Tacacs Configuration on Cisco ASA 9.x

1. Overview

 

Tacacs Plus is a protocols for security with AAA services which are , authentication, authorization, accounting. It is used as a centralized authentication to network devices. It also can provide a specific authorization with centralized access to particular user to work with network devices. With accounting, it gives a mandatory audit logs by logging all actions executed by privileged users.

In this document will show how to configure Tacacs Plus protocols for security on Cisco ASA firewall running IOS 9.x.

2. Prerequisites

 

In this article of how to configure Tacacs+ protocols for security on Cisco ASA 9.x, it is presumed that:

a. You had already installed a tacacs server. If you don’t please kindly check one of the following links.

1. Configuring Tacacs Plus with Tacacs Plus User Authentication on RHEL/CentOS 7
2. Configuring Tacacs Plus with Linux Systems Users Authentication on RHEL/CentOS 7
3. Configuring Tacacs Plus with Active Directory User Authentication on RHEL/CentOS 7

b. You had already configured SSH remote management on your Cisco ASA firewall. You would probably like to check this link SSH Configuration on Cisco ASA 9.x.

3. Activate the Backup User account

 

For Cisco ASA is it better to use local user account for console login. It is recommended to configure Tacacs Plus for SSH remote login only.

# aaa authentication serial console LOCAL

Before starting to apply Tacacs Plus protocols security configuration on your Cisco ASA firewall, it is mandatory to create a privilege level and enable a default user account name “enable_15” first. Without doing this two mandatory actions, You will have problem after applying Tacacs Plus authorization command. You will not be able to execute any command on your Cisco ASA firewall any more and you will end up of reboot your ASA firewall and reset the password.

# privilege show level 5 mode configure command filter
# username enable_15 password 3333 privilege 15

4. Configure Tacacs Plus Server

 

The following are the commands to configure Tacacs Plus server on Cisco ASA running IOS 9.x.

# aaa-server TS-AAA protocol tacacs+
reactivation-mode timed
max-failed-attempts 2
# aaa-server TS-AAA (inside) host 192.168.171.13
key TS@123

5. Configure Authentication

 

Now it is time to tell the Cisco ASA firewall to authenticate again user with Tacacs Plus server. The option LOCAL instructs the router or switch to fail over to local user accounts if Tacacs Plus centralized access server is not reachable.

# no aaa authentication ssh console LOCAL
# aaa authentication ssh console VK-AAA LOCAL

6. Configure Authorization

 

When a Cisco ASA firewall is applied with the authorization commands, the user who is able to login can only execute the amount of a specific commands that are allowed on Tacacs Plush protocols security server. The option auto-enable is very important for authorization to work. When you login your ASA firewall with SSH, you don’t need to type command enable from the global configuration mode.

# aaa authorization exec authentication-server auto-enable
# aaa authorization command TS-AAA LOCAL

7. Configure Accounting

 

When we apply accounting command on a router or switch, it will start to log all executed command by a particular user to Tacacs Plus server. So, we can know who doing on our network devices.

# aaa accounting ssh console TS-AAA
# aaa accounting command TS-AAA

8. Testing

 

It is strongly recommend to test Tacacs Plus configuration. There are three thing to test as the following.

  1. Test login to your Cisco ASA firewall using a full privilege account from Tacacs Plus user databases.
  2. Test login to your Cisco ASA firewall using a limited privilege account from Tacacs Plus user databases and make sure that this account can only execute the commands that are allowed on Tacacs Plus server only.
  3. Test disconnect your Cisco ASA firewall from Tacacs Plus server and make sure that you still be able to work with your switch or router via SSH or direct console using local user database. This is extremely important because in case Tacacs Plus server is unavailable, we still be able to manage our network devices.

9. Conclusion

 

You should be able to configure Tacacs Plus on Cisco ASA running IOS version 9.x now. Tacacs+ is the only security protocols used to provide centralized access into networks. Hopefully, you can find this article informative. If you have any questions or suggestions you can always leave your comments below. I will try all of my best to review and reply them.

Comments

comments