This article walks through enabling AAA (authentication, authorization and accounting) against a TACACS+ server on a Cisco ASA firewall.

Step 1 – Define the TACACS+ server on the Cisco ASA as below

aaa-server TAC protocol tacacs+ (TAC is the name of the TACACS+ server group)
aaa-server TAC (inside) host 1.1.1.1 (1.1.1.1 is the TACACS+ server IP, reachable via the inside interface)
key ************************* (use the same shared key that was configured for this ASA on the TACACS+ server)

Step 2 – Add the configuration below on the Cisco ASA

Authentication
aaa authentication enable console TAC LOCAL
aaa authentication ssh console TAC LOCAL
aaa authentication http console TAC LOCAL


The above commands send enable-password, SSH and HTTP (ASDM) logins to the TACACS+ credential database; if the TACACS+ server is unreachable, the ASA falls back to the LOCAL user database so administrators are not locked out.

Accounting
aaa accounting enable console TAC
aaa accounting ssh console TAC
aaa accounting command TAC (this logs every command typed by a user to the TACACS+ server)

The first two commands log enable and SSH sessions, and the last one logs every command a user types, giving the TACACS+ server a full audit trail.

Authorization
aaa authorization exec authentication-server auto-enable
aaa authorization command TAC LOCAL

The above commands only allow a user to run commands that the TACACS+ server authorizes for that user (with LOCAL as fallback). On the TACACS+ server you can define users who are limited to show commands, or to a specific set of configuration commands.

Step 3 – Testing the AAA configuration

ASA# test aaa-server authentication TAC host 1.1.1.1 username test password test@123
(You should see an "Authentication successful" message if TACACS+ authentication is working; if not, troubleshoot reachability, the shared key and the server-side device entry before enabling the console commands above.)
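A small audit script, added here as an example and not part of the original post, that checks a saved ASA running-config for the AAA lines from Steps 1 and 2 and reports gaps such as a missing LOCAL fallback (which would lock administrators out during a TACACS+ outage) or missing command accounting. The config text, the server group name TAC and the helper name audit_asa_aaa are constructed assumptions for this example.

```python
import re

# Constructed sample: the post's AAA lines, with one deliberate gap (no LOCAL
# fallback on the http console line) so the audit has something to report.
SAMPLE_CONFIG = """\
aaa-server TAC protocol tacacs+
aaa-server TAC (inside) host 1.1.1.1
 key PLACEHOLDER-SHARED-KEY
aaa authentication enable console TAC LOCAL
aaa authentication ssh console TAC LOCAL
aaa authentication http console TAC
aaa accounting enable console TAC
aaa accounting ssh console TAC
aaa accounting command TAC
aaa authorization exec authentication-server auto-enable
aaa authorization command TAC LOCAL
"""

def audit_asa_aaa(config, group):
    """Return a list of findings (strings) for the AAA setup of server group `group`.
    Hypothetical helper written for this post; it only inspects the lines the
    post configures and knows nothing about other ASA features."""
    lines = [l.strip() for l in config.splitlines()]
    findings = []
    if f"aaa-server {group} protocol tacacs+" not in lines:
        findings.append(f"server group {group} not defined as tacacs+")
    if not any(re.match(rf"aaa-server {group} \(\S+\) host \S+", l) for l in lines):
        findings.append(f"no host defined for server group {group}")
    # Authentication: each console type should use the group AND fall back to LOCAL.
    for svc in ("enable", "ssh", "http"):
        if f"aaa authentication {svc} console {group} LOCAL" not in lines:
            if f"aaa authentication {svc} console {group}" in lines:
                findings.append(f"{svc} console authentication has no LOCAL fallback")
            else:
                findings.append(f"{svc} console authentication not sent to {group}")
    # Accounting: session accounting plus per-command accounting for the audit trail.
    for svc in ("enable", "ssh"):
        if f"aaa accounting {svc} console {group}" not in lines:
            findings.append(f"no {svc} session accounting to {group}")
    if f"aaa accounting command {group}" not in lines:
        findings.append(f"no command accounting to {group}")
    # Authorization: command authorization via the group with LOCAL fallback.
    if f"aaa authorization command {group} LOCAL" not in lines:
        findings.append("command authorization missing or lacks LOCAL fallback")
    if "aaa authorization exec authentication-server auto-enable" not in lines:
        findings.append("exec authorization with auto-enable not configured")
    return findings

if __name__ == "__main__":
    for finding in audit_asa_aaa(SAMPLE_CONFIG, "TAC"):
        print("FINDING:", finding)
```

Feed it the output of `show running-config aaa` and `show running-config aaa-server` from the ASA to check a live box.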

I hope this post helps you configure AAA on your Cisco ASA successfully.

How to configure AAA configuration on Cisco ASA