分析ASA的AAA设备管理行为

下载选项

  • PDF     (233.7 KB)
    在各种设备上使用 Adobe Reader 查看
  • ePub     (88.4 KB)
    在 iPhone、iPad、Android、Sony Reader 或 Windows Phone 上使用各种应用查看
  • Mobi (Kindle)     (84.7 KB)
    在 Kindle 设备上查看或在多个设备上使用 Kindle 应用查看
已更新: 2020 年 7 月 14 日
文档 ID:215792

非歧视性语言

此产品的文档集力求使用非歧视性语言。在本文档集中,非歧视性语言是指不隐含针对年龄、残障、性别、种族身份、族群身份、性取向、社会经济地位和交叉性的歧视的语言。由于产品软件的用户界面中使用的硬编码语言、基于 RFP 文档使用的语言或引用的第三方产品使用的语言,文档中可能无法确保完全使用非歧视性语言。 深入了解思科如何使用包容性语言。

关于此翻译

思科采用人工翻译与机器翻译相结合的方式将此文档翻译成不同语言,希望全球的用户都能通过各自的语言得到支持性的内容。 请注意:即使是最好的机器翻译,其准确度也不及专业翻译人员的水平。 Cisco Systems, Inc. 对于翻译的准确性不承担任何责任,并建议您总是参考英文原始文档(已提供链接)。

    简介

    本文档介绍当ASA配置为使用AAA服务器进行身份验证和授权时的设备管理行为。本文档显示思科身份服务引擎(ISE)作为AAA服务器的使用,Active Directory作为外部身份库。TACACS+是使用中的AAA协议。


    作者:Dinesh Moudgil和Poonam Garg,Cisco HTTS工程师

    先决条件

    要求

    Cisco 建议您了解以下主题:

    • ASA的CLI和ASDM的基本知识
    • ASA和AAA服务器之间的连接
    • 思科ISE上的AAA配置,用于身份验证和授权

    使用的组件

    本文档中的信息基于以下软件版本:

    • 运行9.9(2)的ASAv
    • 思科身份服务引擎2.6

    本文档中的信息都是基于特定实验室环境中的设备编写的。本文档中使用的所有设备最初均采用原始(默认)配置。如果您的网络处于活动状态,请确保您了解所有命令的潜在影响。

    背景信息


    Cisco ASA支持使用本地用户数据库、RADIUS服务器或TACACS+服务器对管理会话进行身份验证。管理员可以通过以下方式连接到Cisco ASA:

    • Telnet
    • Secure Shell (SSH)
    • 串行控制台连接
    • 思科ASA设备管理器(ASDM)

    如果通过Telnet或SSH连接,用户可以在用户出错时重试三次身份验证。第三次之后,身份验证会话和与Cisco ASA的连接将关闭。

    在启动配置之前,必须确定要使用的用户数据库(本地或外部AAA服务器)。 如果使用外部AAA服务器(如本文档所配置),请按照以下各节所述配置AAA服务器组和主机。在访问思科ASA进行管理时,可以使用aaa authentication和aaa authorization命令分别要求身份验证和授权验证。

    网络图

    配置

    这是本文档中所有示例所使用的信息。

    a)ASA配置:

    aaa-server ISE protocol tacacs+
    aaa-server ISE (internet) host 10.197.164.22
    key *****


    b)AAA配置:

    AAA服务器上的身份验证是根据身份库序列执行的,该序列包括AD和本地数据库

    第 1 种情况:通过AAA服务器配置的ASA身份验证


    在ASA上:

    aaa authentication ssh console ISE LOCAL


    在AAA服务器上:

    授权结果:

    a)外壳配置文件

        默认权限:1
        最大权限:15

    b)命令集
        全部允许

    管理员行为:

    Connection to 10.197.164.28 closed.
    DMOUDGIL-M-N1D9:~ dmoudgil$
    DMOUDGIL-M-N1D9:~ dmoudgil$
    DMOUDGIL-M-N1D9:~ dmoudgil$ ssh ASA_priv1@10.197.164.28
    ASA_priv1@10.197.164.28's password:
    User ASA_priv1 logged in to ciscoasa
    Logins over the last 9 days: 11. Last login: 12:59:51 IST May 7 2020 from 10.65.81.163
    Failed logins since the last login: 0.
    Type help or '?' for a list of available commands.
    ciscoasa> enable
    Password: 
    ciscoasa#
    ciscoasa# show curpriv
    Username : enable_15
    Current privilege level : 15
    Current Mode/s : P_PRIV


