restricting access to Cisco ASA console

 
 
aprzestroga@op.pl
      05-15-2009
Hi All,

I need to restrict access to my Cisco ASA firewall console port.
Currently there is no need to specify a password when accessing it
(one is required only when changing to privilege level 15). I would like to
configure it so that when someone tries to access the console port, he
will need to authenticate via TACACS+ (and if the TACACS+ server cannot be
reached, specify the local enable password).

On my routers I have it configured as follows:

aaa authentication login default group tacacs+ local
aaa authentication login console_access enable
aaa authentication enable default group tacacs+ enable

tacacs-server host 192.168.30.254
tacacs-server key 7 <REMOVED>

line con 0
exec-timeout 15 0
logging synchronous
login authentication console_access



On my ASA I have tried this:
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (management) host 192.168.30.254
key <REMOVED>
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL

Unfortunately, I am not being prompted for password when accessing the
firewall via the console port (it works fine for the SSH sessions). Is
it because I am missing the below line?

aaa authentication serial console TACACS+ LOCAL

Also, I do not understand the purpose of the "console" keyword in the
lines containing telnet, ssh and enable. Could you please clarify this
for me?

Thank you.

Regards,
AP
 
flamer die.spam@hotmail.com
      05-18-2009
try this:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ local
aaa authorization console
aaa authorization exec default group radius if-authenticated
aaa accounting suppress null-username

tacacs-server host 192.168.30.254
tacacs-server key 7 <REMOVED>

line con 0
exec-timeout 20 0
(no extra commands here as you just set tacacs as the default)

Flamer
 
Adam Przestroga
      05-18-2009
flamer wrote:
> try this:
>
> aaa new-model
> aaa authentication login default group tacacs+ local
> aaa authentication enable default group tacacs+ local
> aaa authorization console
> aaa authorization exec default group radius if-authenticated
> aaa accounting suppress null-username
>
> tacacs-server host 192.168.30.254
> tacacs-server key 7 <REMOVED>
>
> line con 0
> exec-timeout 20 0
> (no extra commands here as you just set tacacs as the default)
>
> Flamer


Flamer,

I think you misunderstood me. I do not have problems setting this up on
Cisco switches and routers, but Cisco ASA. I do not think that there is
a "line console 0" equivalent on Cisco ASA. Am I right?

Thanks,
AP
 
Daniel-G
      05-18-2009
(E-Mail Removed) said the following on 05/16/2009 12:40 AM:
> [AP's original post, quoted in full; see above]

As far as I remember, the only way to limit console access is:
1- Limit the logging level to critical
2- Set a secret password

The console keyword describes what the authentication is valid for
(it could be network for VPN group authentication, for example).

aaa is valid on an ASA:
http://www.cisco.com/en/US/products/...f1b.shtml#conf


Hope this helps

Daniel
 
Adam Przestroga
      05-18-2009
Daniel-G wrote:
> As far as I remember, the only way to limit console access is :
> 1- Limit the logging level to critical
> 2- Set a secret password
>
> the keyword console is a keyword to describe to which device the
> authentication is valid (it could be network for vpn group
> authentication, for example)
>
> aaa is valid on an ASA
> http://www.cisco.com/en/US/products/...f1b.shtml#conf


Daniel,

Thank you for taking the time to respond to my post. I am not sure I
understand why logging needs to be set to critical (also, what logging
are you referring to: console, monitor, syslog or buffer?). I have
already set the secret password.

Thanks,
AP
 
Daniel-G
      05-19-2009
Adam Przestroga said the following on 05/19/2009 12:56 AM:
> Daniel-G wrote:
>> As far as I remember, the only way to limit console access is :
>> 1- Limit the logging level to critical
>> 2- Set a secret password
>>
>> the keyword console is a keyword to describe to which device the
>> authentication is valid (it could be network for vpn group
>> authentication, for example)
>>
>> aaa is valid on an ASA
>> http://www.cisco.com/en/US/products/...f1b.shtml#conf
>>

>
> Daniel,
>
> Thank you for taking time and responding to my post. I am not sure I
> understand why logging needs to be set to critical (also what logging
> are you referring to - console, monitor, syslog or buffer)? I have
> already set the secret password.
>
> Thanks,
> AP

I was talking about the logging level for the console.
Actually you don't really need to tune it, but the console displays all
messages at the level it's configured for without anyone having to log in.
Messages displayed can reveal your internal structure:
%PIX% .... deny tcp 1.1.1.1(7130) to 3.3.3.3(8080)
It's just a practice I find good.
That's all.

Daniel
 
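As an added example, not taken from any post in this thread or from Cisco documentation: a management-plane AAA fragment for an ASA that covers the three points raised above, namely the "aaa authentication serial console" line AP asked about, what the "console" keyword means, and Daniel's remark about syslog output appearing on an unauthenticated console. The server address 192.168.30.254 and the "management" interface name are taken from AP's post; the key, the local username, the enable password and the timeout are placeholders. Two caveats a practitioner will want before pasting this in: on the ASA the LOCAL fallback is consulted only when every server in the group fails to answer, not when TACACS+ rejects the credentials, and without a privilege-15 local user a TACACS+ outage leaves no way onto the box at all.

```cisco
! Added example, not from the thread. Management-plane AAA for an ASA:
! TACACS+ first, local database only if the server group is unreachable.
! 192.168.30.254 and the "management" interface come from the thread;
! the key, the local credentials and the timeout are placeholders.
!
! 1. A privilege-15 local user and an enable password must exist BEFORE
!    serial AAA is turned on, or a TACACS+ outage locks you out of the box.
username admin password <CHANGE-ME> privilege 15
enable password <CHANGE-ME>
!
! 2. The server group. "(management)" is the interface the ASA sources
!    TACACS+ traffic from; the key must match the one on the server.
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (management) host 192.168.30.254
 key <REMOVED>
 timeout 5
!
! 3. "console" here means administrative access to the ASA itself, as
!    opposed to cut-through-proxy authentication of traffic through it.
!    Each management path is switched on separately; "serial" is the
!    physical console port, which is why ssh/enable alone left it open.
!    "LOCAL" after the group name is the fallback when no server answers.
aaa authentication serial console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
!
! 4. Optional but useful: who logged in where, and which commands they ran.
aaa accounting serial console TACACS+
aaa accounting ssh console TACACS+
aaa accounting command TACACS+
!
! 5. Optional: lock a local account after repeated failures on the fallback
!    path (the TACACS+ server enforces its own lockout policy).
aaa local authentication attempts max-fail 5
!
! 6. Syslog messages sent to the console are printed on the serial port
!    before anyone logs in, so keep console logging off (or limit it to
!    "logging console critical" if you really need it).
no logging console
```

The http (ASDM) and telnet paths take the same form as the ssh line if they are enabled. With the enable line in place, entering enable prompts for a username and password that go to TACACS+, answered from the local user database only on fallback. Before adding the serial line, confirm the server actually responds with "test aaa-server authentication TACACS+ host 192.168.30.254 username <user> password <password>" from an SSH session that you keep open until the console login has been verified.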