Cisco ASA Configuration: prepare a Cisco device for TACACS+ and test

Add Cisco ASA to TacacsGUI. ASA Configuration (pre 8.3, 8.3 and above)


Cisco Device Configuration

Prepare a device.

conf t
interface Vlan10
 nameif mgmt ;!for example
 security-level 100
 ip address <interface ip address> <network mask>

route mgmt 0.0.0.0 0.0.0.0 <default gateway> ;!only needed if TacacsGUI sits in another network

ssh <network address> <network mask> mgmt ;!permit ssh from your management network
exit

Test communication to the TACACS+ server.

ping 10.6.20.10

Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 10.6.20.10, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms

TACACS+ Server Configuration

conf t
aaa-server tacgui protocol tacacs+
aaa-server tacgui (mgmt) host <tacgui ip address> <preshared key>
aaa authentication serial console LOCAL
aaa authentication ssh console tacgui LOCAL
aaa authentication enable console tacgui LOCAL
!aaa authorization command tacgui LOCAL ;!be careful: you can lose your access rights
aaa accounting command tacgui
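The commented-out authorization line above is the one that locks administrators out when it is entered without the LOCAL fallback and the TACACS+ server becomes unreachable. As an added example (not part of this page or of TacacsGUI), the Python lint below reads an ASA configuration and flags three conditions: an aaa authentication/authorization line with no LOCAL fallback, a reference to a server group that no aaa-server line defines, and an ssh line that permits any source address. The sample configuration is constructed from this page's snippet; the host address and key are placeholders.

```python
import re

# Constructed sample ASA configuration, modelled on the snippet on this page.
# Two lines are deliberately risky: command authorization has no LOCAL
# fallback and SSH is permitted from any source address.
SAMPLE_CONFIG = """\
aaa-server tacgui protocol tacacs+
aaa-server tacgui (mgmt) host 10.6.20.10 <preshared-key>
aaa authentication serial console LOCAL
aaa authentication ssh console tacgui LOCAL
aaa authentication enable console tacgui LOCAL
aaa authorization command tacgui
aaa accounting command tacgui
ssh 0.0.0.0 0.0.0.0 mgmt
"""

SERVER_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
AAA_RE = re.compile(r"^aaa (authentication|authorization) \S+ (?:console )?(?P<groups>.+)$")
SSH_RE = re.compile(r"^ssh (\S+) (\S+) (\S+)$")


def lint_asa_aaa(config: str) -> list[str]:
    """Return findings for lines that could lock an admin out or over-expose SSH."""
    lines = [l.strip() for l in config.splitlines()]
    # Server groups that are actually defined by an 'aaa-server <name> protocol ...' line
    defined = {m.group(1) for line in lines if (m := SERVER_RE.match(line))}
    findings = []
    for line in lines:
        if m := AAA_RE.match(line):
            groups = m.group("groups").split()
            # Without LOCAL in the method list, an unreachable TACACS+ server means no login
            if "LOCAL" not in groups:
                findings.append(f"no LOCAL fallback: {line}")
            for group in groups:
                if group != "LOCAL" and group not in defined:
                    findings.append(f"undefined aaa-server group '{group}': {line}")
        elif (m := SSH_RE.match(line)) and m.group(1) == m.group(2) == "0.0.0.0":
            # The page restricts ssh to the management network; any-source is the weak form
            findings.append(f"ssh permitted from any address: {line}")
    return findings


if __name__ == "__main__":
    for finding in lint_asa_aaa(SAMPLE_CONFIG):
        print(finding)
```

Run it against the output of `show running-config` to confirm the fallback is in place before enabling command authorization.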

Test AAA Settings

Run the test.

test aaa-server authentication tacgui username asauser password 123123 ;!incorrect username
Server IP Address or name: <tacgui ip address>
INFO: Attempting Authentication test to IP address <tacgui ip address> (timeout: 12 seconds)
ERROR: Authentication Rejected: Unspecified

test aaa-server authentication tacgui username userasa password 123123 ;!correct user
Server IP Address or name: <tacgui ip address>
INFO: Attempting Authentication test to IP address <tacgui ip address> (timeout: 12 seconds)
INFO: Authentication Successful

Auth with a TACACS+ user

In the example below, the user can execute any command except show crypto isakmp sa and show crypto ipsec sa.

login as: userasa
Sent username "userasa"
userasa@10.11.22.24's password:
Type help or '?' for a list of available commands.
asa-tacgui>
asa-tacgui> en
Password: ******
asa-tacgui# sh ver

Cisco Adaptive Security Appliance Software Version 8.2(5)
Device Manager Version 6.4(5)
...

asa-tacgui# sh interf ;!deny 'show interface*'
Command authorization failed
asa-tacgui# sh interf mgmt ;!deny 'show interface*'
Command authorization failed

asa-tacgui# sh aaa-server
Server Group:    LOCAL
Server Protocol: Local database
Server Address:  None
Server port:     None
...
Author: Alexey Mochalin; Created at: 2018-12-07 22:02:17; Updated at: 2018-12-07 22:34:00