restricting access to Cisco ASA console

Discussion in 'Cisco' started by aprzestroga@op.pl, May 15, 2009.

  1. Guest

    Hi All,

    I need to restrict access to my Cisco ASA firewall console port.
    Currently there is no need to specify a password when accessing it
    (required only when changing privilege level to 15). I would like to
    configure it so that when someone tries to access the console port, he
    will need to authenticate via TACACS (and if the TACACS server cannot be
    reached, specify the local enable password).

    On my routers I have it configured as follows:

    aaa authentication login default group tacacs+ local
    aaa authentication login console_access enable
    aaa authentication enable default group tacacs+ enable

    tacacs-server host 192.168.30.254
    tacacs-server key 7 <REMOVED>

    line con 0
    exec-timeout 15 0
    logging synchronous
    login authentication console_access



    On my ASA I have tried this:
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (management) host 192.168.30.254
    key <REMOVED>
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication enable console TACACS+ LOCAL

    Unfortunately, I am not being prompted for a password when accessing the
    firewall via the console port (it works fine for the SSH sessions). Is
    it because I am missing the below line?

    aaa authentication serial console TACACS+ LOCAL

    Also, I do not understand what is the purpose of having the "console"
    keyword in lines containing telnet, ssh and enable. Could you please
    clarify this for me?

    Thank you.

    Regards,
    AP
     
    , May 15, 2009
    #1

  2. flamer Guest

    try this:

    aaa new-model
    aaa authentication login default group tacacs+ local
    aaa authentication enable default group tacacs+ local
    aaa authorization console
    aaa authorization exec default group radius if-authenticated
    aaa accounting suppress null-username

    tacacs-server host 192.168.30.254
    tacacs-server key 7 <REMOVED>

    line con 0
    exec-timeout 20 0
    (no extra commands here as you just set tacacs as the default)

    Flamer
     
    flamer , May 18, 2009
    #2

  3. flamer wrote:
    > try this:
    >
    > aaa new-model
    > aaa authentication login default group tacacs+ local
    > aaa authentication enable default group tacacs+ local
    > aaa authorization console
    > aaa authorization exec default group radius if-authenticated
    > aaa accounting suppress null-username
    >
    > tacacs-server host 192.168.30.254
    > tacacs-server key 7 <REMOVED>
    >
    > line con 0
    > exec-timeout 20 0
    > (no extra commands here as you just set tacacs as the default)
    >
    > Flamer


    Flamer,

    I think you misunderstood me. I do not have problems setting this up on
    Cisco switches and routers, but Cisco ASA. I do not think that there is
    a "line console 0" equivalent on Cisco ASA. Am I right?

    Thanks,
    AP
     
    Adam Przestroga, May 18, 2009
    #3
  4. Daniel-G Guest

    said the following on 05/16/2009 12:40 AM:
    > Hi All,
    >
    > I am in need to restrict access to my Cisco ASA firewall console port.
    > Currently there is no need to specify password when accessing it
    > (required only when changing privilege level to 15). I would like to
    > configure it so that when someone tries to access the console port, he
    > will need to authenticate via TACACs (and if TACACs server cannot be
    > reached, specify the local enable password).
    >
    > On my routers I have it configured as follows:
    >
    > aaa authentication login default group tacacs+ local
    > aaa authentication login console_access enable
    > aaa authentication enable default group tacacs+ enable
    >
    > tacacs-server host 192.168.30.254
    > tacacs-server key 7 <REMOVED>
    >
    > line con 0
    > exec-timeout 15 0
    > logging synchronous
    > login authentication console_access
    >
    >
    >
    > On my ASA I have tried this:
    > aaa-server TACACS+ protocol tacacs+
    > aaa-server TACACS+ (management) host 192.168.30.254
    > key <REMOVED>
    > aaa authentication ssh console TACACS+ LOCAL
    > aaa authentication enable console TACACS+ LOCAL
    >
    > Unfortunately, I am not being prompted for password when accessing the
    > firewall via the console port (it works fine for the SSH sessions). Is
    > it because I am missing the below line?
    >
    > aaa authentication serial console TACACS+ LOCAL
    >
    > Also, I do not understand what is the purpose of having the "console"
    > keyword in lines containing telnet, ssh and enable. Could you please
    > clarify this for me?
    >
    > Thank you.
    >
    > Regards,
    > AP

    As far as I remember, the only way to limit console access is:
    1- Limit the logging level to critical
    2- Set a secret password

    The keyword console describes to which device the authentication is
    valid (it could be network for VPN group authentication, for example).

    aaa is valid on an ASA
    http://www.cisco.com/en/US/products...figuration_example09186a008069bf1b.shtml#conf


    Hope this helps

    Daniel
     
    Daniel-G, May 18, 2009
    #4
  5. Daniel-G wrote:
    > As far as I remember, the only way to limit console access is:
    > 1- Limit the logging level to critical
    > 2- Set a secret password
    >
    > The keyword console describes to which device the authentication is
    > valid (it could be network for VPN group authentication, for example).
    >
    > aaa is valid on an ASA
    > http://www.cisco.com/en/US/products...figuration_example09186a008069bf1b.shtml#conf


    Daniel,

    Thank you for taking the time to respond to my post. I am not sure I
    understand why logging needs to be set to critical (also, what logging
    are you referring to: console, monitor, syslog or buffer)? I have
    already set the secret password.

    Thanks,
    AP
     
    Adam Przestroga, May 18, 2009
    #5
  6. Daniel-G Guest

    Adam Przestroga said the following on 05/19/2009 12:56 AM:
    > Daniel-G wrote:
    >> As far as I remember, the only way to limit console access is:
    >> 1- Limit the logging level to critical
    >> 2- Set a secret password
    >>
    >> The keyword console describes to which device the authentication is
    >> valid (it could be network for VPN group authentication, for example).
    >>
    >> aaa is valid on an ASA
    >> http://www.cisco.com/en/US/products...figuration_example09186a008069bf1b.shtml#conf
    >>

    >
    > Daniel,
    >
    > Thank you for taking the time to respond to my post. I am not sure I
    > understand why logging needs to be set to critical (also, what logging
    > are you referring to: console, monitor, syslog or buffer)? I have
    > already set the secret password.
    >
    > Thanks,
    > AP

    I was talking about the logging level to the console. Actually you
    don't really need to tune it, but the console displays all messages at
    the level it's configured for without anyone having to log in.
    Messages displayed can reveal your internal structure:
    %PIX% .... deny tcp 1.1.1.1(7130) to 3.3.3.3(8080)
    It's just a practice I find good.
    That's all.

    Daniel
     
    Daniel-G, May 19, 2009
    #6
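As an added illustration (not code from the thread or from Cisco), a small Python audit of the two points discussed above: the `aaa authentication serial console` line the original poster asked about, and Daniel's point about the console logging level. The two running-config excerpts are constructed; the hardened one assumes the ASA form `aaa authentication serial console <group> LOCAL`, with LOCAL as the fallback when the TACACS+ server is unreachable.

```python
import re
# Constructed ASA running-config excerpts: WEAK is the poster's original, HARDENED
# adds the serial-console authentication line asked about and quiets console logging.
WEAK_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (management) host 192.168.30.254
 key <REMOVED>
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
logging console informational
"""
HARDENED_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (management) host 192.168.30.254
 key <REMOVED>
aaa authentication ssh console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
logging console critical
"""
# ASA syslog severity names -> numbers (0 = emergencies ... 7 = debugging).
SEVERITY = {"emergencies": 0, "alerts": 1, "critical": 2, "errors": 3,
            "warnings": 4, "notifications": 5, "informational": 6, "debugging": 7}

def parse_aaa_auth(config):
    """Map each access method (ssh, serial, enable, ...) to its list of server groups."""
    auth = {}
    for m in re.finditer(r"^aaa authentication (\S+) console (.+)$", config, re.M):
        auth[m.group(1)] = m.group(2).split()
    return auth

def console_logging_level(config):
    """Numeric 'logging console' level, or None when console logging is not configured."""
    m = re.search(r"^logging console (\S+)$", config, re.M)
    if not m:
        return None
    return SEVERITY.get(m.group(1), int(m.group(1)) if m.group(1).isdigit() else None)

def audit_console_access(config, max_console_level=SEVERITY["critical"]):
    """Return findings for the console port; an empty list means the checks pass."""
    findings, auth = [], parse_aaa_auth(config)
    serial = auth.get("serial")
    if serial is None:
        findings.append("missing 'aaa authentication serial console': console login is unauthenticated")
    elif "LOCAL" not in serial:
        findings.append("serial console has no LOCAL fallback: lockout if the TACACS+ server is down")
    level = console_logging_level(config)
    if level is not None and level > max_console_level:
        findings.append("console logging above critical: syslog detail is shown on the console")
    return findings
```

Running `audit_console_access` on a `show running-config` capture gives the same two findings for the poster's config and none for the hardened one.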
