ACS 5.3, ASA using TACACS+ forces to PAP?
As the title says I'm trying to have an ASA (8.2.3) auth against an ACS 5.3 using TACACS+. It only works if I have PAP enabled on the ACS. Obviously this concerns me. I've found the following reference in the configuration guides:
TACACS+ Server Support
The ASA supports TACACS+ authentication with ASCII, PAP, CHAP, and MS-CHAPv1.
I can't figure out how to make the ASA use MS-CHAPv1 though. Seems like it should be pretty simple.
Incidentally I was having the same problem with VPN auth's using RADIUS but I was able to fix that by enabling the password management option which is only available in CHAPv2. Seems that option isn't available under TACACS+.
Any suggestions?
As far as I am aware the asa will only use PAP to authenticate console exec logins. I wish it used chap-v2.
Sent from Cisco Technical Support iPhone App
Similar Messages
-
Legacy Profile on ACS Unix migrate to ACS 4.2 windows using TACACS+ av-pair
Hello
I'm migrating on ACS Unix 2.x ver to ACS 4.2 windows
we only use TACACS+ protocol
ACS Unix managed the profile such as
group LANadmins{
service=shell {
cmd=interface{
permit "Ethernet *"
deny "Serial *"
cmd=aaa{
deny ".*"
cmd=tacacs-server{
deny ".*"
default cmd=permit
those things.
So, I' guessing That above syntex is similar to TACACS+ av-pairs
and I found TACACS+ av-pairs list. but I couldn't find out examples .
those are only shown the List and no examples.
Does anybody help me ?
ThanksI've been researching the differences between 4.2 and 5.4. There is a fundemental difference in the two. In my research, I have not found anything that Cisco indicates that log files can be imported. Because ACS 5.4 has it's own robust logging and database viewing tools, I'm leaning towards no. But I cannot give a definitive answer on this, sorry. Just know that I've read for several hours, and have not seen anything that talks about the importation of logging files. You can import users, mac addresses, etc. This may be something someone knows and will post eventually; probably need to call "The Cisco" and get a quicker answer.
-
Hi there,
We have an implementation of Cisco Secure ACS 4.1.4 using RSA SecurID as its authentication source to provide role-based access control and command level authorisation.
We have succesfully deployed this our routers/switches, and are now looking at configuring Cisco PIX/ASA devices to use ACS and have stubbled across issues.
Config on PIX/ASA (note we actually have 4 ACS servers defined for resilience etc):
aaa-server XXXXX protocol tacacs+
accounting-mode simultaneous
reactivation-mode depletion deadtime 1
max-failed-attempts 1
aaa-server XXXXX inside host <SERVER>
key <SECRET>
timeout 5
aaa authentication telnet console XXXXX LOCAL
aaa authentication enable console XXXXX LOCAL
aaa authentication ssh console XXXXX LOCAL
aaa authentication http console XXXXX LOCAL
aaa authentication serial console XXXXX LOCAL
aaa accounting command XXXXX
aaa accounting telnet console XXXXX
aaa accounting ssh console XXXXX
aaa accounting enable console XXXXX
aaa accounting serial console XXXXX
aaa authorization command XXXXX LOCAL
Problems:
Enter PASSCODE is NOT displayed on first attempt to logon to the PIX/ASA because it does not attempt to communicate with ACS until username/pass is sent.
Username with null password (e.g. CR) will correctly then display Enter PASSCODE prompt received from ACS.
PIX/ASA does not attempt to authenticate against all configured TACACS+ servers in one go, instead it tries each sequentially per authentication attemptâ¦.e.g.
1st Attempt = Server 1
2nd Attempt = Server 2
3rd Attempt = Server 3
4th Attempt = Server 4
This means that in total failure of ACS users will have to attempt authentication N+1 times before failing to LOCAL credentials depending on number of servers configured, this seems to be from setting "depletion deadtime 1" however the alternative is worse:
With âdepletion timedâ configured, by the time the user has attempted authentication to servers 2,3 and 4 the hard coded 30 second timeout has likely elapsed and the first server has been re-enabled by the PIX for authentication attempts, as such it will never fail to local authentication locking the user out of the device, the PIX itself does warn of this with the following error:
âWARNING: Fallback authentication is configured, but reactivation mode is set to
timed. Multiple aaa servers may prevent the appliance from ever invoking the fallback auth
mechanism.â
The next issue is that of accounting.....AAA Accounting does not record âSHOWâ commands or session accounting records (start/stop) or âENABLE".
