ASA enable mode with ACS

Similar Messages

• ASA transparent mode with secondary IP on the router

  Hi
  I have
  Router --- ASA (Transparent)----Switch
  and just wonder if it is possible to configure secondary IP on the router interface which is connected to ASA
  so there is plenty of room in terms of LAN IP range.
  Or to implement this, do I have change ASA to context mode and modify configuration on the ASA?
  hope I do not have to change anything on the ASA.
  Thanks

  ASA in transparant mode work as L2 device
  so what ever ips u use dosent matter
  u dont need to change anything in the ASA while it is in transperant mod
  but be careful of what is allowed to be passed through the firewall
  u can control it by ACLs
  the router and the switch u have will operat in L3 as thy connected directly or nothing between them from routing and layer three prespective
  so they shoud be in the same subnet VLAN and so on
  good lcuk
  please, if helpful rate

• Configuring ASA w/8.2(1) to work with ACS 3.3- enable issues.

  Hello all-
  Having an issue with the ASA devices. Here is the relevant part of the configuration:
  <aaa commands>
  aaa-server TACACS+ protocol tacacs+
  aaa-server TACACS+ (outside) host <host ip>
  key <key>
  aaa-server TACACS+ (outside) host <host2 ip>
  key <key>
  aaa authentication ssh console TACACS+ LOCAL
  aaa authentication enable console LOCAL
  aaa authentication serial console LOCAL
  aaa authentication http console TACACS+ LOCAL
  aaa authorization command TACACS+
  The problem is that when we put the devices into the server database, we can use our TACACS+ accounts, but it only lets us into privilege level 1 and does not allow us to go to enable mode at all.
  When we remove the devices from the server (thus attempting to fall back to local authentication) we can get in and into enable using the local admin password, but we can't do anything from the enable mode with out getting the 'command authorization failed' message.
  We have tried to go into the user definition on the ACS (v3.3) server and set the max privilege to 15, but it doesn't seem to have any affect.
  Does anybody have any idea of what is happening?

  well well , i guess you are getting the lovely enable 15 user account on ACS failed attempts for failed authorization.
  so cool ha:)
  It is the ASA trying to force the authorization using that lovely account , what you need to overcome that is having the enable authentication done against the ACS itself.
  By adding the following command on the ASA:
  aaa authentication login console TACACS+ local
  on the ACS make sure that enable password authentication is enabled for the user.
  There you have three options: either you use the same PAP password or spearate one or if you are trying with user
  defined on external db with that user password on the external db.
  Please Don't Forget to rate correct answers

• RSA SecurID and Cisco ACS integration for user(s) with enable mode

  I thought I had this problem figured out but I guess not.
  I have a Cisco 2621 router with IOS 12.2(15)T17. Behind the
  router is a Gentoo linux, RSA SecurID 6.1 and Cisco ACS 3.2.
  I use tacacs+ authentication for logging into the Cisco router
  such as telnet and ssh. In the ACS I use "external user databases"
  for authentication which proxy the request from the ACS over
  to the RSA SecurID Server. I installed RSA Agents with
  sdconf.rec file on the Cisco ACS server. I renamed "user group 1"
  to be "RSA_SecurID" group. In the "External user databases" and
  "database configurations" I assign SecurID to this "RSA_SecurID"
  group.
  Everything is working fine. In the "User Setup" I can see dynamic
  user test1, test2,...testn listed in there as "dynamic users". In
  other words, I can telnet into the router with my two-factor
  SecurID.
  The problem is that if test1 wants to go into "enable" mode with
  SecurID login, I have to go into "test1" user setting and select
  "TACACS+Enable Password" and choose "Use external database password".
  After that, test1 can go into enable mode with his/her SecurID
  credential.
  Well, this works fine if I have a few users. The problem is that
  I have about 100 users that I need to do this. The solution is
  clearly not scalable. Is there a setting from group level that
  I can do this?
  Any ACS "experts" want to help me out here? Thanks.

  That is not what I want. I want user "test1" to be able to do this:
  C
  Username: test1
  Enter PASSCODE:
  C2960>en
  Enter PASSCODE:
  C2960#
  In other words, test1 user has to type in his/her RSA token password to get
  into exec mode. After that, he/she has to use the RSA token password to
  get into enable mode. Each user can get into "enable" mode with his/her
  RSA token mode.
  The way you descripbed, it seemed like anyone in this group can go directly
  into enable mode without password. This is not what I have in mind.
  Any other ideas? Thanks.