    ASA日志:

    May 07 2020 12:57:26: %ASA-6-113008: AAA transaction status ACCEPT : user = ASA_priv1
    May 07 2020 12:57:26: %ASA-6-611101: User authentication succeeded: IP address: 10.65.81.163, Uname: ASA_priv1
    May 07 2020 12:57:26: %ASA-6-611101: User authentication succeeded: IP address: 10.65.81.163, Uname: ASA_priv1
    May 07 2020 12:57:26: %ASA-6-605005: Login permitted from 10.65.81.163/56048 to internet:10.197.164.28/ssh for user "ASA_priv1"
    May 07 2020 12:57:30: %ASA-7-111009: User 'enable_15' executed cmd: show logging
    May 07 2020 12:57:40: %ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15
    May 07 2020 12:57:40: %ASA-5-111008: User 'ASA_priv1' executed the 'enable' command.



    观察结果:

    1.通过AAA服务器执行SSH会话的身份验证
    2.授权在本地完成,而与授权结果中在AAA服务器上配置的权限无关
    3.通过AAA服务器对用户进行身份验证后,当用户输入关键字“enable”(默认情况下未设置密码)或输入使能密码(如果已配置)时,使用的相应用户名为enable_15

    May 07 2020 12:57:40: %ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15


    4.除非您定义具有特定权限的启用密码,否则启用密码的默认权限为15。例如:

    enable password C!sco123 level 9


    5.如果您使用的是具有不同权限的enable,则ASA上出现的相应用户名是enable_x(其中x是权限)

    May 07 2020 13:20:49: %ASA-5-502103: User priv level changed: Uname: enable_8 From: 1 To: 8

    第 2 种情况:通过AAA服务器配置的ASA身份验证和执行授权

    在ASA上:

    aaa authentication ssh console ISE LOCAL
    aaa authorization exec authentication-server


    在AAA服务器上:

    授权结果:

    a)外壳配置文件

        默认权限:1
        最大权限:15

    b)命令集
        全部允许



    管理员行为:

    DMOUDGIL-M-N1D9:~ dmoudgil$ ssh ASA_priv1@10.197.164.28
    ASA_priv1@10.197.164.28's password:
    User ASA_priv1 logged in to ciscoasa
    Logins over the last 1 days: 8. Last login: 14:12:52 IST May 7 2020 from 10.65.81.163
    Failed logins since the last login: 0. 
    Type help or '?' for a list of available commands.
    ciscoasa> show curpriv
    Username : ASA_priv1
    Current privilege level : 1
    Current Mode/s : P_UNPR
    ciscoasa> enable
    Password:
    ciscoasa# show curpriv
    Username : enable_15
    Current privilege level : 15
    Current Mode/s : P_PRIV

    ASA日志:

    May 07 2020 13:59:54: %ASA-6-113004: AAA user authentication Successful : server = 10.197.164.22 : user = ASA_priv1
    May 07 2020 13:59:54: %ASA-6-302013: Built outbound TCP connection 75 for internet:10.197.164.22/49 (10.197.164.22/49) to identity:10.197.164.28/49068 (10.197.164.28/49068)
    May 07 2020 13:59:54: %ASA-6-113004: AAA user authorization Successful : server = 10.197.164.22 : user = ASA_priv1
    May 07 2020 13:59:54: %ASA-6-113008: AAA transaction status ACCEPT : user = ASA_priv1
    May 07 2020 13:59:54: %ASA-6-611101: User authentication succeeded: IP address: 10.65.81.163, Uname: ASA_priv1
    May 07 2020 13:59:54: %ASA-6-611101: User authentication succeeded: IP address: 10.65.81.163, Uname: ASA_priv1
    May 07 2020 13:59:54: %ASA-6-605005: Login permitted from 10.65.81.163/57671 to internet:10.197.164.28/ssh for user "ASA_priv1"
    May 07 2020 13:59:59: %ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15
    May 07 2020 13:59:59: %ASA-5-111008: User 'ASA_priv1' executed the 'enable' command.