The final issue is ASDM. We can login to ASDM successfully using ACS/RSA SecurID, however when a change is made to the configuration ASDM repeatedly sends the users logon credentials multiple times.
As RSA SecurID token can only be used once this fails and locks the account.
Any ideas on how to make two of Ciscos leading security products work together better?Just re-reading the PIX/ASA 7.2 command reference guide below:
http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/crt_72.pdf
It appears some of the above are known issues.
PASSCODE issue, page 2-17 states:
We recommend that you use the same username and password in the local database as the
AAA server because the security appliance prompt does not give any indication which method is being used.
Failure to LOCAL, page 2-42 states:
You can have up to 15 server groups in single mode or 4 server groups per context in multiple mode. Each group can have up to 16 servers in single mode or 4 servers in multiple mode. When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.
AAA Accounting, page 2-2 states:
To send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI, use the aaa accounting command command in global configuration mode.
ASDM issue, page 2-17 states:
HTTP management authentication does not support the SDI protocol for AAA server group
So looks like all my issues are known "features" of PIX/ASA integration with ACS, any ideas of how to achieve a "slicker" integration?
Is there a roadmap to improve this with later versions of the OS?
Will the PIX/ASA code ever properly support the same features as IOS?
Would it be better to look at using something like CSM instead of ASDM? -
Using TACACS+ auth from ACS 5.1.0.44 to ACE. Having Issues with Shell (Exec)
Using TACACS+ auth from ACS 5.1.0.44 to ACE. Having Issues with Shell (Exec)
So I am trying to get TACACS+ auth to work for my ACE.
The command string that I have on the ACE is as follows:
tacacs-server host 172.16.101.4 key 7 XXXYYYZZZ timeout 15
aaa group server tacacs+ tacacs+
server 172.16.101.4
aaa authentication login default group tacacs+ local
aaa authentication login console local
aaa accounting default group tacacs+ local
But to finish getting this enabled I need to create some sort of shell (exec) string in the ACS that tells the ACE what permission level to allocate.
I do not know how to do this on the ACS 5.1.0.44.
Anyone know?
TAC made a good suggestion but the command path doesn't seem to line up with my version of ACS.
Thanks for your reply. About this question:
shell:<Context>*<Role> <Domain>
What I meant is that you need to check the following couple of things on
your ACS server in order to have AAA Tacacs users to login into the
ACE over the context with superuser ritghts.
Group setup ‑> users ‑> TACACS + Settings ‑> enable Shell(exec)
‑> enable Custom attributes ‑> right below this part you need to
use the following sintax to link the ACE context that this user
has access to.
For example:
shell:<Context>*<Role> <Domain>
shell:Admin*Admin default‑domain
Where this user will have access to the Admin context with the role
admin using the 'default‑domain'Wilfred,
What you will have to do on your version of ACS is modify the shell profile that your admins are hitting for other IOS devices or you can create another shell profile under Policy Elements -> Device Administration ->
Once you get into this shell profile select the Custom Attributes tab and put in the following fields close to the bottom of the screen, from the example you provided type shell:Admin for the attribute field and then default-domain for the value field, and make sure you select this requirement as optional, if you select mandatory and other IOS devices use this same shell profile you will force this av pair to these devices also which will impact the priv levels that then need for authentication.
After you add this attribute, save your changes and then test, also make sure that your Aceess Policy is calling this shell profile under the authorization profile for default device admin.
Thanks,
Tarik Admani -
ASDM and privilege level (using TACACS)
Hi experts,
Initial question: How can I force ASDM to ask for the enable password when the user click on Apply ?
Environment description:
I have an ASA 5510 connected to an ACS 5.0.
Security policy:
I want the user defined on my ACS to be able to gain privilege level 15 but only after using their enable password. But by default the user must be in no privileged mode (<15).