• ASA enable authentication for AD user by ACS TACACS fails

  In order to authorize command on ASA8.x for different users, I have to put 'aaa authentication enable console TACACS' into ASA configuration, and in ACS - user setup - TACACS+ enable password - Use separate password, I set an enable password.
  It works fine for ACS local users, they are able to get into priv EXEC mode by entering 'enable' command and use my pre-set password, however, the password doesn't work for AD user.
  So, how to setup enable authorization for AD user?
  Or is there a way to drop a user directly into level 15 on ASA just like it on router?
  below is the debug info.(I'm sure the password is the one I set in ACS)
  LABASA1(config)# AAA API: In aaa_open
  AAA session opened: handle = 884
  AAA API: In aaa_process_async
  aaa_process_async: sending AAA_MSG_PROCESS
  AAA task: aaa_process_msg(d45bd5c8) received message type 0
  AAA FSM: In AAA_StartAAATransaction
  AAA FSM: In AAA_InitTransaction
  Initiating authentication to primary server (Svr Grp: TACACS)
  AAA FSM: In AAA_BindServer
  AAA_BindServer: Using server: 192.168.1.221
  AAA FSM: In AAA_SendMsg
  User: fostco\user1
  Resp:
  callback_aaa_task: status = -1, msg =
  AAA FSM: In aaa_backend_callback
  aaa_backend_callback: Handle = 884, pAcb = d5b193e0
  aaa_backend_callback: Error:
  Incorrect password.
  AAA task: aaa_process_msg(d45bd5c8) received message type 1
  AAA FSM: In AAA_ProcSvrResp
  Back End response:
  Authentication Status: -1 (REJECT)
  AAA FSM: In AAA_NextFunction
  AAA_NextFunction: i_fsm_state = IFSM_PRIM_AUTHENTICATE, auth_status = REJECT
  AAA_NextFunction: authen svr = TACACS, author svr = <none>, user pol = , tunn pol =
  AAA_NextFunction: New i_fsm_state = IFSM_DONE,
  AAA FSM: In AAA_ProcessFinal
  AAA FSM: In AAA_Callback
  user attributes:
  None
  user policy attributes:
  None
  tunnel policy attributes:
  None
  Auth Status = REJECT
  aaai_internal_cb: handle is 884, pAcb is d5b193e0, pAcb->tq.tqh_first is d441d1d8
  AAA API: In aaa_close
  AAA task: aaa_process_msg(d45bd5c8) received message type 3
  In aaai_close_session (884)

  I have run into a similar situation. I just want to authenticate via TACACS to enable mode in an ssh session. After using the "aaa authentication enable console TACACS LOCAL" command on the ASA, the ACS server rejects the password.
  I have tried everything I can think of on the ACS as far as "TACACS+ enable password" using both a windows database or a separate password, and PIX/ASA command sets. I cannot go into enable mode unless I set the ASA to LOCAL authentication, which just uses the globally defined enable password.

• Log into Device with AAA, how do I get right into enable mode?

  I am using a Cisco ACS server with an RSA server behind it. When the user is authenticated from the ACS server, I want them to go straight into enable mode, not have to type the enable mode password. What line am I missing?
  aaa authentication login ACS group ACS_servers local enable
  aaa authorization exec ACS group ACS_servers local
  aaa authorization commands 15 ACS group ACS_servers local
  aaa accounting commands 1 default start-stop group ACS_servers
  aaa accounting commands 15 default start-stop group ACS_servers
  line vty 0 5
  login authentication ACS
  authorization commmands 15 ACS

  The configuration in question is for telnet, but I do need to design my new console access connection. Console access would be either remotely or on-site, but I don't feel comfortable giving priv 15 right into it. I plan to use the same authentication method on the console (ACS group 1st, local database 2nd) and will just have to enter the enable password through the console.
  One more question on the aaa config, I kept getting this error in the log:
  AAA/AUTHOR: config command authorization not enabled
  So I added:
  aaa authorization config-commands
  I don't know if it was needed because I could still execute config-commands, but it kept giving me that warning if I didn't have that line.
  Also, do I really need this line if the ACS server is taking care of priv 15 authorization:
  aaa authorization commands 15 ACS if-authenticated

• ASA 5510 context base configuration in HA Mode with two different subnet

  Hi
  Please someone help me to configure the Firewall ASA 5510 in context based configuration in HA Mode with two different subnet....
  IP Details are below.....:
  interface Ethernet0/0
  nameif outside
  security-level 0
  ip address 10.10.10.2 255.255.255.0 standby 10.10.10.3
  interface Ethernet0/1
  no nameif
  security-level 0
  no ip address
  interface Ethernet0/1.101
  description INSIDE1
  vlan 101
  nameif INSIDE1
  security-level 90
  ip address 172.22.0.2 255.255.255.0 standby 172.22.0.3
  interface Ethernet0/1.102
  description INSIDE2
  vlan 102
  nameif INSIDE2
  security-level 80
  ip address 172.22.1.2 255.255.255.0 standby 172.22.1.3
  interface Ethernet0/3
  description LAN Failover Interface
  failover
  failover lan unit primary
  failover lan interface FAILOVER Ethernet0/3
  failover replication http
  failover interface ip FAILOVER 192.168.3.1 255.255.255.0 standby 192.168.3.2
  route outside 0.0.0.0 0.0.0.0 10.10.10.1 1

