
Direct AAA authentication enables lvl15 for ASDM

Last Modified: 2013-11-16
Hi All,
I hope someone can help me with the issue/bug I am facing with my ASA.
In our company we use a Cisco ASA5510 for separation of process systems.
The box is manageable with ssh or ASDM. For administrators, authentication with TACACS is used, with one local account for when the tacacs server is unreachable.
For authenticated user access through the box, an MS IAS radius server that provides the d'ACL is used.
I am trying to run authentication directly with the appliance as described here:

The process should be as follows:
1) User authenticates on page http://interface_ip[:port]/netaccess/connstatus.html
2) His credentials are sent to MS IAS
3) His access is rejected or granted (and the d'ACL is applied)

That works pretty nice.

The problem is that the user can also authenticate as an ASA administrator with lvl15, which is really not my intention.

The user is even able to get ASDM lvl15 without previously authenticating on http://interface_ip[:port]/netaccess/connstatus.html.

The radius and tacacs servers are different, the shared keys are different, and administrator access is allowed only with tacacs authentication (aaa authentication http console TACACS LOCAL).

If I enable only local authentication for ASDM, then it works correctly, but our security standard is tacacs.

Any idea?

Here is the key part (shortened) of the running config:

CANfw5081SECH001# sh run
: Saved
ASA Version 8.0(3)
hostname CANfw5081SECH001
domain-name xxxxxxxxxx
enable password xxxxxxxxxxxxxx encrypted
interface Ethernet0/0
 nameif process
 security-level 100
 ip address
interface Ethernet0/1
 nameif inside
 security-level 100
 ip address
passwd xxxxxxxxxxxx encrypted

boot system disk0:/asa803-k8.bin
boot system disk0:/asa708-k8.bin
ftp mode passive
clock timezone PST -8
clock summer-time PDT recurring
dns server-group DefaultDNS
 domain-name grouphc.net
same-security-traffic permit inter-interface
object-group network Internal
object-group network Process_Network_NAT

access-list inside_authentication extended deny icmp object-group Internal object-group Process_Network_NAT
access-list inside_authentication extended permit tcp object-group Internal host eq 1000
access-list inside_authentication extended permit ip object-group Internal object-group Process_Network_NAT

pager lines 24
logging enable
logging asdm-buffer-size 512
logging asdm informational
asdm image disk0:/asdm-603.bin
no asdm history enable
arp timeout 14400
static (process,inside) netmask
access-group process_access_in in interface process

access-group inside_access_in in interface inside per-user-override

route inside 1
timeout xlate 9:00:00
timeout conn 1:00:00 half-closed 0:10:00 udp 0:02:00 icmp 0:00:02
timeout sunrpc 0:10:00 h323 0:05:00 h225 1:00:00 mgcp 0:05:00 mgcp-pat 0:05:00
timeout sip 0:30:00 sip_media 0:02:00 sip-invite 0:03:00 sip-disconnect 0:02:00
timeout uauth 9:00:00 absolute uauth 1:00:00 inactivity
dynamic-access-policy-record DfltAccessPolicy

aaa-server TACACS protocol tacacs+
aaa-server TACACS host
 key aaaaaa
aaa-server NAMIASRADIUS_1 protocol radius
aaa-server NAMIASRADIUS_1 host
 key bbbbbbb

aaa authentication http console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL

aaa authentication match inside_authentication inside NAMIASRADIUS_1
aaa local authentication attempts max-fail 5
aaa authentication listener http inside port 1000

http server enable
http management
http inside

ssh inside
ssh timeout 5
ssh version 2
console timeout 0
management-access inside

ntp server xxxxxx source inside
username xxxxxx password xxxxxxx encrypted privilege 15
: end
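Added example, not from the question or from any answer on this page: a small audit script that pulls the AAA-related statements out of an ASA running config and reports where management-plane authentication (the http/ssh/enable console lines) and the cut-through proxy (the `aaa authentication match` rule and its http listener) overlap, either by sharing a server group or by sharing an interface. The embedded config is constructed from the lines quoted above with placeholder addresses, keys and username standing in for the redacted values; the finding codes are my own naming, not ASA terminology.

```python
import re

# Constructed sample: the AAA-relevant lines of the config quoted in the
# question, with placeholder hosts/keys/username in place of redacted values.
SAMPLE_CONFIG = """\
aaa-server TACACS protocol tacacs+
aaa-server TACACS host 192.0.2.10
 key aaaaaa
aaa-server NAMIASRADIUS_1 protocol radius
aaa-server NAMIASRADIUS_1 host 192.0.2.20
 key bbbbbbb
aaa authentication http console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication match inside_authentication inside NAMIASRADIUS_1
aaa authentication listener http inside port 1000
http server enable
http 192.0.2.0 255.255.255.0 management
http 192.0.2.0 255.255.255.0 inside
username admin password PLACEHOLDER encrypted privilege 15
"""

RE_SERVER = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
RE_CONSOLE = re.compile(r"^aaa authentication (\S+) console (.+)$")
RE_MATCH = re.compile(r"^aaa authentication match (\S+) (\S+) (\S+)$")
RE_LISTENER = re.compile(r"^aaa authentication listener http (\S+) port (\d+)")
# "http <ip> <mask> <interface>" grants management access; the IP anchor keeps
# "http server enable" and "http redirect ..." from matching.
RE_HTTP = re.compile(r"^http (\d+\.\d+\.\d+\.\d+) (\S+) (\S+)$")
RE_USER = re.compile(r"^username (\S+) .*privilege (\d+)$")


def parse_aaa(config: str) -> dict:
    """Extract server groups, console auth, cut-through rules, listeners,
    http-management interfaces and privilege-15 local users from a config."""
    parsed = {
        "server_groups": {},       # group name -> protocol
        "console_auth": {},        # service (http/ssh/enable) -> ordered groups
        "cut_through": [],         # aaa authentication match entries
        "listeners": [],           # (interface, port) of the web listener
        "http_interfaces": set(),  # interfaces with http management access
        "priv15_users": [],
    }
    for raw in config.splitlines():
        line = raw.rstrip()
        if m := RE_SERVER.match(line):
            parsed["server_groups"][m.group(1)] = m.group(2)
        elif m := RE_CONSOLE.match(line):
            parsed["console_auth"][m.group(1)] = m.group(2).split()
        elif m := RE_MATCH.match(line):
            parsed["cut_through"].append(
                {"acl": m.group(1), "interface": m.group(2), "group": m.group(3)})
        elif m := RE_LISTENER.match(line):
            parsed["listeners"].append((m.group(1), int(m.group(2))))
        elif m := RE_HTTP.match(line):
            parsed["http_interfaces"].add(m.group(3))
        elif m := RE_USER.match(line):
            if int(m.group(2)) == 15:
                parsed["priv15_users"].append(m.group(1))
    return parsed


def audit(parsed: dict) -> list:
    """Report overlaps between management authentication and the cut-through proxy."""
    findings = []
    proxy_groups = {e["group"] for e in parsed["cut_through"]}
    uses_local = False
    for service, groups in parsed["console_auth"].items():
        shared = proxy_groups.intersection(groups)
        if shared:  # same AAA server answers for admins and for proxied users
            findings.append({"code": "SHARED_GROUP",
                             "detail": f"{service} console auth shares {sorted(shared)} with the cut-through proxy"})
        uses_local = uses_local or "LOCAL" in groups
    if uses_local and parsed["priv15_users"]:
        findings.append({"code": "LOCAL_PRIV15",
                         "detail": f"LOCAL fallback is enabled with privilege-15 users {parsed['priv15_users']}"})
    for iface, port in parsed["listeners"]:
        if iface in parsed["http_interfaces"]:  # ASDM/HTTP management and the proxy login page on one interface
            findings.append({"code": "SHARED_INTERFACE",
                             "detail": f"interface {iface} carries both http management access and the listener on port {port}"})
    return findings


if __name__ == "__main__":
    for f in audit(parse_aaa(SAMPLE_CONFIG)):
        print(f"{f['code']}: {f['detail']}")
```

Run against the quoted config it reports that the inside interface carries both HTTP management access and the listener on port 1000, and that LOCAL fallback exists alongside a privilege-15 user; it does not report a shared server group, consistent with the question's statement that the radius and tacacs servers are separate. The script only surfaces the overlaps worth reviewing; it does not determine which of them causes the behaviour described.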