Analyze AAA Device Administration Behavior for ASA

Available Languages

Download Options

  • PDF     (83.2 KB)
    View with Adobe Reader on a variety of devices
  • ePub     (92.2 KB)
    View in various apps on iPhone, iPad, Android, Sony Reader, or Windows Phone
  • Mobi (Kindle)     (88.2 KB)
    View on Kindle device or Kindle app on multiple devices
Updated:July 14, 2020
Document ID:215792

Bias-Free Language

The documentation set for this product strives to use bias-free language. For the purposes of this documentation set, bias-free is defined as language that does not imply discrimination based on age, disability, gender, racial identity, ethnic identity, sexual orientation, socioeconomic status, and intersectionality. Exceptions may be present in the documentation due to language that is hardcoded in the user interfaces of the product software, language used based on RFP documentation, or language that is used by a referenced third-party product. Learn more about how Cisco is using Inclusive Language.

    Introduction

    This document describes the device administration behavior when an ASA is configured for authentication and authorization using a AAA Server. This document shows the use of the Cisco Identity Service Engine (ISE) as a AAA server with an Active Directory as the External Identity Store. TACACS+ is the AAA protocol in use.


    Contributed by Dinesh Moudgil and Poonam Garg, Cisco HTTS Engineers

    Prerequisites

    Requirements

    Cisco recommends that you have knowledge of these topics:

    • Basic knowledge of ASA's CLI and ASDM
    • Connectivity between ASA and AAA server
    • AAA configuration on Cisco ISE for Authentication and Authorization

    Components Used

    The information in this document is based on the following software version:

    • ASAv running 9.9(2)
    • Cisco Identity Service Engine 2.6

    The information in this document was created from the devices in a specific lab environment. All of the devices used in this document started with a cleared (default) configuration. If your network is live, ensure that you understand the potential impact of any command.

    Background Information


    Cisco ASA supports the authentication of administrative sessions by using a local user database, a RADIUS server, or a TACACS+ server. An administrator can connect to the Cisco ASA via:

    • Telnet
    • Secure Shell (SSH)
    • Serial console connection
    • Cisco ASA Device Manager (ASDM)

    If connecting via Telnet or SSH, the user can retry authentication three times in case of user error. After the third time, the authentication session and connection to the Cisco ASA are closed.

    Before you start the configuration, you must decide which user database you will use (local or external AAA server). If you are using an external AAA server, as configured in this document, configure the AAA server group and host as covered in the below sections. You can use the aaa authentication and aaa authorization commands to require authentication and authorization verification respectively when accessing Cisco ASA for administration.

    Network Diagram

    Configure

    This is the information used for all the examples in this document.

    a) ASA configuration:

    aaa-server ISE protocol tacacs+
    aaa-server ISE (internet) host 10.197.164.22
    key *****


    b) AAA configuration:

    Authentication on the AAA server is performed against Identity Store Sequence which consists of AD and local database

    Case 1: ASA Authentication configured via AAA server


    On ASA:

    aaa authentication ssh console ISE LOCAL


    On AAA server:

    Authorization results:

    a) Shell profile

        Default privilege: 1
        Maximum privilege: 15

    b) Command set
        Permit All

    Admin Behavior:

    Connection to 10.197.164.28 closed.
    DMOUDGIL-M-N1D9:~ dmoudgil$
    DMOUDGIL-M-N1D9:~ dmoudgil$
    DMOUDGIL-M-N1D9:~ dmoudgil$ ssh ASA_priv1@10.197.164.28
    ASA_priv1@10.197.164.28's password:
    User ASA_priv1 logged in to ciscoasa
    Logins over the last 9 days: 11. Last login: 12:59:51 IST May 7 2020 from 10.65.81.163
    Failed logins since the last login: 0.
    Type help or '?' for a list of available commands.
    ciscoasa> enable
    Password: 
    ciscoasa#
    ciscoasa# show curpriv
    Username : enable_15
    Current privilege level : 15
    Current Mode/s : P_PRIV