    观察结果:

    1.通过AAA服务器执行身份验证和执行授权
    2.执行授权管理为身份验证配置的控制台连接(ssh、telnet和enable)的所有请求的用户权限

    注意:这不包括到ASA的串行连接

    3. AAA服务器的配置方式是提供默认权限1和授权后的最大权限15
    4.当用户通过AAA服务器上配置的TACACS+凭证登录ASA时,AAA服务器最初会为用户授予权限1
    5.一旦用户输入关键字“enable”,再次按Enter键(如果未配置启用密码)或输入启用密码(如果已配置),他们将进入特权更改为15的特权模式

    实例3:其它WRR加权修改通过AAA服务器配置的ASA身份验证、执行授权和命令授权

    在ASA上:

    aaa authentication ssh console ISE LOCAL
    aaa authorization exec authentication-server
    aaa authorization command ISE LOCAL


    在AAA服务器上:

    授权结果:

    a)外壳配置文件

        默认权限:1
        最大权限:15

    b)命令集
        全部允许

    管理员行为:

    DMOUDGIL-M-N1D9:~ dmoudgil$ ssh ASA_priv1@10.197.164.28
    ASA_priv1@10.197.164.28's password:
    User ASA_priv1 logged in to ciscoasa
    Logins over the last 1 days: 7. Last login: 17:12:23 IST May 9 2020 from 10.65.81.163
    Failed logins since the last login: 0. Last failed login: 17:12:21 IST May 9 2020 from 10.65.81.163
    Type help or '?' for a list of available commands.
    ciscoasa> show curpriv
    Username : ASA_priv1
    Current privilege level : 1
    Current Mode/s : P_UNPR
    ciscoasa> enable
    Password:
    ciscoasa# show curpriv
    Command authorization failed


    ASA日志:

    May 09 2020 17:13:05: %ASA-6-113004: AAA user authentication Successful : server = 10.197.164.22 : user = ASA_priv1
    May 09 2020 17:13:05: %ASA-6-302013: Built outbound TCP connection 170 for internet:10.197.164.22/49 (10.197.164.22/49) to identity:10.197.164.28/21275 (10.197.164.28/21275)
    May 09 2020 17:13:05: %ASA-6-302014: Teardown TCP connection 169 for internet:10.197.164.22/49 to identity:10.197.164.28/30256 duration 0:00:00 bytes 67 TCP Reset-I from internet
    May 09 2020 17:13:05: %ASA-6-113004: AAA user authorization Successful : server = 10.197.164.22 : user = ASA_priv1
    May 09 2020 17:13:05: %ASA-6-113008: AAA transaction status ACCEPT : user = ASA_priv1
    May 09 2020 17:13:05: %ASA-6-611101: User authentication succeeded: IP address: 10.65.81.163, Uname: ASA_priv1
    May 09 2020 17:13:05: %ASA-6-611101: User authentication succeeded: IP address: 10.65.81.163, Uname: ASA_priv1
    May 09 2020 17:13:05: %ASA-6-605005: Login permitted from 10.65.81.163/49218 to internet:10.197.164.28/ssh for user "ASA_priv1"
    May 09 2020 17:13:05: %ASA-6-302014: Teardown TCP connection 170 for internet:10.197.164.22/49 to identity:10.197.164.28/21275 duration 0:00:00 bytes 61 TCP Reset-I from internet
    May 09 2020 17:13:05: %ASA-7-609002: Teardown local-host internet:10.197.164.22 duration 0:00:00
    May 09 2020 17:13:07: %ASA-7-609001: Built local-host internet:10.197.164.22
    May 09 2020 17:13:07: %ASA-6-302013: Built outbound TCP connection 171 for internet:10.197.164.22/49 (10.197.164.22/49) to identity:10.197.164.28/53081 (10.197.164.28/53081)
    May 09 2020 17:13:07: %ASA-7-111009: User 'ASA_priv1' executed cmd: show curpriv
    May 09 2020 17:13:08: %ASA-6-302014: Teardown TCP connection 171 for internet:10.197.164.22/49 to identity:10.197.164.28/53081 duration 0:00:00 bytes 82 TCP Reset-I from internet
    May 09 2020 17:13:08: %ASA-7-609002: Teardown local-host internet:10.197.164.22 duration 0:00:00
    May 09 2020 17:13:10: %ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15
    May 09 2020 17:13:10: %ASA-5-111008: User 'ASA_priv1' executed the 'enable' command.
    May 09 2020 17:13:12: %ASA-7-609001: Built local-host internet:10.197.164.22
    May 09 2020 17:13:12: %ASA-6-302013: Built outbound TCP connection 172 for internet:10.197.164.22/49 (10.197.164.22/49) to identity:10.197.164.28/46803 (10.197.164.28/46803)
    May 09 2020 17:13:12: %ASA-6-113016: AAA credentials rejected : reason = Unspecified : server = 10.197.164.22 : user = ***** : user IP = 10.65.81.163
    May 09 2020 17:13:12: %ASA-6-302014: Teardown TCP connection 172 for internet:10.197.164.22/49 to identity:10.197.164.28/46803 duration 0:00:00 bytes 82 TCP Reset-I from internet
    May 09 2020 17:13:12: %ASA-7-609002: Teardown local-host internet:10.197.164.22 duration 0:00:00
    May 09 2020 17:13:20: %ASA-7-609001: Built local-host internet:10.197.164.22
    May 09 2020 17:13:20: %ASA-6-302013: Built outbound TCP connection 173 for internet:10.197.164.22/49 (10.197.164.22/49) to identity:10.197.164.28/6934 (10.197.164.28/6934)
    May 09 2020 17:13:20: %ASA-6-113016: AAA credentials rejected : reason = Unspecified : server = 10.197.164.22 : user = ***** : user IP = 10.65.81.163

