restricting access to Cisco ASA console

Hi All,

I need to restrict access to my Cisco ASA firewall console port. Currently there is no need to specify a password when accessing it (a password is required only when changing to privilege level 15). I would like to configure it so that when someone tries to access the console port, they will need to authenticate via TACACS+ (and if the TACACS+ server cannot be reached, specify the local enable password).

On my routers I have it configured as follows:

aaa authentication login default group tacacs+ local
aaa authentication login console_access enable
aaa authentication enable default group tacacs+ enable

tacacs-server host 192.168.30.254
tacacs-server key 7

line con 0
 exec-timeout 15 0
 logging synchronous
 login authentication console_access

On my ASA I have tried this:

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (management) host 192.168.30.254 key
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL

Unfortunately, I am not being prompted for a password when accessing the firewall via the console port (it works fine for SSH sessions). Is it because I am missing the line below?

aaa authentication serial console TACACS+ LOCAL

Also, I do not understand the purpose of the "console" keyword in the lines containing telnet, ssh and enable. Could you please clarify this for me?

Thank you.

Regards, AP

aprzestroga

try this:

aaa new-model
aaa authentication login default group tacacs+ local
aaa authentication enable default group tacacs+ local
aaa authorization console
aaa authorization exec default group radius if-authenticated
aaa accounting suppress null-username

tacacs-server host 192.168.30.254
tacacs-server key 7

line con 0
 exec-timeout 20 0

(no extra commands here, as you just set tacacs as the default)

Flamer

die.spam

Flamer,

I think you misunderstood me. I do not have problems setting this up on Cisco switches and routers, but on the Cisco ASA. I do not think there is a "line console 0" equivalent on the Cisco ASA. Am I right?

Thanks, AP

Adam Przestroga

snipped-for-privacy@op.pl said the following on 05/16/2009 12:40 AM:

As far as I remember, the only way to limit console access is :

1- Limit the logging level to critical
2- Set a secret password

The console keyword describes which device the authentication is valid for (it could be network for VPN group authentication, for example).

aaa is valid on an ASA


Hope this helps

Daniel

Daniel-G

Daniel,

Thank you for taking the time to respond to my post. I am not sure I understand why logging needs to be set to critical (also, what logging are you referring to: console, monitor, syslog or buffer?). I have already set the secret password.

Thanks, AP

Adam Przestroga


I was talking about the logging level to the console. Actually, you don't really need to tune it, but the console displays all messages at the level it's configured for without anyone having to log in. Messages displayed can reveal your internal structure: %PIX% .... deny tcp 1.1.1.1(7130) to 3.3.3.3(8080). It's just a practice I find good, that's all.

Daniel

Daniel-G
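Pulling the thread together as an added example (not posted by anyone in the thread): the ASA admin-access AAA configuration with the serial console line the original post asked about, a LOCAL fallback user, accounting, and the console logging level Daniel mentions. The server address is the one from the original post; the shared secret and passwords are placeholders.

```cisco
! Added example, not from any poster in the thread.
! Server group; 192.168.30.254 is the address used in the thread, the key is a placeholder.
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (management) host 192.168.30.254
 key REPLACE_WITH_SHARED_SECRET
!
! "console" in these commands means administrative access to the ASA itself; the access
! method is the keyword before it (serial = the physical console port, ssh, telnet, http =
! ASDM, enable = privilege escalation). It contrasts with "aaa authentication match ...",
! which applies to traffic passing through the firewall (cut-through proxy), not to logins.
! Without the "serial console" line the console port is never sent to AAA, which is why
! SSH prompted for credentials but the console port did not.
aaa authentication serial console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authentication http console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
!
! LOCAL fallback uses the local user database, so a local user must exist or an
! unreachable TACACS+ server locks administrators out of the console.
username admin password REPLACE_WITH_LOCAL_PASSWORD privilege 15
enable password REPLACE_WITH_ENABLE_PASSWORD
!
! Send console, SSH and enable session records to the TACACS+ server so console
! logins are audited, not just permitted.
aaa accounting serial console TACACS+
aaa accounting ssh console TACACS+
aaa accounting enable console TACACS+
!
! Keep routine deny messages (which expose internal addressing) off the unattended
! console port; they still go to syslog or the buffer if configured there.
logging console critical
```

Test the LOCAL fallback by temporarily blocking the TACACS+ server from the management interface and confirming the console still accepts the local user before relying on it.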