A SNMP alert is sent when the ASA catches a "User priv level changed" syslog message. (logging customization)
ACS configuration:
Maybe I misunderstand the TACACS privilege level parameters on ACS.
I set a Shell Profile which gives the user the following privilege levels:
Default Privilege Level = 7
Maximum Privilege Level = 15
1st config tested on ASA:
aaa authentication ssh console grp-tacacs LOCAL
aaa authentication http console grp-tacacs LOCAL
aaa authentication enable console grp-tacacs LOCAL
! no authorization set
Results:
On CLI: perfect
My user authenticates with his network password to get EXEC access. Then he gains privilege access using the enable command and his enable password
On ASDM: policy security failure
When the user connects through ASDM, he gains privilege level 15 directly
It seems that if authorization is not set, ASDM always gives privilege level 15 to any user
So OK for CLI, but NOK pour ASDM
2nd config tested on ASA:
aaa authentication ssh console grp-tacacs LOCAL
aaa authentication http console grp-tacacs LOCAL
aaa authentication enable console grp-tacacs LOCAL
aaa authorization exec authentication-server
! no authorization command set
Results:
On CLI: lose enable access
I can't gain privilege level 15 access anymore. When I use the enable command, I move to privilege level 7 only. So in this case ASA use the TACACS Default Privilege Level value.
On ASDM: policy security failure
When the user connects through ASDM, he gains privilege level 7 as describe on the bottom of the ASDM window BUT the user has full rights and can change settings.
So NOK for CLI and ASDM
Question: Why do I have more access rights with ASDM as on CLI with the same settings ?
3rd config tested on ASA:
aaa authentication ssh console grp-tacacs LOCAL
aaa authentication http console grp-tacacs LOCAL
aaa authentication enable console grp-tacacs LOCAL
aaa authorization exec authentication-server
aaa authorization command LOCAL
! specific authorization command set for ASDM applied
Results:
On CLI: lose enable access (same as config 2)
On ASDM: unenable to gain privilege level 15 --> acceptable
When the user connects through ASDM, he gains privilege level 7 as describe on the bottom of the ASDM window AND the user really has level 7 access rights.
So NOK for CLI and Acceptable for ASDM
Question: Is there no possibility to move to enable mode on ASDM ?
4th config tested on ASA:
aaa authentication ssh console grp-tacacs LOCAL
aaa authentication http console grp-tacacs LOCAL
aaa authorization exec authentication-server
aaa authorization command LOCAL
! no aaa authentication for 'enable access', using local enable_15 account
! specific authorization command set for ASDM applied
Results:
On CLI: acceptable
My user authenticates with his network password to get EXEC access. Then he gains privilege access using the enable command and the local enable password
On ASDM: unenable to gain privilege level 15 --> acceptable (same as config 3)
So Acceptable for CLI and ASDM
Questions review:
1 - Is it possible to force ASDM to ask for the enable password when the user click on Apply ?
2 - Why do I have different access rights using ASDM as on CLI with the same settings ?
3 - Is there no possibility to move to enable mode on ASDM when the user is on privilege level 7 whereas he has Maximum Privilege Level = 15 ?
4 - How may I understand these parameters on TACACS: Default Privilege Level and Maximum Privilege Level ?
Thanks for your help.Thanks for your answer jedubois.
In fact, my security policy is like this:
A) Authentication has to be nominative with password enforcement policy
--> I'm using CS ACS v5.1 appliance with local user database on it
B) Every "network" user can be granted priviledge level 15
--> max user priviledged level is set to 15 in my authentication mechanism on ACS
C) A "network" user can log onto the network equipments (RTR, SW and FW) but having monitor access only first.
D) A "network" user can be granted priviledged level 15 after a second authentication which generates a log message
--> SNMP trap sent to supervision server
E) The user password and enable password have to be personal.
So, I need only 2 priviledged level:
- monitor (any level from 1 to 14. I set 7)
- admin (level 15)
For RTR, SW and FW (on CLI), it works as wanted: the "network" users connect to the equipment in monitor mode. They type "enable" and they use their private enable password to be granted priviledged level 15.