    观察结果:

    1.通过AAA服务器执行身份验证和执行授权
    2.执行授权管理为身份验证配置的控制台连接(ssh、telnet和enable)的所有请求的用户权限
    3.命令授权由AAA服务器使用命令“aaa authorization command ISE LOCAL”执行

    注意:这不包括到ASA的串行连接

    4.当用户通过AAA服务器上配置的TACACS+凭证登录ASA时,AAA服务器最初会为用户授予权限1
    5.一旦用户输入关键字“enable”,再次按Enter键(如果未配置启用密码)或输入启用密码(如果已配置),他们将进入特权更改为15的特权模式
    6.此配置下命令授权失败,因为AAA服务器显示由用户名“enable_15”发出的命令,而不是真实登录的经过身份验证的用户。
    7.在现有会话上执行的任何命令也会因命令授权失败而失败
    8.要解决此问题,请在AAA服务器上或AD和ASA(用于本地回退)上创建名为“enable_15”的用户,并使用随机密码



    在AAA服务器或AD上配置用户后,会观察到以下行为:

    我。对于初始身份验证,AAA服务器验证登录用户的实际用户名
    ii。输入使能密码后,会在ASA上本地验证该密码,因为使能身份验证不指向此配置中的AAA服务器
    三、启用密码后,所有命令都使用用户名“enable_15”执行,而AAA允许这些命令,因为AAA服务器或AD上存在该用户名

    配置用户“enable_15”后,允许管理员在ASA上从特权模式转换到配置模式。


    管理员行为:

    DMOUDGIL-M-N1D9:~ dmoudgil$ ssh ASA_priv1@10.197.164.28
    ASA_priv1@10.197.164.28's password:
    User ASA_priv1 logged in to ciscoasa
    Logins over the last 1 days: 2. Last login: 16:50:42 IST May 9 2020 from 10.65.81.163
    Failed logins since the last login: 5. Last failed login: 16:53:55 IST May 9 2020 from 10.65.81.163
    Type help or '?' for a list of available commands.
    ciscoasa> show curpriv
    Username : ASA_priv1
    Current privilege level : 1
    Current Mode/s : P_UNPR
    ciscoasa> enable
    Password:
    ciscoasa# show curpriv
    Username : enable_15
    Current privilege level : 15
    Current Mode/s : P_PRIV
    ciscoasa# configure terminal

