ASA AAA

Hello

I want to consolidate all the AAA functions we have today on different RADIUS servers onto one ISE installation.

I now wonder how to differentiate an administrative login to the device (SSH/ASDM) from a user VPN connection, since the RADIUS requests go to the same server.

I don't see anything in the RADIUS attributes of the ASA's request that differs depending on the use case. Any advice?

Best regards

/ Mattias

Hi Mattias,

as of ASA 8.4.3 the RADIUS Access-Request contains 2 new attributes, Tunnel-Group-Name and Client-Type, when a VPN user connects. I don't know whether an admin access request contains Client-Type = 0 or simply omits this attribute.

But you probably don't even need those, since you can simply key on the IETF Service-Type attribute, cf.:

http://www.Cisco.com/en/us/docs/security/ASA/asa84/configuration/guide/access_aaa.html#wp1136429

HTH

Herbert
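As an added example (not from the original thread and not Cisco code), here is a Python script that parses a RADIUS Access-Request and applies the distinction Herbert describes: a request carrying the Cisco VPN3000/ASA Tunnel-Group-Name or Client-Type VSA is a VPN login, while one with IETF Service-Type = Administrative and no tunnel group is device administration. The vendor ID 3076 and the VSA numbers 146 (Tunnel-Group-Name) and 150 (Client-Type) are assumptions taken from the usual ASA RADIUS dictionary; confirm them, and the Service-Type value your ASA actually sends for each access type, against the dictionary on the ISE node and against `debug radius` output. The two sample packets are constructed for the demo.

```python
import os
import struct

# RFC 2865 attribute numbers.  The Cisco VPN3000/ASA/PIX7.x vendor ID (3076) and
# the VSA numbers for Tunnel-Group-Name (146) and Client-Type (150) are
# assumptions; check them against the RADIUS dictionary on your ISE/ACS.
ATTR_USER_NAME, ATTR_SERVICE_TYPE, ATTR_VSA, ATTR_NAS_PORT_TYPE = 1, 6, 26, 61
SERVICE_TYPE_ADMINISTRATIVE = 6
VENDOR_CISCO_VPN3000 = 3076
VSA_TUNNEL_GROUP_NAME, VSA_CLIENT_TYPE = 146, 150
SERVICE_TYPES = {1: "Login", 2: "Framed", 5: "Outbound", 6: "Administrative", 7: "NAS-Prompt"}
NAS_PORT_TYPES = {0: "Async", 5: "Virtual"}


def attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value


def vsa(vendor, vtype, value):
    inner = struct.pack("!BB", vtype, 2 + len(value)) + value
    return attr(ATTR_VSA, struct.pack("!I", vendor) + inner)


def access_request(ident, attrs, authenticator=None):
    body = b"".join(attrs)
    header = struct.pack("!BBH", 1, ident, 20 + len(body))
    return header + (authenticator or os.urandom(16)) + body


def parse_attrs(packet):
    """Yield (type, value) pairs; VSAs come out as ((26, vendor, vtype), value)."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != 1 or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_VSA and len(value) >= 6:
            vendor = struct.unpack("!I", value[:4])[0]
            vtype, vlen = value[4], value[5]
            yield (ATTR_VSA, vendor, vtype), value[6:4 + vlen]
        else:
            yield atype, value
        pos += alen


def _u32(value):
    return struct.unpack("!I", value)[0] if value is not None and len(value) == 4 else None


def _name(table, v):
    return "absent" if v is None else table.get(v, str(v))


def classify(packet):
    """Policy mirrored here: tunnel-group/client-type VSA present -> VPN user;
    Service-Type Administrative without a tunnel group -> device administration."""
    attrs = dict(parse_attrs(packet))
    service = _u32(attrs.get(ATTR_SERVICE_TYPE))
    port_type = _u32(attrs.get(ATTR_NAS_PORT_TYPE))
    tunnel_group = attrs.get((ATTR_VSA, VENDOR_CISCO_VPN3000, VSA_TUNNEL_GROUP_NAME))
    client_type = _u32(attrs.get((ATTR_VSA, VENDOR_CISCO_VPN3000, VSA_CLIENT_TYPE)))
    info = {
        "user": attrs.get(ATTR_USER_NAME, b"").decode("utf-8", "replace"),
        "service_type": _name(SERVICE_TYPES, service),
        "nas_port_type": _name(NAS_PORT_TYPES, port_type),
        "tunnel_group": tunnel_group.decode("utf-8", "replace") if tunnel_group else None,
        "client_type": client_type,
    }
    if info["tunnel_group"] or client_type is not None:
        info["role"] = "vpn-user"
    elif service == SERVICE_TYPE_ADMINISTRATIVE:
        info["role"] = "device-admin"
    else:
        info["role"] = "unclassified"
    return info


# Constructed sample packets (fixed authenticator so the demo is reproducible).
AUTH = bytes(range(16))
SSH_LOGIN = access_request(7, [
    attr(ATTR_USER_NAME, b"mattias"),
    attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE)),
    attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", 5))], AUTH)
VPN_LOGIN = access_request(8, [
    attr(ATTR_USER_NAME, b"mattias"),
    attr(ATTR_SERVICE_TYPE, struct.pack("!I", 2)),          # assumed value for the demo
    attr(ATTR_NAS_PORT_TYPE, struct.pack("!I", 5)),
    vsa(VENDOR_CISCO_VPN3000, VSA_TUNNEL_GROUP_NAME, b"RA-VPN"),
    vsa(VENDOR_CISCO_VPN3000, VSA_CLIENT_TYPE, struct.pack("!I", 2))], AUTH)

if __name__ == "__main__":
    for pkt in (SSH_LOGIN, VPN_LOGIN):
        print(classify(pkt))
```

The same two conditions are what you would express in ISE: one policy set matching the tunnel-group VSA for VPN, another matching Service-Type = Administrative for device administration. The script only makes the decoding explicit so the two request shapes can be compared on the wire before the policy is written.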

Tags: Cisco Security

Similar Questions

  • ACS 5.1 / ASA AAA local fallback if user unknown

    Hello

    I know how to set the ASA to fall back to LOCAL authentication if the RADIUS server is not available.

    Now we want to authenticate users locally if the user is not in AD. Is this possible, and how do I set it up with the new policies? I tested it with a 'fallback' when the user is not in AD, but then the RADIUS server gets marked as 'dead' and other AD users cannot connect for a given period. Perhaps we could set the timeout to 0, but that's not as nice as it could be.

    Thank you very much in advance; any better ideas?

    Dominic

    This can be done by creating an identity store sequence (Users and Identity Stores > Identity Store Sequences).

    An identity store sequence lets you try several databases in sequence until the user authenticates.

    Create a sequence, select password based, then add AD1 followed by "Internal Users" in the authentication method list. Once created, the sequence is selectable as the result of the matching identity policy.

  • HTTPS ASA AAA authentication rules prompt

    I'm trying to configure a simple AAA rule in my lab to allow access to the Internet web server via TACACS+ authentication (see attached configuration).

    This setup seems to work fine when the authentication prompt is shown over HTTP, while the HTTPS login page has problems with a certificate error from the browser, with the message: SSL_ERROR_BAD_MAC_READ

    It seems the HTTPS login page redirection is not allowed due to a server address / certificate mismatch.

    Advice and suggestions will be greatly appreciated.

    Seems to be a known issue.

    https://BST.cloudapps.Cisco.com/bugsearch/bug/CSCus27650/?reffering_site...

    Kind regards

    Jousset

    ~ Please rate helpful posts.

  • TACACS+ for ASA 5550

    Hello

    How do I configure TACACS+ for an ASA 5550 with ACS 4.2? I have two ASAs, one active and the other in standby mode. Please tell me how to set it up; I couldn't find any good docs either.

    Thank you.

    Hi Gavin,

    Here is a sample config for the ASA's telnet authentication from TACACS+:

    username admin password xxxxx privilege 15
    aaa-server TEST protocol tacacs+
    aaa-server TEST (inside) host x.x.x.x yyy
    [x.x.x.x is the IP address of the TACACS+ server, reachable from the inside interface, and yyy is the shared secret key]
    aaa authentication telnet console TEST LOCAL
    [this sends the telnet authentication request to the TACACS+ server first and, if it is not reachable, uses the local database of the ASA]
    aaa authentication ssh console TEST LOCAL
    [same as above but for ssh sessions]
    aaa authorization exec authentication-server
    [this enables exec authorization for the telnet and ssh sessions]
    aaa authentication http console TEST LOCAL
    [for HTTP]
    aaa accounting command TEST
    [this gives command accounting for all commands entered in the telnet or ssh session]

    On the TACACS+ server we need to add this ASA as an AAA client with shared secret key yyy.

    You can find more details here:

    http://www.Cisco.com/en/us/docs/security/ASA/asa80/configuration/guide/mgaccess.html#wp1042026

    In ACS, you need to add the ASA as a device under Network Configuration with protocol TACACS+.

    Thank you

    Vinay

    If this helps you or answers your question, please mark it as 'Answered' or rate it, so other users can easily find it.

  • Ike ASA VPN question

    Hello all, I have a problem with an IPsec tunnel and am still looking for what exactly the problem is. I have 2 ASAs, AAA.AA.AAA.A and BBB.BB.BBB.B, where BBB.BB.BBB.B has 2 interfaces: the LAN and another one on a DSL modem. When there is no problem with the LAN the tunnel is ACTIVE, but when I fail over to the ADSL I get a few errors on the tunnel:

    IP = AAA.AA.AAA.A, Received an un-encrypted INVALID_COOKIE notify message, dropping

    IP = AAA.AA.AAA.A, Duplicate Phase 1 packet detected. Retransmitting last packet.

    sh isakmp sa gives:

    Active SA: 1
    Rekey SA: 0 (A tunnel will report 1 Active and 1 Rekey SA during rekey)
    Total IKE SA: 1

    1 IKE Peer: AAA.AA.AAA.A
    Type : user Role : initiator
    Rekey : no State : MM_WAIT_MSG4

    So the router is waiting for a packet it expects, but nothing arrives.

    On both ends I cleared:

    clear crypto isakmp sa
    clear crypto ipsec sa

    I checked that the peer addresses are correct; what's bothering me is the missing packet. I think this packet is sent out the other interface, which is down, so the other ASA cannot get the negotiation.

    I'd be grateful if anyone can help; I'll debug and sniff for that.

    Here are the configs and some isakmp debug output.

    Router AAA.AA.AAA.A config:

    access-list outside_cryptomap_60 extended permit ip object-group US-VPN object-group VPN-US
    route outside 0.0.0.0 0.0.0.0 XXX.XX.XX.1 1
    crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 60 match address outside_cryptomap_60
    crypto map outside_map 60 set peer BBB.BBB.BB.B CC.CCC.C.CCC
    crypto map outside_map 60 set transform-set ESP-AES-SHA
    crypto map outside_map 60 set security-association lifetime seconds 28800
    crypto map outside_map 60 set security-association lifetime kilobytes 4608000
    crypto map outside_map interface outside
    isakmp enable outside
    isakmp policy 10 authentication pre-share
    isakmp policy 10 encryption 3des
    isakmp policy 10 hash sha
    isakmp policy 10 group 2
    isakmp policy 10 lifetime 86400
    tunnel-group BBB.BBB.BB.B type ipsec-l2l
    tunnel-group BBB.BBB.BB.B ipsec-attributes
    pre-shared-key *

    ASA BBB.BB.BBB.B:

    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
    crypto ipsec transform-set ESP-AES-SHA esp-aes esp-sha-hmac
    crypto ipsec transform-set ESP-DES-SHA esp-des esp-sha-hmac
    crypto ipsec security-association lifetime seconds 28800
    crypto ipsec security-association lifetime kilobytes 4608000
    crypto map outside_map 1 match address outside_cryptomap_1
    crypto map outside_map 1 set peer AAA.AA.AAA.A
    crypto map outside_map 1 set transform-set ESP-3DES-SHA ESP-AES-SHA
    crypto map outside_map interface outside
    crypto map outside_map interface outsideadsl
    crypto isakmp enable inside
    crypto isakmp enable outside
    crypto isakmp enable outsideadsl
    crypto isakmp policy 10
     authentication pre-share
     encryption 3des
     hash sha
     group 2
     lifetime 86400
    crypto isakmp am-disable

    debug crypto isakmp 127

    Dec 28 11:58:01 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Dec 28 11:58:01 [IKEv1]: IP = AAA.AA.AAA.A, IKE Initiator: New Phase 1, Intf inside, IKE Peer AAA.AA.AAA.A local Proxy Address 192.168.0.0, remote Proxy Address 192.167.0.0, Crypto map (outside_map)
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing ISAKMP SA payload
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing NAT-Traversal VID ver 02 payload
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing NAT-Traversal VID ver 03 payload
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing Fragmentation VID + extended capabilities payload
    Dec 28 11:58:01 [IKEv1]: IP = AAA.AA.AAA.A, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 148
    Dec 28 11:58:01 [IKEv1]: IP = AAA.AA.AAA.A, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, processing SA payload
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, Oakley proposal is acceptable
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, processing VID payload
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, Received Fragmentation VID
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing ke payload
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing nonce payload
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing Cisco Unity VID payload
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing xauth V6 VID payload
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, Send IOS VID
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, Constructing ASA spoofing IOS Vendor ID payload (version: 1.0.0, capabilities: 20000001)
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing VID payload
    Dec 28 11:58:01 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, Send Altiga/Cisco VPN3000/Cisco ASA GW VID
    Dec 28 11:58:01 [IKEv1]: IP = AAA.AA.AAA.A, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
    Dec 28 11:58:07 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Dec 28 11:58:07 [IKEv1]: IP = AAA.AA.AAA.A, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.
    Dec 28 11:58:09 [IKEv1]: IP = AAA.AA.AAA.A, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
    Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, processing SA payload
    Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, Oakley proposal is acceptable
    Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, processing VID payload
    Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, Received Fragmentation VID
    Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, IKE Peer included IKE fragmentation capability flags: Main Mode: True Aggressive Mode: True
    Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, processing IKE SA payload
    Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, IKE SA Proposal # 1, Transform # 1 acceptable Matches global IKE entry # 2
    Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing ISAKMP SA payload
    Dec 28 11:58:09 [IKEv1 DEBUG]: IP = AAA.AA.AAA.A, constructing Fragmentation VID + extended capabilities payload
    Dec 28 11:58:09 [IKEv1]: IP = AAA.AA.AAA.A, IKE_DECODE SENDING Message (msgid=0) with payloads : HDR + SA (1) + VENDOR (13) + NONE (0) total length : 108
    Dec 28 11:58:09 [IKEv1]: IP = AAA.AA.AAA.A, IKE_DECODE RESENDING Message (msgid=0) with payloads : HDR + KE (4) + NONCE (10) + VENDOR (13) + VENDOR (13) + VENDOR (13) + VENDOR (13) + NONE (0) total length : 256
    Dec 28 11:58:10 [IKEv1]: IP = AAA.AA.AAA.A, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
    Dec 28 11:58:10 [IKEv1]: IP = AAA.AA.AAA.A, IKE_DECODE RECEIVED Message (msgid=0) with payloads : HDR + NOTIFY (11) + NONE (0) total length : 68
    Dec 28 11:58:10 [IKEv1]: IP = AAA.AA.AAA.A, Received an un-encrypted INVALID_COOKIE notify message, dropping
    Dec 28 11:58:10 [IKEv1]: IP = AAA.AA.AAA.A, Information Exchange processing failed
    Dec 28 11:58:12 [IKEv1 DEBUG]: Pitcher: received a key acquire message, spi 0x0
    Dec 28 11:58:12 [IKEv1]: IP = AAA.AA.AAA.A, Queuing KEY-ACQUIRE messages to be processed when P1 SA is complete.

    Don't know if that's the only issue, but to start you need a 'tunnel-group C.C.C.C' on ASA A.

    If there is still a problem, please upload debugs from both sides taken at the same time.

    Also, what software version are the ASAs running, and how do you simulate the failure of B's main interface? Is it possible that in your test A can still reach B through its main interface?

    HTH

    Herbert

  • ACS 5.4 / ASA 8.2.5: disable AAA logging for a particular user

    Hello!

    I want to disable TACACS+ logging for a particular user. This user is only used for automated (Python script) polling of the ASA's VPN tunnel group (limited command set, authorized on ACS) to check the number of users authenticated via VPN. The problem is that this user generates a bunch of authentication, authorization and accounting logs on ACS. Is there a way to disable TACACS+ logging on ACS for this particular user? Or is it perhaps possible to change the AAA config on the ASA so that this particular user is not logged?

    Thanks in advance.

    Hi Pawel,

    You can create collection filters for that specific user. When you configure the filters, Monitoring & Report Viewer does not record these events in the database.

    Navigate to: Monitoring Configuration > System Configuration > Collection Filters > Add a filter

    The following attributes can be used. You should use User.

    -Access service

    -User

    -Mac-add

    -Nas - IP

    Example: We get several hits from an ASA for a 'user' and we want ACS to ignore them. Create a filter using the User. ACS will now ignore any attempt from that NAS IP address.

    Jatin kone
    - Please rate helpful posts -

  • Configuration guide and benefits of Cisco Context Directory Agent (CDA) and AAA (on ASA)

    Hello

    I would like to set up and test AAA on a Cisco ASA (5505 or 5510).
    1. Are there any other tools or servers required to use this feature? And do you have good configuration guides?

    I already tested Cisco's CDA. It was able to show Active Directory users and their IP mappings.
    2. Do you have a brief explanation of what kind of options I have with this server/tool? Is it perhaps usable for the AAA mentioned on the ASA?

    Thanks in advance

    Best regards

    1. Yes, you need a RADIUS server like Windows Server NPS, or a RADIUS/TACACS+ server such as Cisco ACS/ISE.

    2. It is just a man in the middle for the AD DCs; you will still need an AAA server, RADIUS or TACACS+ (see #1).

  • AAA ACS RADIUS ASA administrative access

    We have an ASA 8.2 on which we'd like to configure AAA for SSH access using RADIUS on ACS 5.5.

    We can get users to authenticate, but the ASA keeps the user in user EXEC rather than privileged EXEC.

    Setup on the ASA:

    aaa-server rad-group1 protocol radius
    aaa-server rad-group1 (inside_pd) host rad-server-1
    key *
    aaa-server rad-group1 (inside_pd) host rad-server-2
    key *
    aaa authentication ssh console rad-group1 LOCAL
    aaa authentication telnet console rad-group1 LOCAL
    aaa authentication http console rad-group1 LOCAL
    aaa authorization exec authentication-server

    We have tried pushing various combinations of these attributes from ACS:

    CVPN3000/ASA/PIX7.x-Privilege-Level = 15
    IETF RADIUS Service-Type = Administrative (6)
    cisco-av-pair = "shell:priv-lvl=15"

    Hi Phil,

    You are able to manage the privilege level assigned to a user with TACACS+; however, you are not able to land in privileged mode without enable authentication unless you move to 9.1(5) code.

  • ASA 5525-X AAA login to EXEC mode via ISE

    I'm using ISE 2.0 and have created a policy to log in to our ASA 5525-X running 9.5.2 using SSH.

    I can log in to the ASA in user EXEC mode, use enable and type in my password to get to privileged EXEC mode.

    I want to type a username and password and get to privileged EXEC mode directly.

    This is what I have on our ASA:

    aaa-server vpnISE protocol radius
    authorize-only
    dynamic-authorization
    aaa-server vpnISE (inside) host IP ADDRESS
    key *

    aaa-server vpnISE protocol radius
    aaa-server vpnISE (inside) host IP ADDRESS
    aaa authentication serial console LOCAL
    aaa authentication ssh console vpnISE LOCAL
    aaa authentication http console LOCAL
    aaa authentication enable console vpnISE LOCAL

    aaa authorization exec authentication-server auto-enable

    I have an authorization profile

    ASA_Access

    Access type = ACCESS_ACCEPT
    Cisco-av-pair = shell: priv-lvl = 15

    The authentication policy is PAP_ASCII for AD and local.

    The authorization policy:

    NAS-Port-Type: Virtual

    Network Access Protocol: RADIUS

    When I try to log in with this configuration it says password authentication failed. When I check the logs I see that my authentication succeeded.

    Do I need to change my attributes to something else to make it work?

    Two questions:

    1. Have you confirmed that the appropriate rule is now being hit in ISE?

    2. Are you returning the correct RADIUS attribute? For ASAs, you must return:

    Radius:Service-Type = Administrative
    Thanks for rating helpful posts!
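As an added example that is not part of this thread (and not ISE or ASA code), the following Python builds the Access-Accept the answer above asks for, Service-Type = Administrative plus the cisco-av-pair shell:priv-lvl=15, computes the RFC 2865 Response Authenticator over it with the shared secret, and shows the NAS-side handling: verify the authenticator first, then read Service-Type and the priv-lvl av-pair. The request authenticator, packet identifier and shared secret are constructed demo values. The attributes are the same ones tried in the ACS 5.5 thread above, so the decoder applies there too.

```python
import hashlib
import hmac
import struct

# RFC 2865 codes and attributes, plus the cisco-av-pair VSA (vendor 9, type 1).
ACCESS_REQUEST, ACCESS_ACCEPT = 1, 2
ATTR_SERVICE_TYPE, ATTR_VSA = 6, 26
SERVICE_TYPE_ADMINISTRATIVE = 6
VENDOR_CISCO, CISCO_AVPAIR = 9, 1


def attr(atype, value):
    return struct.pack("!BB", atype, 2 + len(value)) + value


def cisco_avpair(text):
    """cisco-av-pair VSA, e.g. 'shell:priv-lvl=15' (no spaces around ':' or '=')."""
    inner = struct.pack("!BB", CISCO_AVPAIR, 2 + len(text)) + text.encode("ascii")
    return attr(ATTR_VSA, struct.pack("!I", VENDOR_CISCO) + inner)


def build_access_accept(ident, request_authenticator, secret, attrs):
    """Server side.  RFC 2865 section 3:
    ResponseAuth = MD5(Code | ID | Length | RequestAuth | Attributes | Secret)."""
    body = b"".join(attrs)
    header = struct.pack("!BBH", ACCESS_ACCEPT, ident, 20 + len(body))
    resp_auth = hashlib.md5(header + request_authenticator + body + secret).digest()
    return header + resp_auth + body


def verify_response(packet, request_authenticator, secret):
    header, resp_auth, body = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + body + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def decode_access_accept(packet, request_authenticator, secret):
    """NAS side: reject a reply whose authenticator does not verify (wrong shared
    secret or a spoofed server), then extract Service-Type and shell:priv-lvl."""
    if len(packet) < 20 or not verify_response(packet, request_authenticator, secret):
        raise ValueError("response authenticator mismatch: wrong shared secret or forged reply")
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_ACCEPT or length != len(packet):
        raise ValueError("not a well-formed Access-Accept")
    result = {"service_type": None, "priv_lvl": None, "avpairs": []}
    pos = 20
    while pos < length:
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError("bad attribute length")
        value = packet[pos + 2:pos + alen]
        if atype == ATTR_SERVICE_TYPE and len(value) == 4:
            result["service_type"] = struct.unpack("!I", value)[0]
        elif atype == ATTR_VSA and len(value) >= 6 and struct.unpack("!I", value[:4])[0] == VENDOR_CISCO:
            vtype, vlen = value[4], value[5]
            if vtype == CISCO_AVPAIR:
                text = value[6:4 + vlen].decode("ascii", "replace")
                result["avpairs"].append(text)
                if text.startswith("shell:priv-lvl="):
                    result["priv_lvl"] = int(text.split("=", 1)[1])
        pos += alen
    result["admin_service_type"] = result["service_type"] == SERVICE_TYPE_ADMINISTRATIVE
    return result


# Constructed sample: the authenticator the NAS put in its Access-Request and the
# shared secret are arbitrary demo values.
REQUEST_AUTH = bytes(range(16))
SECRET = b"demo-secret"
ACCEPT = build_access_accept(
    42, REQUEST_AUTH, SECRET,
    [attr(ATTR_SERVICE_TYPE, struct.pack("!I", SERVICE_TYPE_ADMINISTRATIVE)),
     cisco_avpair("shell:priv-lvl=15")])

if __name__ == "__main__":
    print(decode_access_accept(ACCEPT, REQUEST_AUTH, SECRET))
```

The order of the two checks is the point: the priv-lvl and Service-Type values are only meaningful once the Response Authenticator has been validated with the shared secret, which is also why a secret mismatch between ASA and server surfaces as a failed login even when the server's own log shows the authentication as successful.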
  • AAA to bypass the enable password on the Cisco ASA

    Hi all. I'm having a problem where I get authenticated by the AAA server, but after authentication I am placed in user mode. The AAA admin (I have no access to the AAA server) told me that he has all the users configured with priv level 15, which lands them directly in privileged mode on the routers.

    My question is how I can configure my Cisco ASA to get around using an enable password. See my configuration below:

    aaa-server MYGROUP protocol tacacs+
    max-failed-attempts 4
    aaa-server MYGROUP (inside) host 2.2.2.2
    timeout 3
    key *
    aaa authentication telnet console MYGROUP LOCAL
    aaa authentication enable console MYGROUP LOCAL
    aaa accounting command privilege 15 MYGROUP

    Looks like you want direct access to privileged EXEC mode. This feature is not supported by the ASA. This is only possible on IOS devices.

    Rgds, Jousset

    Please rate helpful posts.

  • About AAA on ASA 8.2(1)

    I'm trying to implement AAA on a new ASA running 8.2(1), and I can't get the ACS (4.2(0) Build 124 Patch 6) and the ASA to agree on the TACACS+ keys. I've done this before on a lot of systems and it has always been a typo, but I set both ends to a key of 'a' and it still does not work. I get this in the ASA's logs:

    4 Sep 29 2009 22:03:48 109027 [TACACS+] Unable to decipher response message Server = x.y.z.a user = blah

    3 Sep 29 2009 22:03:48 109026 [TACACS+] Invalid reply digest received; shared server key may be mismatched.

    and on the ACS box I get:

    2009-09-29 22:03:48 Authen failed ... Default Group ... Key Mismatch ... b.c.d.e

    The settings on both sides match what the other working ASAs have. Is there something in 8.2(1) that changes something?

    Thank you

    Hello

    As you are sure the key is correct on both sides, I would like you to check this:

    In ACS, go to Network Configuration > select the Network Device Group (NDG) in which the ASA is added as an AAA client.

    Once you are in the network device group, look at the bottom of the page; you will see an option that says "Edit Properties". Click on that.

    Make sure nothing is set as the "Shared Secret" there; if there is something, remove it, leave the field empty and then press "Submit".

    Then try to authenticate.

    Any key defined in that section overrides the key defined on a per-device basis.

    For more details, please see,

    http://www.Cisco.com/univercd/CC/TD/doc/product/access/acs_soft/csacs4nt/acs41/user/netcfg.htm#wp342738

    HTH

    JK
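As an added example (not from this thread and not Cisco code), the following Python implements the TACACS+ body obfuscation from RFC 8907 that both the TACACS+ configuration in the "TACACS+ for ASA 5550" answer above and this thread's key problem rest on, and shows what a shared-key mismatch looks like to the receiver: the server obfuscates an authentication REPLY under key 'a'; the NAS de-obfuscates it with the same key and gets a valid GETPASS prompt, but with a different key it gets a body whose status and length fields do not add up. My reading is that a check of this kind is what produces the ASA's "Invalid reply digest received" message; the session id, sequence number and prompt text here are constructed sample values.

```python
import hashlib
import struct

# TACACS+ (RFC 8907) constants used below.
TAC_PLUS_AUTHEN = 0x01                # packet type: authentication
TAC_PLUS_VERSION = 0xC0               # major version 0xC, minor version 0
TAC_PLUS_UNENCRYPTED_FLAG = 0x01
HEADER_LEN = 12
REPLY_STATUS = {1: "PASS", 2: "FAIL", 3: "GETDATA", 4: "GETUSER",
                5: "GETPASS", 6: "RESTART", 7: "ERROR"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 section 4.5: MD5(session_id|key|version|seq_no[|previous hash]), chained."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    # XOR with the pad, so the same call both obfuscates and de-obfuscates.
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_reply(status, server_msg, seq_no, session_id, key):
    """Server side: an authentication REPLY (status, flags, msg_len, data_len, msg)."""
    body = struct.pack("!BBHH", status, 0, len(server_msg), 0) + server_msg
    header = struct.pack("!BBBBII", TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0,
                         session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def decode_authen_reply(packet, key):
    """NAS side. Returns (status name, server message), or raises ValueError when
    the de-obfuscated body is not a plausible REPLY, which is how a key mismatch
    shows up to the receiver."""
    if len(packet) < HEADER_LEN:
        raise ValueError("truncated header")
    version, ptype, seq_no, flags, session_id, length = struct.unpack("!BBBBII", packet[:HEADER_LEN])
    if ptype != TAC_PLUS_AUTHEN or length != len(packet) - HEADER_LEN or length < 6:
        raise ValueError("bad header")
    body = packet[HEADER_LEN:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    status, rflags, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    if status not in REPLY_STATUS or rflags > 1 or 6 + msg_len + data_len != length:
        raise ValueError("invalid reply digest received; shared key may be mismatched")
    return REPLY_STATUS[status], body[6:6 + msg_len].decode("ascii", "replace")


# Constructed demo: the server asks for the password (GETPASS) under key 'a', the
# key used in the thread.  Session id and sequence number are arbitrary.
SESSION_ID, SEQ_NO = 0x1A2B3C4D, 2
REPLY = build_authen_reply(5, b"Password: ", SEQ_NO, SESSION_ID, b"a")


def demo():
    ok = decode_authen_reply(REPLY, b"a")          # right key: ('GETPASS', 'Password: ')
    try:
        decode_authen_reply(REPLY, b"b")           # wrong key on the NAS side
        mismatch = None
    except ValueError as e:
        mismatch = str(e)
    return ok, mismatch


if __name__ == "__main__":
    print(demo())
```

Note that the pad depends on the session id and sequence number as well as the key, so a key that is right on one device and wrong on another (the per-group "Shared Secret" override JK describes) fails on every packet of every session, not intermittently; intermittent decipher errors point elsewhere.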

  • Any reason AAA is limited to 16 server groups in the ASA?

    I wonder why there is a limit on all Cisco ASA models when it comes to the number of AAA server groups, only 16? I guess it shouldn't be that difficult to let the ASA's OS allow several more AAA server groups and servers per device? Is this just for marketing reasons, or what? :)

    Oscar

    An enhancement request has been filed to increase this value.

    If you open a TAC case and ask for it to be attached to the bug:

    CSCsh23977 Capability for more than 15 AAA server groups on the ASA

    This will put more weight behind the enhancement and it is more likely to be handled quickly.

    Hope that helps with your problem.

  • AAA 'broken' between ASA 5505 and MS AD

    I have my MS AD domain controller set up for the VPN connection AAA (SSL and client) on my ASA 5505. It was working; however, the connection between the two failed last week and I can't get it back up again.

    I checked the password, usernames, object locations etc., but to no avail. When I do a test auth, this is the 'debug ldap 255' output:

    [722] Session Start
    [722] New request Session, context 0xd4e225c8, reqType = 1
    [722] Fiber started
    [722] Creating LDAP context with uri=ldap://w.x.y.z:389
    [722] Connect to LDAP server: ldap://w.x.y.z:389, status = Successful
    [722] supportedLDAPVersion: value = 3
    [722] supportedLDAPVersion: value = 2
    [722] Binding as admin
    [722] Performing Simple authentication for FirewallTest to w.x.y.z
    [722] Simple authentication for FirewallTest returned code (49) Invalid credentials
    [722] Failed to bind as administrator returned code (-1) Can't contact LDAP server
    [722] Fiber exit Tx=253 bytes Rx=583 bytes, status=-2
    [722] Session End

    I tried the old 'remove and re-add' fix, but it did not work.

    Any thoughts?

    Have you checked that the user account used to bind to LDAP (AD) hasn't had its privileges changed? I remember that after applying a fix to an AD server, most of the admin accounts were changed to local admin rather than domain administrator accounts.

    Also, try resetting the password for this account and check that you have the correct login-dn: get it with "dsquery user -name" and compare it to your ASA.

  • AAA problem on ASA

    Hi all

    I had configured TACACS+ on the ASA, but the problem is that when I try to Telnet it authenticates me with my username and password on ACS, but I can't get privilege level 15 as configured on ACS. It's asking me for the enable password and not taking the password from ACS. I used shell authorization for privilege 15. The configuration done on the ASA is:

    name 172.30.xx.xx DCC-1
    name 172.30.yy.yy DCC-2
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ host DCC-1
    key cisco
    aaa-server TACACS+ host DCC-2
    key cisco
    aaa authentication telnet console TACACS+ LOCAL
    aaa authentication telnet console TACACS+ TACACS+
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication enable console TACACS+ LOCAL
    enable password V3VzjwYzTRfTLwOb encrypted
    enable password V3VzjwYzTRfTLwOb encrypted
    username piyush password vkCzRtKCaNG.HI6s encrypted privilege 15
    username ideanoc password S0qrUlXOHFcX7LCw encrypted privilege 15

    I even added my username and password to the local database on the ASA, the same as on ACS. Still no progress...

    Can anyone give their suggestion on this?

    Kind regards

    Piyush

    Don't set the shell privilege level 15 but the enable privilege, which must be set to 15: ACS > the configured user > Enable Options > Max Privilege for any AAA Client > 15

  • Enable AAA authentication in the ASA system context

    Hello!

    We have an ASA configured in multiple-context mode with 8.4(2) software, configured for AAA.

    The configuration in the admin context is as follows:

    aaa-server TAC protocol tacacs+
    aaa-server TAC (management) host 10.162.2.201
    key *
    aaa authentication enable console TAC LOCAL
    aaa authentication http console TAC LOCAL
    aaa authentication serial console TAC LOCAL
    aaa authentication ssh console TAC LOCAL

    Because of the multiple contexts, after login we land in the system context. Console port authentication works fine, except for access to privileged mode when connecting through the console port.

    After the 'enable' command, the ASA accepts only the enable secret configured in the system context and changes the user ID to enable_15, so we are unable to do accounting and user-level command authorization.

    It seems the ASA in the system context is not aware of any of the AAA configuration, and there is no command to configure AAA in the system context.

    Is there a way to configure enable AAA authentication in the system context?

    Thanks in advance!

    Hello

    It looks like you hit this known issue:

    http://Tools.Cisco.com/support/BugToolKit/search/getBugDetails.do?method=fetchBugDetails&bugId=CSCsw18455

    Admin context enable mode compared against system context DB credentials

    Symptom:

    In multi-mode configuration, the credentials a user enters to get into privileged mode
    (enable mode) via the serial console are not sent to an external server
    for authentication.

    Conditions:

    ASA/PIX is in multi mode. Serial console and enable console authentication
    are configured to use an external aaa server in the admin context.

    Workaround:

    Option 1: Configure the enable password in the system context. Option 2: Avoid using the serial console interface and rely on telnet
    or ssh console access. For SSH or telnet consoles, attempts to enter
    enable mode are authenticated as specified by the aaa configuration in
    the "admin" context.
    Further Problem Description:

    When authentication is enabled for the serial console and enable console in
    the admin context via an external aaa server (for example RADIUS or TACACS+), the serial
    console password is checked against the external aaa server, but the enable mode
    credentials are compared against the enable DB in the system context.

    Hope that clarifies it. Unfortunately there is no fix for this problem.

    Kind regards.