ASDM interface is requested by the customer.
For ASDM, as I were not able to satisfy the security policy, I apply this:
1- I activated Exec Shell Access authorization to get the default user priviledge level value from ACS
--> Then, when I log onto the ASDM using a "network" user, I have priviledge level 7 but I am able to change the parameter.
2- I activated LOCAL Command authorization (adding "ASDM defined User Roles")
--> Then, when I log onto the ASDM using a "network" user, I have priviledge level 7 and I can't push any modification.
--> The issue is that I can't push any modification on CLI either ... :-( because my user is stuck on "default priviledge level" 7 and can't get access to "max priviledge level 15" as defined on ACS when LOCAL authorization is set
(ok I go on my ACS and move the default priviledge level to 15 to restore an admin access to the ASA and apply 3- before resetting it to default priviledge level to 7)
3- I remove "aaa authorization enable console TACACS" to use local enable password
--> now I can't get admin access on ASDM: OK
--> and I can get admin access on CLI entering the local enable password
At the end, I satisfy my policy security tokens A to D but not E. That's a good compromise but do you see a solution to satisfy E either ?
Thanks -
Implement strategy for ASA on TACACS w/ restricted read-only access
An ASA5550 will need to be configured to use TACACS AAA. Currently, the ASA is setup for local authentication. A couple of privilege 15 admin users and a few more privilege 5 read-only users.
ASA 5550
running ASA 8.2(2)
using ASDM 6.3(5)
authenticating to ACS 4.2
The admin users and read-only users already have established TACACS usernames and are in established TACACS user groups for logging into routers/switches.
What's the best way to implement configuration of the ASA and ACS server to maintain the same type of restrictions that's applied using the local database?
1. Try and avoid the creation of a second TACACS username for the admin and read-only users.
2. ACS allows restrictions on what devices can be access by users/groups. Possible to do reverse? Restrict what usernames can access a device in the ACS database.If you want to configure ASA for read-only access via tacacs then you have to do the following task
ASA/PIX/FWSM Configuration
In addition to your preset configuration, these commands are required on ASA/PIX/FWSM in order to implement command authorization through an ACS server:
aaa-server authserver protocol tacacs+
aaa-server authserver host 10.1.1.1
aaa authorization command authserver
On the ACS, you need to create command authorization set for only SHOW commands:
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#scenario2
Associate command authorization set with user or group
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#asso2
Regards,
Jatin
Do rate helpful posts- -
ACS 5.1, ASA 8.2.2, AD, Device Access. Can't get it to work...
Does anyone have any direction/pointers on how to configure ACS 5.1 to use AD to authenticate and authorize device admin access for Cisco ASA firewalls running 8.2.2? The only way I can seem to get it to work is to tell it to continue if authentication is failed (which means any user/password entered works). The events in the log are:
24408 User authentication against Active Directory failed since user has entered the wrong password
However, I know with 100% certainty that the username and password are good to go (it's the same username and password that works just fine with our old ACS 3.3 system). At this point I feel like I'm missing something really stupid, but for the life of me I can't find it (and the ACS 5.1 user guide leaves a LOT to be desired IMO). Any help is greatly appreciated. We are trying to pilot ACS 5.1 to see if we want to upgrade to it instead of ACS 4.2 but with it failing on what would seem to be such a basic use case, it's not looking promising... TIA.I had this same issue and found out that my RADIUS keys did not match. I am migrating from ACS 4.2 to ACS version 5.4. I corrected my key on the the 5.4 installation and now access works perfectly. Hope that helps.
-
Nexus, command authorization using TACACS.
Hello.
Can someone provide a sample configuration to use Cisco Secure ACS 4.2 to enable command authorization using TACACS.
Thanks.
Regards.