    ASA日志:

    May 09 2020 17:05:29: %ASA-6-113004: AAA user authentication Successful : server = 10.197.164.22 : user = ASA_priv1
    May 09 2020 17:05:29: %ASA-6-302013: Built outbound TCP connection 113 for internet:10.197.164.22/49 (10.197.164.22/49) to identity:10.197.164.28/31109 (10.197.164.28/31109)
    May 09 2020 17:05:29: %ASA-6-113004: AAA user authorization Successful : server = 10.197.164.22 : user = ASA_priv1
    May 09 2020 17:05:29: %ASA-6-113008: AAA transaction status ACCEPT : user = ASA_priv1
    May 09 2020 17:05:29: %ASA-6-611101: User authentication succeeded: IP address: 10.65.81.163, Uname: ASA_priv1
    May 09 2020 17:05:29: %ASA-6-611101: User authentication succeeded: IP address: 10.65.81.163, Uname: ASA_priv1
    May 09 2020 17:05:29: %ASA-6-302014: Teardown TCP connection 112 for internet:10.197.164.22/49 to identity:10.197.164.28/7703 duration 0:00:00 bytes 67 TCP Reset-I from internet
    May 09 2020 17:05:29: %ASA-6-605005: Login permitted from 10.65.81.163/65524 to internet:10.197.164.28/ssh for user "ASA_priv1"
    May 09 2020 17:05:29: %ASA-6-302014: Teardown TCP connection 113 for internet:10.197.164.22/49 to identity:10.197.164.28/31109 duration 0:00:00 bytes 61 TCP Reset-I from internet
    May 09 2020 17:05:29: %ASA-7-609002: Teardown local-host internet:10.197.164.22 duration 0:00:00
    May 09 2020 17:05:32: %ASA-7-609001: Built local-host internet:10.197.164.22
    May 09 2020 17:05:32: %ASA-6-302013: Built outbound TCP connection 114 for internet:10.197.164.22/49 (10.197.164.22/49) to identity:10.197.164.28/64339 (10.197.164.28/64339)
    May 09 2020 17:05:32: %ASA-7-111009: User 'ASA_priv1' executed cmd: show curpriv
    May 09 2020 17:05:32: %ASA-6-302014: Teardown TCP connection 114 for internet:10.197.164.22/49 to identity:10.197.164.28/64339 duration 0:00:00 bytes 82 TCP Reset-I from internet
    May 09 2020 17:05:32: %ASA-7-609002: Teardown local-host internet:10.197.164.22 duration 0:00:00
    May 09 2020 17:05:35: %ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15
    May 09 2020 17:05:35: %ASA-5-111008: User 'ASA_priv1' executed the 'enable' command.
    May 09 2020 17:05:37: %ASA-7-609001: Built local-host internet:10.197.164.22
    May 09 2020 17:05:37: %ASA-6-302013: Built outbound TCP connection 115 for internet:10.197.164.22/49 (10.197.164.22/49) to identity:10.197.164.28/4236 (10.197.164.28/4236)
    May 09 2020 17:05:37: %ASA-7-111009: User 'enable_15' executed cmd: show curpriv
    May 09 2020 17:05:37: %ASA-6-302014: Teardown TCP connection 115 for internet:10.197.164.22/49 to identity:10.197.164.28/4236 duration 0:00:00 bytes 82 TCP Reset-I from internet
    May 09 2020 17:05:37: %ASA-7-609002: Teardown local-host internet:10.197.164.22 duration 0:00:00
    May 09 2020 17:05:44: %ASA-7-609001: Built local-host internet:10.197.164.22
    May 09 2020 17:05:44: %ASA-6-302013: Built outbound TCP connection 116 for internet:10.197.164.22/49 (10.197.164.22/49) to identity:10.197.164.28/27478 (10.197.164.28/27478)
    May 09 2020 17:05:44: %ASA-5-111007: Begin configuration: 10.65.81.163 reading from terminal
    May 09 2020 17:05:44: %ASA-5-111008: User 'enable_15' executed the 'configure terminal' command.
    May 09 2020 17:05:44: %ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.65.81.163, executed 'configure terminal'