    ASA Logs:

    May 07 2020 12:57:26: %ASA-6-113008: AAA transaction status ACCEPT : user = ASA_priv1
    May 07 2020 12:57:26: %ASA-6-611101: User authentication succeeded: IP address: 10.65.81.163, Uname: ASA_priv1
    May 07 2020 12:57:26: %ASA-6-611101: User authentication succeeded: IP address: 10.65.81.163, Uname: ASA_priv1
    May 07 2020 12:57:26: %ASA-6-605005: Login permitted from 10.65.81.163/56048 to internet:10.197.164.28/ssh for user "ASA_priv1"
    May 07 2020 12:57:30: %ASA-7-111009: User 'enable_15' executed cmd: show logging
    May 07 2020 12:57:40: %ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15
    May 07 2020 12:57:40: %ASA-5-111008: User 'ASA_priv1' executed the 'enable' command.



    Observations:

    1. Authentication for SSH session is performed via AAA server
    2. Authorization is done locally irrespective of the privilege configured on the AAA server in the authorization result
    3. After the user is authenticated via AAA server, when the user enters the keyword "enable" (which has no password set by default) or enters the enable password (if configured), the corresponding username used is enable_15

    May 07 2020 12:57:40: %ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15


    4. The default privilege for enable password is 15 unless you define enable password with specific privilege. For example:

    enable password C!sco123 level 9


    5. If you are using enable with different privilege, the corresponding username that comes up on ASA is enable_x (where x being the privilege)

    May 07 2020 13:20:49: %ASA-5-502103: User priv level changed: Uname: enable_8 From: 1 To: 8

    Case 2: ASA Authentication and exec authorization configured via AAA server

    On ASA:

    aaa authentication ssh console ISE LOCAL
    aaa authorization exec authentication-server


    On AAA server:

    Authorization results:

    a) Shell profile

        Default privilege: 1
        Maximum privilege: 15

    b) Command set
        Permit All



    Admin Behavior:

    DMOUDGIL-M-N1D9:~ dmoudgil$ ssh ASA_priv1@10.197.164.28
    ASA_priv1@10.197.164.28's password:
    User ASA_priv1 logged in to ciscoasa
    Logins over the last 1 days: 8. Last login: 14:12:52 IST May 7 2020 from 10.65.81.163
    Failed logins since the last login: 0. 
    Type help or '?' for a list of available commands.
    ciscoasa> show curpriv
    Username : ASA_priv1
    Current privilege level : 1
    Current Mode/s : P_UNPR
    ciscoasa> enable
    Password:
    ciscoasa# show curpriv
    Username : enable_15
    Current privilege level : 15
    Current Mode/s : P_PRIV

    ASA Logs:

    May 07 2020 13:59:54: %ASA-6-113004: AAA user authentication Successful : server = 10.197.164.22 : user = ASA_priv1
    May 07 2020 13:59:54: %ASA-6-302013: Built outbound TCP connection 75 for internet:10.197.164.22/49 (10.197.164.22/49) to identity:10.197.164.28/49068 (10.197.164.28/49068)
    May 07 2020 13:59:54: %ASA-6-113004: AAA user authorization Successful : server = 10.197.164.22 : user = ASA_priv1
    May 07 2020 13:59:54: %ASA-6-113008: AAA transaction status ACCEPT : user = ASA_priv1
    May 07 2020 13:59:54: %ASA-6-611101: User authentication succeeded: IP address: 10.65.81.163, Uname: ASA_priv1
    May 07 2020 13:59:54: %ASA-6-611101: User authentication succeeded: IP address: 10.65.81.163, Uname: ASA_priv1
    May 07 2020 13:59:54: %ASA-6-605005: Login permitted from 10.65.81.163/57671 to internet:10.197.164.28/ssh for user "ASA_priv1"
    May 07 2020 13:59:59: %ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15
    May 07 2020 13:59:59: %ASA-5-111008: User 'ASA_priv1' executed the 'enable' command.