AndreaHi Andrea,
We've moved onto ACS 5.3 now - but we had our Nexus 5520's running against our old ACS 4.2 before that - so I've picked out the relevant bits of the config below:
username admin password role network-admin ; local admin user
feature tacacs+ ; enable the tacacs feature
tacacs-server host key ; define key for tacacs server
aaa group server tacacs+ tacacs ; create group called 'tacacs'
server ;define tacacs server IP
use-vrf management ; tell it to use the default 'management' vrf to send the tacacs requests
source-interface mgmt0 ; ...and send them from the mgmt interface
aaa authentication login default group tacacs ; use tacacs for login auth
aaa authentication login console group tacacs ; use tacacs for console login auth
aaa authorization config-commands default group tacacs local ; use tacacs for config command authorization
aaa authorization commands default group tacacs local ; use tacacs for normal command authorization
aaa accounting default group tacacs ; send accounting records to tacacs
Hope that works for you!
(That can change a bit when you move to ACS 5.x - as we've chosen not to do complex command auth (using shell profiles only) so instead you pass back the nexus role to the 5k - and it does the command auth (network-admin vs network-operator) based on that - so you just don't configure aaa command authorization on the 5k)
Rob... -
WAAS Authentication using TACACS+
Hi,
I am trying to use TACACS as the primary method of authentication. The thing is that I configured in WAAS the values required (security word, primary server and secondary server). Also, in Authentication Method I chose TACACS as primary and local as the secondary.
After that I logged in to the WAAS using my TACACS account and I could enter, but the Navigation Pane is empty. It seems like my account doesn't have permissions to change config, but it is level 15 in TACACS ( I used to change config in Sw and routers).
I dont know if I am missing a step to config this feature either on the WAAS or the ACS.
Thanks,TACACS really only provides a single "A" Authentication.
Are you allowed or not....
in order to provide Authorization, you need to still create the account in CM. and provide a role and domain in the user config.
Leave the Local user check box "unchecked" if you plane to use TACACS to Authenticate.
Im sure there is a way to provide authorization through complex custom attributes but it achieves the same goal via CM. once authenticated. -
FWSM: AAA authentication using TACACS and local authorization
Hi All,
In our setup, we are are having FWSMs running version 3.2.22 and users are authenticating using TACACS (running cisco ACS). We would like to give restricted access ( some show commands ) to couple of users to all devices. We do not want to use TACACS for command authorization.
We have created users on TACACS and not allowed "enable" access to them. I have also given those show commands locally on the firewall with privilege level 1. and enabled aaa authorization LOCAL
Now , those users can successfully login to devices and execute those show commands from priv level 1 except "sh access-list". I have specifically mentioned this
"privilege show level 1 mode exec command access-list" in the config.
Is there anything i am missing or is there any other way of doing it?
Thanks.You cannot do what you are trying to do. For (default login you need to use the first policy matched.
you can diversify telnet/ssh with http by creating different aaa groups.
But still you will be loging in for telnet users (all of them) using one method.
I hope it is clear.
PK -
Logging directly into enable mode on a PIX using TACACS
I have setup TACACS authentication on a PIX running 6.3(3). I can authenticate using TACACS just fine, but do not get put directly into enable mode. The ACS server is setup to do so, it works for routers and switches, but not the PIX box. If I put the "aaa authentication enable console TACACS" in the config I must enter the enable command and use the same password I logged in with to get into enable mode. Without the command, I have to use the configured enable secret password to get into the enable mode.
Does anyone know it there is a way to configure the PIX to log someone directly into enable mode via TACACS?
Thanks in advanceHi,
PIX does not support exec authorization. Hence user cannot login to level 15 directly.
Regards,
Vivek -
ANM 4.2 - RBAC using Tacacs+ and ACS5.1
I want to configure RBAC for ANM 4,2 using tacacs+ and ACS 5.1
Service = ANM
ANM_UniqueID = ANM_1
RoleName = ANM_Admin
Domain = All
When the admin user logs in, this policy element is triggerd, but the Role is not sent back.
How to configure the Custom Attribute?
Cheers,
WolffCould you please move this tread to AAA community, since this community is mostly about load-balancing and I doubt that you will get any answers here. You can find AAA community here: https://supportforums.cisco.com/community/netpro/security/aaa
You should be able to move it by clicking on "Move thread" on the right side and then navigating to Communities -> Security -> AAA
Thanks -
Use Tacacs+ for Admin auth & Radius for user Auth?
Can I setup my Aironet 1200 to use TACACS+ for authentication back to the cisco ACS server and RADIUS back to same server for user authentication?