    注意:如果在ASA上配置了通过TACACS的命令授权,则当AAA服务器无法访问时,必须将“local”作为回退。
    这是因为命令授权适用于所有ASA会话(串行控制台、ssh、telnet),即使没有为串行控制台配置身份验证也是如此。在AAA服务器无法访问且用户“enable_15”不存在于本地数据库的情况下,管理员会收到以下错误:

    回退授权。用户名“enable_15”不在LOCAL数据库中
    命令授权失败

    ASA日志:


    %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication request for user cisco : Auth-server group ISE unreachable
    %ASA-6-113012: AAA user authentication Successful : local database : user = cisco
    %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authentication request for user cisco : Auth-server group ISE unreachable
    %ASA-6-113004: AAA user authorization Successful : server = LOCAL : user = cisco
    %ASA-6-113008: AAA transaction status ACCEPT : user = cisco
    %ASA-6-611101: User authentication succeeded: IP address: 10.65.81.163, Uname: cisco
    %ASA-6-611101: User authentication succeeded: IP address: 10.65.81.163, Uname: cisco
    %ASA-6-605005: Login permitted from 10.65.81.163/65416 to internet:10.197.164.28/ssh for user "cisco"
    %ASA-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15
    %ASA-5-111008: User 'cisco' executed the 'enable' command.
    %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authorization request for user enable_15 : Auth-server group ISE unreachable
    %ASA-5-111007: Begin configuration: 10.65.81.163 reading from terminal
    %ASA-5-111008: User 'enable_15' executed the 'configure terminal' command.
    %ASA-5-111010: User 'enable_15', running 'CLI' from IP 10.65.81.163, executed 'configure terminal'
    %ASA-4-409023: Attempting AAA Fallback method LOCAL for Authorization request for user enable_15 : Auth-server group ISE unreachable

    注意:使用上述配置时,命令授权将起作用,但命令记帐仍将显示用户名“enable_15”,而不是登录用户的实际用户名。管理员很难确定在ASA上执行哪个特定命令的用户。

    要解决与“enable_15”用户有关的此记帐问题,请执行以下操作:

    1.在ASA上执行授权命令中使用关键字“auto-enable”
    2.在分配给已验证用户的TACACS外壳配置文件中,将默认权限和最大权限设置为15

    实例4:修改队列极限缓冲区分配ASA身份验证、使用“auto-enable”的执行授权和通过AAA服务器配置的命令授权

    在ASA上:

    aaa authentication ssh console ISE LOCAL
    aaa authorization exec authentication-server auto-enable
    aaa authorization command ISE LOCAL


    在AAA服务器上:

    授权结果:

    a)外壳配置文件

        默认权限:15
        最大权限:15

    b)命令集
        全部允许

    管理员行为:

    DMOUDGIL-M-N1D9:~ dmoudgil$ ssh ASA_priv1@10.197.164.28
    ASA_priv1@10.197.164.28's password:
    User ASA_priv1 logged in to ciscoasa
    Logins over the last 1 days: 8. Last login: 17:13:05 IST May 9 2020 from 10.65.81.163
    Failed logins since the last login: 0. Last failed login: 17:12:21 IST May 9 2020 from 10.65.81.163
    Type help or '?' for a list of available commands.
    ciscoasa# show curpriv
    Username : ASA_priv1
    Current privilege level : 15
    Current Mode/s : P_PRIV
    ciscoasa# configure terminal
    ciscoasa(config)#


    ASA日志:

