
Direct AAA authentication enables lvl15 for ASDM

Hi All,
I hope someone can help me with my issue/bug I am facing with my ASA.
In our company we use Cisco ASA5510 for separation of process systems.
The box is manageable with SSH or ASDM. For administrators, authentication is done with TACACS, and with one local account when the TACACS server is unreachable.
For authenticated user access through the box, an MS IAS RADIUS server is used that provides the d'ACL.
I am trying to run authentication directly with the appliance as described here:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/fwaaa.html#wp1063502

The process should be as following:
1) User authenticates on page http://interface_ip[:port]/netaccess/connstatus.html
2) His credentials are sent to MS IAS
3) His access is rejected or granted (and used d'ACL)

That works pretty nice.

The problem is that user can also authenticate as ASA administrator with lvl15 which is really not my intention.

The user is even able to get ASDM lvl15 without previous authentication on http://interface_ip[:port]/netaccess/connstatus.html.

RADIUS and TACACS servers are different, shared keys are different, and administrator access is allowed only with TACACS authentication (aaa authentication http console TACACS LOCAL).

If I enable only local authentication for ASDM, then it works correctly, but our security standard is TACACS.

Any idea?

Here are the key parts (shortened) of the running config:

CANfw5081SECH001# sh run
: Saved
:
ASA Version 8.0(3)
!
hostname CANfw5081SECH001
domain-name xxxxxxxxxx
enable password xxxxxxxxxxxxxx encrypted
names
dns-guard
!
interface Ethernet0/0
 nameif process
 security-level 100
 ip address 192.168.0.254 255.255.255.0
!
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address 10.160.20.5 255.255.255.0
!
passwd xxxxxxxxxxxx encrypted

boot system disk0:/asa803-k8.bin
boot system disk0:/asa708-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name grouphc.net
same-security-traffic permit inter-interface
object-group network Internal
 network-object 10.0.0.0 255.0.0.0
object-group network Process_Network_NAT
 network-object 10.220.20.0 255.255.255.0


access-list inside_authentication extended deny icmp object-group Internal object-group Process_Network_NAT
access-list inside_authentication extended permit tcp object-group Internal host 10.160.20.5 eq 1000
access-list inside_authentication extended permit ip object-group Internal object-group Process_Network_NAT


pager lines 24
logging enable
logging asdm-buffer-size 512
logging asdm informational
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
nat-control
static (process,inside) 10.220.20.0 192.168.0.0 netmask 255.255.255.0
access-group process_access_in in interface process

access-group inside_access_in in interface inside per-user-override

route inside 0.0.0.0 0.0.0.0 10.160.20.1 1
timeout xlate 9:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 9:00:00 absolute uauth 1:00:00 inactivity
dynamic-access-policy-record DfltAccessPolicy


aaa-server TACACS protocol tacacs+
aaa-server TACACS host 10.201.64.49
 key aaaaaa
aaa-server NAMIASRADIUS_1 protocol radius
aaa-server NAMIASRADIUS_1 host 10.201.99.242
 key bbbbbbb

aaa authentication http console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL

aaa authentication match inside_authentication inside NAMIASRADIUS_1
aaa local authentication attempts max-fail 5
aaa authentication listener http inside port 1000


http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.0.0.0 inside



ssh 10.0.0.0 255.0.0.0 inside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside

ntp server xxxxxx source inside
username xxxxxx password xxxxxxx encrypted privilege 15
!
: end
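As an added example (not part of this thread's posts), a small Python check that parses the AAA and http lines of a config like the one above and reports where the cut-through proxy listener and the ASDM/HTTP management server are both reachable on the same interface, and whether the server groups used for management are separate from the group used by the cut-through rule. The config excerpt embedded in it is a constructed copy of the relevant lines.

```python
import ipaddress
import re

# Constructed excerpt of the posted ASA config: only the aaa and http lines that matter here.
ASA_CONFIG = """\
aaa-server TACACS protocol tacacs+
aaa-server NAMIASRADIUS_1 protocol radius
aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication match inside_authentication inside NAMIASRADIUS_1
aaa authentication listener http inside port 1000
http server enable
http 192.168.1.0 255.255.255.0 management
http 10.0.0.0 255.0.0.0 inside
"""

def parse_asa_aaa(config):
    """Extract management AAA, cut-through-proxy and HTTP management-access settings."""
    info = {"console": {}, "match": [], "listener": [], "http": []}
    for line in config.splitlines():
        line = line.strip()
        m = re.match(r"aaa authentication (\S+) console (.+)", line)
        if m:  # e.g. 'http' -> ['TACACS', 'LOCAL']
            info["console"][m.group(1)] = m.group(2).split()
            continue
        m = re.match(r"aaa authentication match (\S+) (\S+) (\S+)", line)
        if m:  # cut-through rule: ACL, interface, server group
            info["match"].append({"acl": m.group(1), "iface": m.group(2), "group": m.group(3)})
            continue
        m = re.match(r"aaa authentication listener http (\S+) port (\d+)", line)
        if m:  # cut-through login page listener
            info["listener"].append({"iface": m.group(1), "port": int(m.group(2))})
            continue
        m = re.match(r"http (\d+\.\d+\.\d+\.\d+) (\d+\.\d+\.\d+\.\d+) (\S+)", line)
        if m:  # networks allowed to reach the ASDM/HTTP management server
            net = ipaddress.ip_network(f"{m.group(1)}/{m.group(2)}", strict=False)
            info["http"].append({"net": net, "iface": m.group(3)})
    return info

def shared_interfaces(info):
    """Interfaces on which both the cut-through listener and HTTP management are reachable."""
    listener_ifaces = {l["iface"] for l in info["listener"]}
    return sorted({h["iface"] for h in info["http"] if h["iface"] in listener_ifaces})

def management_groups_separate(info):
    """True if no server group used for 'http console' is also used by a cut-through match rule."""
    mgmt = set(info["console"].get("http", []))
    cut_through = {m["group"] for m in info["match"]}
    return not (mgmt & cut_through)
```

Run against the posted config it reports that `inside` carries both the port 1000 listener and the 10.0.0.0/8 management access, while the server groups themselves do not overlap.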