September 2014
Enabling AAA on Cisco ASA

Enabling AAA on Cisco routers and switches was covered a while back in this guide. As previously mentioned, I am quite new to Cisco ASAs since my old environment was pure routing and switching. Firewalls were handled by IT Security, and the firewalls weren’t ASAs. Having said all that, I enjoy playing with ASAs whenever I get a chance. A couple of days ago, I started teaching myself the CLI since I’ve always used the ASDM for making changes. I occasionally use the CLI, but not heavily, since I am still a newbie with ASAs. I will be taking a class in a couple of months, so I should at least be more familiar with these devices by then.

As I was teaching myself how to configure an ASA from scratch using the CLI, I decided to play around with AAA, since I need to get our production ASAs talking to our TACACS+ server anyway. After playing around with it and reading the AAA section of this book, I came up with a configuration that will be our standard when building ASAs.

Without further delay, here are the steps to enable AAA on an ASA using the CLI:

This command enables the TACACS+ protocol and uses the name TACACS+ for the AAA server group.

This sets the maximum number of failed attempts allowed for any server in the group before that server is deactivated. The default value is three.

There are two different AAA server reactivation modes on the ASA: timed mode and depletion mode. The command below configures timed mode. In timed mode, a failed server is reactivated after 30 seconds of downtime. In my limited testing, the ASA kept trying to reactivate the server every 30 seconds after I brought the TACACS+ server down.

With depletion mode, shown below, a failed TACACS+ server stays down until all servers in the group are in the failed state. The default deadtime is 10 minutes.

This command checks the status of the TACACS+ server from a particular ASA.

This command specifies the TACACS+ server’s IP address. Notice the (inside) keyword in the command: it tells the ASA which interface to send the TACACS+ traffic out of. If the TACACS+ server is actually behind the outside interface, change it to outside. In this scenario, the TACACS+ server is part of the inside network.

This command instructs the ASA to check the user’s enable password against the TACACS+ server first, and to fall back to the local enable password only if the TACACS+ server is unavailable.

Don’t confuse the console keyword with the serial console. serial refers to the actual physical console port on the ASA. If you do not issue this command, the ASA will use the local user database for authentication on that port. As above, if TACACS+ is available it will always use the account stored on the server before falling back to the local account.

This is a good idea to enable if you want to manage your ASA using the ASDM. As above, if TACACS+ is available it will always use the account stored on the server before falling back to the local account.

This is for managing your ASA using SSH. As above, if TACACS+ is available it will always use the account stored on the server before falling back to the local account. If you want to manage your ASA using telnet, just change the ssh keyword to telnet. I honestly do not recommend using telnet.

Once the authentication part is finished, you need to enable authorization, which controls which commands the authenticated user is allowed to run. To enable authorization, issue the command below. Again, if TACACS+ is available it will always use the account stored on the server before falling back to the local account.

Once done with authorization, you may want to keep a record of the commands that have been issued on the ASA. To enable accounting, issue the command below. This command will only record commands at privilege level 15. If you want to record all commands, change the level to 1.
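The whole procedure above, written out as one configuration block. This is an added example rather than the post’s own listing; the server address 10.1.1.5, the placeholder shared secret and the interface name inside are assumptions, and the group name TACACS+ follows the post.

```text
! Added example, not from the original post. Assumed values: server 10.1.1.5,
! shared secret placeholder, interface "inside".
!
! 1. Server group: protocol, failure threshold and reactivation behaviour
aaa-server TACACS+ protocol tacacs+
 max-failed-attempts 3
 reactivation-mode depletion deadtime 10
! Alternative: "reactivation-mode timed" retries a failed server after 30 seconds
!
! 2. The server itself, reached via the inside interface, with its shared key
aaa-server TACACS+ (inside) host 10.1.1.5
 key <REPLACE-WITH-SHARED-SECRET>
!
! 3. Authentication. LOCAL is consulted only when every server in the group is
!    unreachable, not when the server rejects the credentials.
aaa authentication enable console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
!
! 4. Authorization. Enter this only after step 3 is in place and verified;
!    the comment thread below shows the lockout that results otherwise.
aaa authorization command TACACS+ LOCAL
!
! 5. Accounting of commands at privilege level 15 (use 1 to record everything)
aaa accounting command privilege 15 TACACS+
!
! Checks before saving the configuration:
!   show aaa-server TACACS+
!   test aaa-server authentication TACACS+ host 10.1.1.5 username <user> password <pw>
```

Keep a second session open while applying steps 3 and 4, and do not write memory until the test command succeeds, so a mistake can be undone with a reload.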

There you have it, a step-by-step guide on how to enable AAA on Cisco ASAs. There’s no good reason not to enable AAA, especially when you can get a TACACS+ server for free!

I hope this has been helpful and thank you for reading!


Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance

Andrew Roderos

Network Engineer
Andrew Roderos is an IT professional who specializes in networking, a CCIE aspirant, and forever a student of technology. Technologies that he is mostly interested in are routing and switching, virtualization, data center, and a little bit of network security. Outside of the information technology world, he enjoys reading science fiction books, manga, and taking pictures.


  • Shayaan

    I did not add “aaa authentication enable console TACACS+ LOCAL” before adding “aaa authorization command TACACS+ LOCAL”

    • Andrew Roderos

      Disconnect your ASA if it’s not production. If it is, try to bring your TACACS+ server down for several minutes until the ASA recognizes that the server is down, and you should be able to use the local user account stored in your ASA to make configuration changes. Of course, this is assuming that you didn’t save the config. If you didn’t save the config, you can always reboot the ASA.

  • Shayaan

    Need your help.

    After putting in the following command, I can’t even log out.

    aaa authorization command TACACS+ LOCAL

    asa-01(config)# logout

    Command authorization failed

  • Brian

    Well done, informative, descriptive and easy to follow!

    • Andrew Roderos

      Thank you! Glad I could help!