    Observations:

    1. Authentication and exec authorization is performed via AAA server
    2. Exec authorization governs the user privilege for all the requests for the console connections (ssh, telnet and enable) configured for authentication

    Note: This does not include serial connection to the ASA

    3. AAA server is configured in a way to provide default privilege 1 and the maximum privilege of 15 as a result of the authorization
    4. When the user logs in to ASA via TACACS+ credentials configured on the AAA server, the user initially is given privilege 1 by AAA server
    5. Once the user enters keyword "enable", presses enter again (if enable password not configured) or enters enable password(if configured), they get into the privileged mode where the privilege changes to 15

    Case 3: ASA Authentication, exec authorization and command authorization configured via AAA server

    On ASA:

    aaa authentication ssh console ISE LOCAL
    aaa authorization exec authentication-server
    aaa authorization command ISE LOCAL


    On AAA server:

    Authorization results:

    a) Shell profile

        Default privilege: 1
        Maximum privilege: 15

    b) Command set
        Permit All

    Admin Behavior:

    DMOUDGIL-M-N1D9:~ dmoudgil$ ssh ASA_priv1@10.197.164.28
    ASA_priv1@10.197.164.28's password:
    User ASA_priv1 logged in to ciscoasa
    Logins over the last 1 days: 7. Last login: 17:12:23 IST May 9 2020 from 10.65.81.163
    Failed logins since the last login: 0. Last failed login: 17:12:21 IST May 9 2020 from 10.65.81.163
    Type help or '?' for a list of available commands.
    ciscoasa> show curpriv
    Username : ASA_priv1
    Current privilege level : 1
    Current Mode/s : P_UNPR
    ciscoasa> enable
    Password:
    ciscoasa# show curpriv
    Command authorization failed


    ASA Logs:

    May 09 2020 17:13:05: %ASA-6-113004: AAA user authentication Successful : server = 10.197.164.22 : user = ASA_priv1
    May 09 2020 17:13:05: %ASA-6-302013: Built outbound TCP connection 170 for internet:10.197.164.22/49 (10.197.164.22/49) to identity:10.197.164.28/21275 (10.197.164.28/21275)
    May 09 2020 17:13:05: %ASA-6-302014: Teardown TCP connection 169 for internet:10.197.164.22/49 to identity:10.197.164.28/30256 duration 0:00:00 bytes 67 TCP Reset-I from internet
    May 09 2020 17:13:05: %ASA-6-113004: AAA user authorization Successful : server = 10.197.164.22 : user = ASA_priv1
    May 09 2020 17:13:05: %ASA-6-113008: AAA transaction status ACCEPT : user = ASA_priv1
    May 09 2020 17:13:05: %ASA-6-611101: User authentication succeeded: IP address: 10.65.81.163, Uname: ASA_priv1
    May 09 2020 17:13:05: %ASA-6-611101: User authentication succeeded: IP address: 10.65.81.163, Uname: ASA_priv1
    May 09 2020 17:13:05: %ASA-6-605005: Login permitted from 10.65.81.163/49218 to internet:10.197.164.28/ssh for user "ASA_priv1"
    May 09 2020 17:13:05: %ASA-6-302014: Teardown TCP connection 170 for internet:10.197.164.22/49 to identity:10.197.164.28/21275 duration 0:00:00 bytes 61 TCP Reset-I from internet
    May 09 2020 17:13:05: %ASA-7-609002: Teardown local-host internet:10.197.164.22 duration 0:00:00
    May 09 2020 17:13:07: %ASA-7-609001: Built local-host internet:10.197.164.22
    May 09 2020 17:13:07: %ASA-6-302013: Built outbound TCP connection 171 for internet:10.197.164.22/49 (10.197.164.22/49) to identity:10.197.164.28/53081 (10.197.164.28/53081)
    May 09 2020 17:13:07: %ASA-7-111009: User 'ASA_priv1' executed cmd: show curpriv
    May 09 2020 17:13:08: %ASA-6-302014: Teardown TCP connection 171 for internet:10.197.164.22/49 to identity:10.197.164.28/53081 duration 0:00:00 bytes 82 TCP Reset-I from internet
    May 09 2020 17:13:08: %ASA-7-609002: Teardown local-host internet:10.197.164.22 duration 0:00:00
    May 09 2020 17:13:10: %ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15
    May 09 2020 17:13:10: %ASA-5-111008: User 'ASA_priv1' executed the 'enable' command.
    May 09 2020 17:13:12: %ASA-7-609001: Built local-host internet:10.197.164.22
    May 09 2020 17:13:12: %ASA-6-302013: Built outbound TCP connection 172 for internet:10.197.164.22/49 (10.197.164.22/49) to identity:10.197.164.28/46803 (10.197.164.28/46803)
    May 09 2020 17:13:12: %ASA-6-113016: AAA credentials rejected : reason = Unspecified : server = 10.197.164.22 : user = ***** : user IP = 10.65.81.163
    May 09 2020 17:13:12: %ASA-6-302014: Teardown TCP connection 172 for internet:10.197.164.22/49 to identity:10.197.164.28/46803 duration 0:00:00 bytes 82 TCP Reset-I from internet
    May 09 2020 17:13:12: %ASA-7-609002: Teardown local-host internet:10.197.164.22 duration 0:00:00
    May 09 2020 17:13:20: %ASA-7-609001: Built local-host internet:10.197.164.22
    May 09 2020 17:13:20: %ASA-6-302013: Built outbound TCP connection 173 for internet:10.197.164.22/49 (10.197.164.22/49) to identity:10.197.164.28/6934 (10.197.164.28/6934)
    May 09 2020 17:13:20: %ASA-6-113016: AAA credentials rejected : reason = Unspecified : server = 10.197.164.22 : user = ***** : user IP = 10.65.81.163

