[RADIATOR] TACACS+ and CISCO ASA

Alexander Hartmaier alexander.hartmaier at t-systems.at
Wed Dec 14 11:59:41 CST 2011


Our config is:

aaa-server tacacs protocol tacacs+
aaa-server tacacs (interface) host tacacs1.our.fqdn
     key ***
aaa-server tacacs (interface) host tacacs2.our.fqdn
     key ***

aaa authentication enable console tacacs LOCAL
aaa authentication http console tacacs LOCAL
aaa authentication ssh console tacacs LOCAL
aaa authorization command LOCAL
aaa authorization exec authentication-server

Did you enable trace level 5 in Radiator and check the logs?

Cheers, Alex

On 2011-12-12 18:40, Connolly, Robert T. wrote:
>
> Hi Alex,
>
> I work with Steve Kim. This is what I am using on the ASA for
> authentication and authorization, where radiator-1 is the group name I use:
>
> aaa authorization exec authentication-server
> aaa authentication telnet console radiator-1 LOCAL
> aaa authentication http console radiator-1 LOCAL
> aaa authentication ssh console radiator-1 LOCAL
> aaa authentication serial console radiator-1 LOCAL
>
> Am I missing anything?
>
> Thank you.
>
> Robert
>
> Robert T. Connolly, MBA
> Information Systems
> Senior Network Specialist
> Davis Polk & Wardwell LLP
> 450 Lexington Avenue
> New York, NY 10017
> 212 450 6185 tel
> robert.connolly at davispolk.com
>
>
> From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Alexander Hartmaier
> Sent: Monday, December 12, 2011 12:11 PM
> Cc: radiator at open.com.au
> Subject: Re: [RADIATOR] TACACS+ and CISCO ASA
>
> Did you enable tacacs authentication and authorization on the ASA?
>
> On 2011-12-12 18:06, Kim, Steve wrote:
>
> Alex,
>
> Thanks for the reply.
>
> The issue that I have is that it prompts for another authentication on the ASA.
>
> I'm using the same config as you listed, which works fine with routers and switches.
>
> This is the config that I'm using:
>
> AuthorizeGroup netadmin permit service=shell cmd\* {priv-lvl=15}
> AuthorizeGroup netadmin permit .*
>
> Is there anything that I need to do on the ASA?
>
> Thanks,
>
> Steve.
>
> From: radiator-bounces at open.com.au [mailto:radiator-bounces at open.com.au] On Behalf Of Alexander Hartmaier
> Sent: Monday, December 12, 2011 11:36 AM
> To: radiator at open.com.au
> Subject: Re: [RADIATOR] TACACS+ and CISCO ASA
>
> Yes, it has been working fine here for years; what problems are you encountering?
>
> config:
> AuthorizeGroup Admins      permit service=shell cmd\* {priv-lvl=15}
>
> Best regards, Alex
>
> On 2011-12-12 17:34, Kim, Steve wrote:
>
> Has anyone tried Cisco ASA authentication with TACACS+?
>
> I have TACACS+ working with Cisco routers and switches, but not on the ASA.
>
> If anyone has this working, can you share what you did?
>
> Thanks,
>
> Steve.
>
>
> _______________________________________________
> radiator mailing list
> radiator at open.com.au
> http://www.open.com.au/mailman/listinfo/radiator
>
> T-Systems Austria GesmbH Rennweg 97-99, 1030 Wien
> Handelsgericht Wien, FN 79340b
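The thread is about the exec authorization an ASA performs against Radiator's AuthorizeGroup rules. As an added example (not code from the thread, from Radiator or from Cisco), the block below builds and parses, offline and per RFC 8907, the TACACS+ authorization REQUEST/REPLY pair that such an exchange consists of on the wire: the client asks for service=shell with an empty optional cmd* argument, and the server answers PASS_ADD carrying priv-lvl=15, which is the attribute a `permit service=shell cmd\* {priv-lvl=15}` rule like the one quoted above hands back. The shared key, user name, port name and addresses are constructed values, and the small server-side decision in exec_authorization_demo is a stand-in for the AuthorizeGroup match, not Radiator's logic.

```python
"""Minimal TACACS+ (RFC 8907) authorization REQUEST/REPLY, built and parsed offline.
Added example, not code from the thread, Radiator or Cisco; the key, user, port
and addresses are constructed values."""
import hashlib
import os
import struct

TAC_PLUS_VERSION = 0xC0           # major version 0xC, minor version 0
TAC_PLUS_AUTHOR = 0x02            # header "type": authorization
TAC_PLUS_UNENCRYPTED_FLAG = 0x01  # body in the clear; never set in production
HEADER_FMT = "!BBBBII"            # version, type, seq_no, flags, session_id, length
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL", 0x11: "ERROR", 0x21: "FOLLOW"}
AUTHEN_METH_TACACSPLUS, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x06, 0x01, 0x01

def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5: chained MD5 over session_id|key|version|seq_no, cut to body
    length. Keyed obfuscation only, no integrity: keep the link on a management net."""
    prefix = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(prefix + prev).digest()
        pad += prev
    return pad[:length]

def xor_body(body, session_id, key, version, seq_no):
    """Obfuscate or de-obfuscate a body; XOR with the pad is its own inverse."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))

def _packet(seq_no, session_id, key, body):
    header = struct.pack(HEADER_FMT, TAC_PLUS_VERSION, TAC_PLUS_AUTHOR, seq_no, 0,
                         session_id, len(body))
    return header + xor_body(body, session_id, key, TAC_PLUS_VERSION, seq_no)

def build_author_request(session_id, key, user, port, rem_addr, args, seq_no=1):
    """Client -> server REQUEST (clients send odd seq_no)."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    args_b = [a.encode() for a in args]
    body = struct.pack("!8B", AUTHEN_METH_TACACSPLUS, 1, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN,
                       len(user_b), len(port_b), len(rem_b), len(args_b))
    body += bytes(len(a) for a in args_b) + user_b + port_b + rem_b + b"".join(args_b)
    return _packet(seq_no, session_id, key, body)

def build_author_reply(session_id, key, status, args, server_msg="", seq_no=2):
    """Server -> client REPLY (servers send even seq_no); data field left empty."""
    args_b, msg_b = [a.encode() for a in args], server_msg.encode()
    body = struct.pack("!BBHH", status, len(args_b), len(msg_b), 0)
    body += bytes(len(a) for a in args_b) + msg_b + b"".join(args_b)
    return _packet(seq_no, session_id, key, body)

def split_arg(arg):
    """'service=shell' -> ('service','shell',True); 'cmd*' -> ('cmd','',False)."""
    for i, ch in enumerate(arg):
        if ch in "=*":                # first '=' (mandatory) or '*' (optional) separates
            return arg[:i], arg[i + 1:], ch == "="
    raise ValueError("argument without separator: %r" % arg)

def parse_author_packet(packet, key):
    """Decode a REQUEST or REPLY; a wrong key only shows up as lengths not adding up."""
    version, ptype, seq_no, flags, session_id, length = struct.unpack(HEADER_FMT, packet[:12])
    body = packet[12:12 + length]
    if ptype != TAC_PLUS_AUTHOR or len(body) != length:
        raise ValueError("not a complete authorization packet")
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = xor_body(body, session_id, key, version, seq_no)
    pos = 0

    def take(n):                      # bounds-checked cursor over the body
        nonlocal pos
        chunk = body[pos:pos + n]
        if len(chunk) != n:
            raise ValueError("body too short: wrong key or malformed packet")
        pos += n
        return chunk

    out = {"session_id": session_id, "seq_no": seq_no}
    if seq_no % 2:                    # odd: REQUEST
        _, priv, _, _, ulen, plen, rlen, argc = struct.unpack("!8B", take(8))
        arg_lens = take(argc)
        out.update(kind="REQUEST", priv_lvl=priv, user=take(ulen).decode("latin-1"),
                   port=take(plen).decode("latin-1"), rem_addr=take(rlen).decode("latin-1"))
    else:                             # even: REPLY
        status, argc, mlen, dlen = struct.unpack("!BBHH", take(6))
        arg_lens = take(argc)
        out.update(kind="REPLY", status=AUTHOR_STATUS.get(status, hex(status)),
                   server_msg=take(mlen).decode("latin-1"), data=take(dlen))
    out["args"] = [split_arg(take(n).decode("latin-1")) for n in arg_lens]
    if pos != len(body):
        raise ValueError("trailing bytes: wrong key or malformed packet")
    return out

def exec_authorization_demo(key=b"constructed-shared-secret", session_id=None):
    """Both sides of an exec authorization: the NAS asks for service=shell with an
    empty cmd*, the stand-in server grants priv-lvl=15 (what a 'permit service=shell
    cmd\\* {priv-lvl=15}' rule yields) or fails the request."""
    if session_id is None:
        session_id = int.from_bytes(os.urandom(4), "big")
    req = build_author_request(session_id, key, "admin", "ssh", "192.0.2.10",
                               ["service=shell", "cmd*"])
    parsed_req = parse_author_packet(req, key)
    attrs = {name: value for name, value, _ in parsed_req["args"]}
    if attrs.get("service") == "shell" and attrs.get("cmd") == "":
        rep = build_author_reply(session_id, key, 0x01, ["priv-lvl=15"])
    else:
        rep = build_author_reply(session_id, key, 0x10, [], "not authorized")
    return parsed_req, parse_author_packet(rep, key)
```

Feed parse_author_packet a packet built with a different key and the de-obfuscated body is noise, so it fails on a length check rather than reporting a key mismatch; the protocol gives the client nothing better, which is why server-side tracing, as suggested above, is the place to look when an ASA and the TACACS+ server disagree.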