  Hi Sanjeev,
  If it is a context based configuration  that you are doing then, you would need to configure context on the ASA first, you can refer to this document for it:
  http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a00808d2b63.shtml
  Thanks,
  Varun Rao
  Security Team,
  Cisco TAC

• Can one enable turbo mode with acpi_cpufreq driver?

  Does anyone know if I can enable turbo mode with cpufreq driver? (acpi_cpufreq)
  I was able to achieve it with intel_pstate driver, but do not see any way with acpi_cpufreq. Or does performance governor automatically has turbo enabled?
  I am using Intel Xeon E5-2650, which has default frequencies of 1.2 - 2.6GHz, with turbo level of 3.4GHz.
  Last edited by kdar (2014-08-16 22:39:53)

  Turboboost is not always exposed to the firmware.
  http://askubuntu.com/questions/37618/is … st-working

• Unable to boot into safe mode with FileVault 2 enabled

  I was trying to boot into safe mode earlier to try and fix a few things. It looks like I can't and I suspect it is because of FV2.
  When the system starts I press shift after the tone, but then I have to release shift and enter the password and then Lion will only boot into normal mode.
  I've also tried with sudo nvram boot-args="-x" from the terminal, but while it seesm that this way Lion starts to boot into safe mode, after a while it just restarts as if something crashed etc and then again, I have to enter the password for FV and all again as in a loop, i.e. Lion won't even start this way.
  So I went into the recovery mode and I could make Lion start again at least in normale mode with sudo nvram boot-args="".
  Any idea of what could be preventing Lion from entering safe mode?
  Thanks in advance

  The symptom may be unrelated to FileVault 2. I encountered the symptom with FileVault 2 disabled and with backward conversion (decryption) complete.
  Apple reference for my bug report: 152162960. If the symptoms on your Mac compare to those on mine: progress may seem to cease during safe fsck.
  Vito, as you are comfortable with the nvram command, please try the following:
  sudo nvram boot-args="-v -x"
  Restart the computer and note the last verbose lines that appear before you sense that progress has ceased. Then please add a note of those lines to this topic.
  Additional questions
  What model is your Mac?
  What type of disk for the startup volume?
  How many files on that volume?
  Approximately how large are the attributes file and catalog file? (You might gain this information with a demo version of iDefrag.)
  My current envronment
  MacBookPro5,2
  8 GB memory
  startup from internal 320 GB rotational disk, Serial-ATA, Hitachi HTS723232L9SA62 (probably Travelstar 7K320)
  3,961,791 files
  495,744 folders /* not including the root folder */
  catalog file 3.0 GB, not fragmented
  attributes file 2.2 GB, not fragmented.
  At http://www.wuala.com/grahamperrin/public/2012/01/09/a/?mode=gallery file speedy.txt includes details of the volume.

• Tb not responding, even in safe mode with networking enabled?

  duplicate of [/questions/1054504]
  Hi,
  I've read many of the questions relating to TB not responding and it appears that it is related to anti virus, however I've restarted windows 7 in safe mode with networking, however TB still not responding. I've also ran TB in safe mode while still in windows safe mode and still not responding. I've uninstalled & re-installed TB all to no avail. I've uninstalled a program I recently installed although it was unrelated but still no change.

  ''Matt [[#answer-710384|said]]''
  <blockquote>
  Is your computer a little on the "slow side of things" historically the global search was something of an issue back when it was first introduced. It can sometime be an issue while the initial synchronization of large mail stores occurs. But this is almost always on lower powered machines
  Does your machine specification come close the these minimums ?
  Pentium 4 or newer processor that supports SSE2
  1GB RAM
  200 MB hard drive space
  </blockquote>
  The PC is an HP Pavillion
  AMD Phenom II X4 955
  8GB Ram
  1TB HDD

• Asa cmd authorization using acs

  Hi all, i was trying to authorize the asa with acs 3.2 on priv lvl 7 using tacacs+,but the users were geting priv-lvl 15 only..
  aaa-server aaa_serv protocol tacacs+
  aaa-server aaa_serv host 10.0.0.10
  key cisco123
  aaa authentication serial console tac_serv
  aaa authentication telnet console tac_serv
  aaa authentication enable console tac_serv
  aaa authorization command tac_serv
  i had brought some commands also in priv 7 using privilege commandm but the problem is that when i try to login i am geting priv-lvl 15 only not 7.i had set in acs also in tacacs+ seting to assign priv lvl=7 only to the users .. but dnt knw why it is nt wrking ..

