Enabling AAA on Cisco routers and switches were covered a while back in this guide. As previously mentioned, I am quite new to Cisco ASAs since my old environment was pure routing and switching. Firewalls were handled by IT Security and the firewalls weren’t ASAs. Having said all of that, I enjoy playing with ASAs whenever I get a chance. A couple of days ago, I started teaching myself using the CLI since I’ve always used the ASDM for making changes. I occasionally use the CLI, but not heavily since I am still a newbie in using ASAs. If you are in the same situation as I am, one of the books that are very helpful for non-full time network security engineer is Cisco ASA for Accidental Administrators: An Illustrated Step-by-Step ASA Learning and Configuration Guide. I have no experience with this book so please read through the reviews to make sure it is the one you need.
As I was teaching myself on how to configure an ASA from scratch using CLI, I decided to play around with AAA since I need to get our production ASAs to communicate to our TACACS+ server anyway. After playing around with it and reading the AAA section of Cisco ASA: All-in-One Firewall, IPS, Anti-X, and VPN Adaptive Security Appliance, I came up with a configuration that will be our standard when building ASAs.
|Related: How to configure tac_plus (TACACS+ daemon) on Ubuntu Server|
Without further delay, here are the steps to enable AAA on ASA using CLI:
This command enables the TACACS+ protocol and use the name TACACS+ as the AAA server group.
ciscoasa (config)# aaa-server TACACS+ protocol tacacs+
To specify the maximum number of failures that will be allowed for any server in the group before that server is deactivated. The default value is three.
aaa-server TACACS+ max-failed-attempts 3
There are two different AAA server reactivation modes in ASA: timed mode and depletion mode. The command below is the timed mode. With the timed mode, it reactivates a failed server after 30 seconds of downtime. In my limited testing, it continuously tried to reactivate the server after 30 seconds when I bring the TACACS+ server down.
ciscoasa(config-aaa-server-group)# reactivation-mode timed
With the depletion mode shown below, the failed TACACS+ server will stay down until all servers in the group are in the failed state. The default deadtime is 10 minutes.
ciscoasa(config-aaa-server-group)# reactivation-mode depletion
To check the status of the TACACS+ server on a particular ASA.
ciscoasa# show aaa-server proto tacacs | i status Server status: FAILED, Server disabled at 15:15:52 UTC Wed Mar 5 2012 Server status: FAILED, Server disabled at 15:15:52 UTC Wed Mar 5 2012
This command specifies the TACACS+ server’s IP address. If you notice there’s a (inside) keyword in the command. This basically tells the ASA which interface to send the TACACS+ traffic. If the TACACS+ server is actually on the outside interface, then you just change it to outside. In this scenario, the TACACS+ is part of the inside network.
aaa-server TACACS+ (inside) host 192.168.100.200 tacacs-key timeout 3 aaa-server TACACS+ (inside) host 192.168.100.201 tacacs-key timeout 3
By issuing this command, it instructs the ASA to use the user’s enable password stored in the TACACS+ server first and then use the local enable password as a backup if the TACACS+ servers are unavailable.
aaa authentication enable console TACACS+ LOCAL
Don’t get confused with the keyword console and serial console. The serial is the actual physical console port in the ASA. If you do not issue this command, ASA will use the user local user database for authentication. Same thing as above, if TACACS+ is available then it will always use the stored account on the server before using the local account.
aaa authentication serial console TACACS+ LOCAL
This is a good idea to enable if you want to manage your ASA using ASDM. Same thing as above, if TACACS+ is available then it will always use the stored account on the server before using the local account.
aaa authentication http console TACACS+ LOCAL
This is for managing your ASA using SSH. Same thing as above, if TACACS+ is available then it will always use the stored account on the server before using the local account. If you want to manage your ASA using telnet, just change the ssh keyword to telnet. I honestly do not recommend using telnet.
aaa authentication ssh console TACACS+ LOCAL
Once the authentication part is finished, now you need to enable the authorization. This tells the ASA what commands are available for the authenticated user. To enable authorization, issue the command below. Again, if TACACS+ is available then it will always use the stored account on the server before using the local account.
aaa authorization command TACACS+ LOCAL
Once done with the authorization, you may want to monitor the commands that have been issued in the ASA. To enable accounting, issue the command below. This command will only monitor issued commands that are listed in the privilege level 15. If you want to monitor all commands, feel free to change the level to 1.
aaa accounting command privilege 15 TACACS+
There you have it, a step by step guide on how to enable AAA on Cisco ASAs. There’s no good reason to not enable AAA especially if you can get the TACACS+ server for free!
I hope this has been helpful and thank you for reading!
Are you ready to improve your network security?
Let us answer more questions by contacting us. We’re here to listen and provide solutions that are right for you.
Related blog posts:
Want to learn more about ASA?
NetworkJutsu.com is a participant in the Amazon Services LLC Associates Program, an affiliate advertising program designed to provide a means for sites to earn advertising fees by advertising and linking to Amazon.com.