable = login keyword inside the user group configuration. For example:
>     group = telecom-admin {
>         enable = login
>         default service = permit
>         service = shell {
>             default command = permit
>             set priv-lvl = 15
>         }
>
> From the tac_plus manual:
> However, some implementations may resend the user password at the Enable Password: prompt. In that case you've got
> only two options: Either use
> enable = login
>
> I hope that helps for you.
>
> Kindly,
>
> Paul

Thank you very much, Paul, applying your suggestion solved my
problem.

Nicu