If I setup a server in Server Manager under Radius, then add that same server as a TACACS+ server, it deletes the RADIUS server, so I assume no.dont know about 1200s but you can do this on 1130AGs. Create a aaa group for authentication via radius, and one for tacacs+ then use aaa groups to point console/vty to the tacacs+ aaa group, and EAP authentication to the radius group.
eg:
aaa group server radius rad-group
server x.x.x.x auth-port xxxx acct-port xxxx
aaa group server tacacs+ admin-access
server x.x.x.x
aaa authentication login eap-method group rad-group
aaa authentication login auth-admin-access group admin-access local
aaa authorization exec default group admin-access local
now under the ssid part of the config have:
dot11 ssid yyyyyy
authentication open (or whatever method you use) eap eap-method
under console/vty etc:
login authentication auth-admin-access
you need some more stuff like radius and tacacs server keys, but the above should get you started. On 1130AGs dont use aaa auth for http(s), looks like it overloads the aaa server at the moment - see field notices - probably doesnt apply to 1200s. -
I have got a 13 inch MacBook Pro and it got stuck in a loop so I switched it off by holding the power button down and now when I switch it on the apple logo appears then I get a blank slot at the bottom of the screen then the circle appears and rotates and then it switches off again, I have tried starting it again with the system disc that came with it when it was new but it makes no difference. Is there a sequence that I can use to force it to start.
Sorry. We can't help you. It's no longer an iPhone. Apple won't touch it.
Take it to whoever replaced the screen and see if they can help you.
iPhones are not user servicable and Apple does not sell iPhone parts at all. I'd be surprised if you were actually able to back it up at this point. It sounds like it's completely borked. -
Hi I am getting the error
Error occurred in deployment step 'Add Solution': A feature with ID 10495515-2482-41fd-98eb-3c87f739f54b has already been installed in this farm. Use the force attribute to explicitly re-install the feature.
when trying to deploy web parts
question 1 - how do i use the force attribute when deploying from visual studio
question 2 - am i deplying it to the right place, if i deply it to the
url:port that points to my central admin tool it deploys but i cant seem to see it in any of my webs in my site collection, if i deploy it to the
url:port that points to my site collection I get this error.
im new to all this by the way :)
thanks in advanceIf you are deploying from Visual Studio then please follow this post:
http://sharepointfordeveloper.blogspot.com/2014/03/solved-visual-studio-issue-error.html
Open the visual Studio and navigate to the feature XML file and add the bellow attribute.
AlwaysForceInstall="TRUE"
The <FeatureName>.Template.Xml output would be some think link this.
<?xml
version="1.0"
encoding="utf-8"
?><Feature
xmlns="http://schemas.microsoft.com/sharepoint/"
AlwaysForceInstall="TRUE"></Feature>
Maybe you are looking for
-
System Error in Message Monitoring -Proxy to SOAP async scenario
Hi All, My scenario is ABAP Proxy---> SAP PI 7.1 ---> WEbService(Asynchronous SOAP ). In Moni message is showing successful Flag, but message has got stuck in "system Error" at message monitoring.I can't see any Audit log in Message monitoring . but
-
IPhoto crashes after editing a photo
Hi, I'm desperate to tone some photos of our recent wedding so I can post them on the web. I am a long-time iPhoto user and have really not had many problems at all (or I'm able to figure them out), but this one has me stumped. iPhoto will crash on s
-
Rime Chinese Input Set Keyboard Layout
Hello, I am trying to install rime chinese input. Unfortunately I have a keyboard with a QWERTZ-Layout, which I am very accustomed to. I am using rime in Gnome Shell. Is there any way to keep the German keyboard layout whilst switching to rime? My ch
-
Why does iTunes freeze when movie download is processing and it will not restart the download but yet it billed my acct for payment already? It has been a week now and still not done processing. I get an error message when I try to restart the downlo
-
What types of portlets are administation portlets in oracle portal?
I want to know what is the administration portlets category.i.e.Is it PDK portlets or PL/SQL portlets.What? I want to make some new portlets and put them on the same admininstration page which will be accessing the OID mainly to add some new function