  ASA does not have any authorization exec command so Priv Level does not work with ASA.
  Max privilege(enable attrib. in ACS)works with ASA.
  But if you implementing command authorization with ASA no need to configure max priv levels, let them all fall on priv level 15 and control access through command authorization.
  2 main commands required for command authorization are
  aaa authentication enable console tac_serv (this is because we do not have authorization exec in ASA so enable authentication is required for command auth to work)
  aaa authorization command tac_serv

• Logging directly into enable mode on a PIX using TACACS

  I have setup TACACS authentication on a PIX running 6.3(3). I can authenticate using TACACS just fine, but do not get put directly into enable mode. The ACS server is setup to do so, it works for routers and switches, but not the PIX box. If I put the "aaa authentication enable console TACACS" in the config I must enter the enable command and use the same password I logged in with to get into enable mode. Without the command, I have to use the configured enable secret password to get into the enable mode.
  Does anyone know it there is a way to configure the PIX to log someone directly into enable mode via TACACS?
  Thanks in advance

  Hi,
  PIX does not support exec authorization. Hence user cannot login to level 15 directly.
  Regards,
  Vivek

• How to skip enable mode password prompt.

  Hi,
  I just installed ACS 4.1 (first time working with ACS). Everything is working great and I'm using the ACS internal database for user authentication.
  The question I have is this. When logging into a router, which is authenticating against the ACS server, is there a way to bypass having to enter my password a second time to get to enable mode??
  Currently, I have to enter my username and password to login to the router and when I go to enable mode, I have to re-enter my password again.
  Any help is greatly appreciated.
  Thanks,
  Tony

  Hi,
  Here's my two penny's worth;
  I would take off the "authorization" lines as these are only needed to authorize exec and commands:
  no aaa authorization exec default group tacacs+ if-authenticated
  no aaa authorization commands 15 default group tacacs+ if-authenticated
  I would also remove the authentication enable line as this tells the device to authenticate enable mode access
  no aaa authentication enable default group tacacs+ enable
  And just test with the authentication login line, leave the accounting lines for now
  I would double check the following in ACS:
  Is the device in the right NDG?
  Do you have Per Group Defined Network Access Restrictions defined for this device?
  Is the user in the right group?
  In the group settings, Check you have Shell(exec) enabled, Privilege level set to 15, and under Enable Options ensure you have the right Priv level defined, per device, per group etc.
  Do you have either Shell Command Authorization Set or Per Group Command Authorization radio button selected?
  If you have Shell Command Authorization Set for the group ensure you have Unmatched Commands Permit selected.
  And authentication should be ok, then you can troubleshoot the authorization part...
  Is this on an appliance or other operating system? My experience of the appliances are that they're pretty c**p, too many bugs and little things that don't work...
  Just for info, you should have a last resort local username configured if ACS is down:
  username priv 15 password
  This will give you local access, and, if you find you have access issues as you have, you can remove the device from ACS, so it doesn't know about it, the device will try ACS not a get a response after the timeout period and prompt you for your username, enter your local password and you're in...
  I hope this helps...

• LMS Authentication with ACS 5.1

  Hi, I am using LMS authentication via ACS. I am able to login to LMS successfully with ACS user name and password but I can not execute most of the task it says you are not authorised. do i need to anything in LMS except enabling login module to tacacs...
  Let me know if I missed something.
  Thanks
  Ninja

  Integration with ACS 5.1 is not yet supported.  You can do authentication only with ACS 5.0, and 5.1 should work, but you will not be able to use full AAA integration.  Disable AAA mode, and set the login module to be TACACS+.  Point that to your 5.1 server, and you should be able to login, and run tasks in LMS.  However, you will still need to create local accounts in LMS for all of your users to do the authorization piece.

• Using AAA for enable mode

  I used to use TACACS and ACS to enable active directory accounts to be used for enable mode. After using their AD account to ssh or telnet you would then type enable and then use your AD password. Now I don't have TACACS and need to use Radius, IAS, on a windows server. I have telnet and ssh setup to use the AD accounts, but how/can I set up the enable mode to use AD accounts?
  thank you,
  Bill

  Bill,
  Enable authentication was meant to function with TACACS, and when used with RADIUS it does not perform the same. As a result, the only way for you to get enable authentication to work with RADIUS would be to input the username $enab15$ into your RADIUS server and every user would need to use that password to login to enable mode.
  Regards,
  ~JG
  Do rate helpful post