    Observations:

    1. Authentication and exec authorization is performed via AAA server
    2. Exec authorization governs the user privilege for all the requests for the console connections (ssh, telnet and enable) configured for authentication
    3. Command authorization is performed by AAA server using the command "aaa authorization command ISE LOCAL"

    Note: This does not include serial connection to the ASA

    4. When the user logs in to ASA via TACACS+ credentials configured on the AAA server, the user initially is given privilege 1 by AAA server
    5. Once the user enters keyword "enable", presses enter again (if enable password not configured) or enters enable password (if configured), they get into the privileged mode where the privilege changes to 15
    6. Command authorization fails with this configuration because the AAA server shows the command being issued by username "enable_15" instead of real logged in authenticated user.
    7. Any command executed on an existing session will also fail due to command authorization failure
    8. To address this, create a user named "enable_15" on AAA server or on AD and ASA (for local fallback) with a random password



    Once the user is configured on the AAA server or AD, the following behavior is observed:

    i. For initial authentication, the AAA server verifies the real username of the logged-in user
    ii. Once the enable password is entered, it is verified locally on the ASA since enable authentication does not point to the AAA server in this configuration
    iii. After enabling password, all the commands are executed with the username "enable_15" and AAA allows those commands by the virtue of the existence of that username on AAA server or AD

    Once the user "enable_15" is configured, the administrator is allowed to transition from privilege mode to configuration mode on the ASA.


    Admin Behavior:

    DMOUDGIL-M-N1D9:~ dmoudgil$ ssh ASA_priv1@10.197.164.28
    ASA_priv1@10.197.164.28's password:
    User ASA_priv1 logged in to ciscoasa
    Logins over the last 1 days: 2. Last login: 16:50:42 IST May 9 2020 from 10.65.81.163
    Failed logins since the last login: 5. Last failed login: 16:53:55 IST May 9 2020 from 10.65.81.163
    Type help or '?' for a list of available commands.
    ciscoasa> show curpriv
    Username : ASA_priv1
    Current privilege level : 1
    Current Mode/s : P_UNPR
    ciscoasa> enable
    Password:
    ciscoasa# show curpriv
    Username : enable_15
    Current privilege level : 15
    Current Mode/s : P_PRIV
    ciscoasa# configure terminal