    May 09 2020 17:40:04: %ASA-6-113004: AAA user authentication Successful : server = 10.197.164.22 : user = ASA_priv1
    May 09 2020 17:40:04: %ASA-6-302013: Built outbound TCP connection 298 for internet:10.197.164.22/49 (10.197.164.22/49) to identity:10.197.164.28/57617 (10.197.164.28/57617)
    May 09 2020 17:40:04: %ASA-6-113004: AAA user authorization Successful : server = 10.197.164.22 : user = ASA_priv1
    May 09 2020 17:40:04: %ASA-6-113008: AAA transaction status ACCEPT : user = ASA_priv1
    May 09 2020 17:40:04: %ASA-6-611101: User authentication succeeded: IP address: 10.65.81.163, Uname: ASA_priv1
    May 09 2020 17:40:04: %ASA-6-611101: User authentication succeeded: IP address: 10.65.81.163, Uname: ASA_priv1
    May 09 2020 17:40:04: %ASA-6-605005: Login permitted from 10.65.81.163/49598 to internet:10.197.164.28/ssh for user "ASA_priv1"
    May 09 2020 17:40:04: %ASA-6-302014: Teardown TCP connection 297 for internet:10.197.164.22/49 to identity:10.197.164.28/6083 duration 0:00:00 bytes 67 TCP Reset-I from internet
    May 09 2020 17:40:04: %ASA-7-609001: Built local-host internet:139.59.219.101
    May 09 2020 17:40:04: %ASA-6-302015: Built outbound UDP connection 299 for internet:139.59.219.101/123 (139.59.219.101/123) to mgmt-gateway:192.168.100.4/123 (10.197.164.28/195)
    May 09 2020 17:40:04: %ASA-6-302014: Teardown TCP connection 298 for internet:10.197.164.22/49 to identity:10.197.164.28/57617 duration 0:00:00 bytes 61 TCP Reset-I from internet
    May 09 2020 17:40:04: %ASA-7-609002: Teardown local-host internet:10.197.164.22 duration 0:00:00
    May 09 2020 17:40:09: %ASA-7-609001: Built local-host internet:10.197.164.22
    May 09 2020 17:40:09: %ASA-6-302013: Built outbound TCP connection 300 for internet:10.197.164.22/49 (10.197.164.22/49) to identity:10.197.164.28/4799 (10.197.164.28/4799)
    May 09 2020 17:40:09: %ASA-7-111009: User 'ASA_priv1' executed cmd: show curpriv
    May 09 2020 17:40:09: %ASA-6-302014: Teardown TCP connection 300 for internet:10.197.164.22/49 to identity:10.197.164.28/4799 duration 0:00:00 bytes 82 TCP Reset-I from internet
    May 09 2020 17:40:09: %ASA-7-609002: Teardown local-host internet:10.197.164.22 duration 0:00:00
    May 09 2020 17:40:14: %ASA-5-111007: Begin configuration: 10.65.81.163 reading from terminal
    May 09 2020 17:40:14: %ASA-5-111008: User 'ASA_priv1' executed the 'configure terminal' command.
    May 09 2020 17:40:14: %ASA-5-111010: User 'ASA_priv1', running 'CLI' from IP 10.65.81.163, executed 'configure terminal'

    观察结果:

    1.通过AAA服务器执行身份验证和执行授权
    2.执行授权管理为身份验证配置的控制台连接(ssh、telnet和enable)的所有请求的用户权限

    注意:这不包括到ASA的串行连接

    3.命令授权由AAA服务器使用命令“aaa authorization command ISE LOCAL”执行
    4.当用户通过AAA服务器上配置的TACACS+凭证登录ASA时,用户将获得AAA服务器的权限15,从而登录到权限模式
    5.使用上述配置时,用户无需输入使能密码,用户“enable_15”也无需在ASA或AAA服务器上配置。
    6. AAA服务器现在将报告来自登录用户的实际用户名的命令授权请求

    相关信息

    以下是一些与ASA的AAA设备管理相关的文档供参考:

    https://community.cisco.com/t5/security-documents/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365#toc-hId--1046199281


    https://www.cisco.com/c/en/us/support/docs/security/identity-services-engine/200207-ISE-2-0-ASA-CLI-TACACS-Authentication.pdf

    TAC Authored

    由思科工程师提供

    • Created by Dinesh Moudgil
      HTTS Engineer
    • Created by Poonam Garg
      HTTS Engineer
    • Edited by Cesar Ivan Monterrubio Ramirez
      Technical Consulting Engineer

    此文档是否有帮助?

    Feedback反馈

    联系我们

    本文档适用于以下产品