I need to restrict access to my Cisco ASA firewall console port. Currently there is no need to specify a password when accessing it (one is required only when changing the privilege level to 15). I would like to configure it so that when someone tries to access the console port, he will need to authenticate via TACACS (and if the TACACS server cannot be reached, specify the local enable password).
On my routers I have it configured as follows:
aaa authentication login default group tacacs+ local
aaa authentication login console_access enable
aaa authentication enable default group tacacs+ enable

tacacs-server host 192.168.30.254
tacacs-server key 7

line con 0
 exec-timeout 15 0
 logging synchronous
 login authentication console_access
On my ASA I have tried this:

aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (management) host 192.168.30.254
 key
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
Unfortunately, I am not being prompted for a password when accessing the firewall via the console port (it works fine for SSH sessions). Is it because I am missing the line below?
aaa authentication serial console TACACS+ LOCAL
Also, I do not understand the purpose of the "console" keyword in the lines containing telnet, ssh and enable. Could you please clarify this for me?