    ASA Logs:

    May 09 2020 17:05:29: %ASA-6-113004: AAA user authentication Successful : server = 10.197.164.22 : user = ASA_priv1
    May 09 2020 17:05:29: %ASA-6-302013: Built outbound TCP connection 113 for internet:10.197.164.22/49 (10.197.164.22/49) to identity:10.197.164.28/31109 (10.197.164.28/31109)
    May 09 2020 17:05:29: %ASA-6-113004: AAA user authorization Successful : server = 10.197.164.22 : user = ASA_priv1
    May 09 2020 17:05:29: %ASA-6-113008: AAA transaction status ACCEPT : user = ASA_priv1
    May 09 2020 17:05:29: %ASA-6-611101: User authentication succeeded: IP address: 10.65.81.163, Uname: ASA_priv1
    May 09 2020 17:05:29: %ASA-6-611101: User authentication succeeded: IP address: 10.65.81.163, Uname: ASA_priv1
    May 09 2020 17:05:29: %ASA-6-302014: Teardown TCP connection 112 for internet:10.197.164.22/49 to identity:10.197.164.28/7703 duration 0:00:00 bytes 67 TCP Reset-I from internet
    May 09 2020 17:05:29: %ASA-6-605005: Login permitted from 10.65.81.163/65524 to internet:10.197.164.28/ssh for user "ASA_priv1"
    May 09 2020 17:05:29: %ASA-6-302014: Teardown TCP connection 113 for internet:10.197.164.22/49 to identity:10.197.164.28/31109 duration 0:00:00 bytes 61 TCP Reset-I from internet
    May 09 2020 17:05:29: %ASA-7-609002: Teardown local-host internet:10.197.164.22 duration 0:00:00
    May 09 2020 17:05:32: %ASA-7-609001: Built local-host internet:10.197.164.22
    May 09 2020 17:05:32: %ASA-6-302013: Built outbound TCP connection 114 for internet:10.197.164.22/49 (10.197.164.22/49) to identity:10.197.164.28/64339 (10.197.164.28/64339)
    May 09 2020 17:05:32: %ASA-7-111009: User 'ASA_priv1' executed cmd: show curpriv
    May 09 2020 17:05:32: %ASA-6-302014: Teardown TCP connection 114 for internet:10.197.164.22/49 to identity:10.197.164.28/64339 duration 0:00:00 bytes 82 TCP Reset-I from internet
    May 09 2020 17:05:32: %ASA-7-609002: Teardown local-host internet:10.197.164.22 duration 0:00:00
    May 09 2020 17:05:35: %ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15
    May 09 2020 17:05:35: %ASA-5-111008: User 'ASA_priv1' executed the 'enable' command.
    May 09 2020 17:05:37: %ASA-7-609001: Built local-host internet:10.197.164.22
    May 09 2020 17:05:37: %ASA-6-302013: Built outbound TCP connection 115 for internet:10.197.164.22/49 (10.197.164.22/49) to identity:10.197.164.28/4236 (10.197.164.28/4236)
    May 09 2020 17:05:37: %ASA-7-111009: User 'enable_15' executed cmd: show curpriv
    May 09 2020 17:05:37: %ASA-6-302014: Teardown TCP connection 115 for internet:10.197.164.22/49 to identity:10.197.164.28/4236 duration 0:00:00 bytes 82 TCP Reset-I from internet
    May 09 2020 17:05:37: %ASA-7-609002: Teardown local-host internet:10.197.164.22 duration 0:00:00
    May 09 2020 17:05:44: %ASA-7-609001: Built local-host internet:10.197.164.22
    May 09 2020 17:05:44: %ASA-6-302013: Built outbound TCP connection 116 for internet:10.197.164.22/49 (10.197.164.22/49) to identity:10.197.164.28/27478 (10.197.164.28/27478)
    May 09 2020 17:05:44: %ASA-5-111007: Begin configuration: 10.65.81.163 reading from terminal
    May 09 2020 17:05:44: %ASA-5-111008: User 'enable_15' executed the 'configure terminal' command.
    May 09 2020 17:05:44: %ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.65.81.163, executed 'configure terminal'

    Note: If command authorization via TACACS is configured on the ASA, it is mandatory to have "local" as a fallback when the AAA server is not reachable.
    This is because command authorization applies to all the ASA sessions (serial console, ssh, telnet) even when authentication is not configured for serial console. In such case where AAA server is not reachable and user "enable_15" is not present in the local database, the administrator gets the following error:

    Fallback authorization. Username 'enable_15' not in LOCAL database
    Command authorization failed

    ASA Logs:


    %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication request for user cisco : Auth-server group ISE unreachable
    %ASA-6-113012: AAA user authentication Successful : local database : user = cisco
    %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication request for user cisco : Auth-server group ISE unreachable
    %ASA-6-113004: AAA user authorization Successful : server = LOCAL : user = cisco
    %ASA-6-113008: AAA transaction status ACCEPT : user = cisco
    %ASA-6-611101: User authentication succeeded: IP address: 10.65.81.163, Uname: cisco
    %ASA-6-611101: User authentication succeeded: IP address: 10.65.81.163, Uname: cisco
    %ASA-6-605005: Login permitted from 10.65.81.163/65416 to internet:10.197.164.28/ssh for user "cisco"
    %ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15
    %ASA-5-111008: User 'cisco' executed the 'enable' command.
    %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authorization request for user enable_15 : Auth-server group ISE unreachable
    %ASA-5-111007: Begin configuration: 10.65.81.163 reading from terminal
    %ASA-5-111008: User 'enable_15' executed the 'configure terminal' command.
    %ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.65.81.163, executed 'configure terminal'
    %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authorization request for user enable_15 : Auth-server group ISE unreachable

    Note: With the above configuration, command authorization will work but command accounting will still show username "enable_15" instead of the real username of the logged-in user. This becomes difficult for administrators to determine which user executed which particular command on the ASA.

    To address this accounting issue pertaining to "enable_15" user:

    1. Use the keyword "auto-enable" in exec authorization command on the ASA
    2. Set the default and maximum privilege to 15 in TACACS shell profile assigned to the authenticated user

    Case 4: ASA Authentication, exec authorization using "auto-enable" and command authorization configured via AAA server

    On ASA:

    aaa authentication ssh console ISE LOCAL
    aaa authorization exec authentication-server auto-enable
    aaa authorization command ISE LOCAL


    On AAA server:

    Authorization results:

    a) Shell profile

        Default privilege: 15
        Maximum privilege: 15

    b) Command set
        Permit All

    Admin Behavior:

    DMOUDGIL-M-N1D9:~ dmoudgil$ ssh ASA_priv1@10.197.164.28
    ASA_priv1@10.197.164.28's password:
    User ASA_priv1 logged in to ciscoasa
    Logins over the last 1 days: 8. Last login: 17:13:05 IST May 9 2020 from 10.65.81.163
    Failed logins since the last login: 0. Last failed login: 17:12:21 IST May 9 2020 from 10.65.81.163
    Type help or '?' for a list of available commands.
    ciscoasa# show curpriv
    Username : ASA_priv1
    Current privilege level : 15
    Current Mode/s : P_PRIV
    ciscoasa# configure terminal
    ciscoasa(config)#


    ASA Logs:

    May 09 2020 17:40:04: %ASA-6-113004: AAA user authentication Successful : server = 10.197.164.22 : user = ASA_priv1
    May 09 2020 17:40:04: %ASA-6-302013: Built outbound TCP connection 298 for internet:10.197.164.22/49 (10.197.164.22/49) to identity:10.197.164.28/57617 (10.197.164.28/57617)
    May 09 2020 17:40:04: %ASA-6-113004: AAA user authorization Successful : server = 10.197.164.22 : user = ASA_priv1
    May 09 2020 17:40:04: %ASA-6-113008: AAA transaction status ACCEPT : user = ASA_priv1
    May 09 2020 17:40:04: %ASA-6-611101: User authentication succeeded: IP address: 10.65.81.163, Uname: ASA_priv1
    May 09 2020 17:40:04: %ASA-6-611101: User authentication succeeded: IP address: 10.65.81.163, Uname: ASA_priv1
    May 09 2020 17:40:04: %ASA-6-605005: Login permitted from 10.65.81.163/49598 to internet:10.197.164.28/ssh for user "ASA_priv1"
    May 09 2020 17:40:04: %ASA-6-302014: Teardown TCP connection 297 for internet:10.197.164.22/49 to identity:10.197.164.28/6083 duration 0:00:00 bytes 67 TCP Reset-I from internet
    May 09 2020 17:40:04: %ASA-7-609001: Built local-host internet:139.59.219.101
    May 09 2020 17:40:04: %ASA-6-302015: Built outbound UDP connection 299 for internet:139.59.219.101/123 (139.59.219.101/123) to mgmt-gateway:192.168.100.4/123 (10.197.164.28/195)
    May 09 2020 17:40:04: %ASA-6-302014: Teardown TCP connection 298 for internet:10.197.164.22/49 to identity:10.197.164.28/57617 duration 0:00:00 bytes 61 TCP Reset-I from internet
    May 09 2020 17:40:04: %ASA-7-609002: Teardown local-host internet:10.197.164.22 duration 0:00:00
    May 09 2020 17:40:09: %ASA-7-609001: Built local-host internet:10.197.164.22
    May 09 2020 17:40:09: %ASA-6-302013: Built outbound TCP connection 300 for internet:10.197.164.22/49 (10.197.164.22/49) to identity:10.197.164.28/4799 (10.197.164.28/4799)
    May 09 2020 17:40:09: %ASA-7-111009: User 'ASA_priv1' executed cmd: show curpriv
    May 09 2020 17:40:09: %ASA-6-302014: Teardown TCP connection 300 for internet:10.197.164.22/49 to identity:10.197.164.28/4799 duration 0:00:00 bytes 82 TCP Reset-I from internet
    May 09 2020 17:40:09: %ASA-7-609002: Teardown local-host internet:10.197.164.22 duration 0:00:00
    May 09 2020 17:40:14: %ASA-5-111007: Begin configuration: 10.65.81.163 reading from terminal
    May 09 2020 17:40:14: %ASA-5-111008: User 'ASA_priv1' executed the 'configure terminal' command.
    May 09 2020 17:40:14: %ASA-5-111010: User 'ASA_priv1', running 'CLI' from IP 10.65.81.163, executed 'configure terminal'

    Observations:

    1. Authentication and exec authorization is performed via AAA server
    2. Exec authorization governs the user privilege for all the requests for the console connections(ssh, telnet and enable) configured for authentication

    Note: This does not include serial connection to the ASA

    3. Command authorization is performed by AAA server using the command "aaa authorization command ISE LOCAL"
    4. When the user logs in to ASA via TACACS+ credentials configured on the AAA server, the user gets privilege 15 by AAA server and thus logs into privilege mode
    5. With the above configuration, the user is not required to enter enable password, and user "enable_15" is not required to be configured on the ASA or AAA server.
    6. AAA server will now report the command authorization request coming from real username of the logged-in user

    Related Information

    Here are some documents for reference related to AAA Device Administration for ASA:

    https://community.cisco.com/t5/security-documents/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365#toc-hId--1046199281


    https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200207-ISE-2-0-ASA-CLI-TACACS-Authentication.pdf

    TAC Authored

    Contributed by Cisco Engineers

    • Created by Dinesh Moudgil
      HTTS Engineer
    • Created by Poonam Garg
      HTTS Engineer
    • Edited by Cesar Ivan Monterrubio Ramirez
      Technical Consulting Engineer

    Was this Document Helpful?

    FeedbackFeedback

    Contact Cisco

    This Document Applies to These Products