restricting access to Cisco ASA console
I need to restrict access to my Cisco ASA firewall console port. Currently there is no need to specify a password when accessing it (one is required only when changing privilege level to 15). I would like to configure it so that when someone tries to access the console port, he will need to authenticate via TACACS+ (and if the TACACS+ server cannot be reached, specify the local enable password).
On my routers I have it configured as follows:
aaa authentication login default group tacacs+ local
aaa authentication login console_access enable
aaa authentication enable default group tacacs+ enable
tacacs-server host 192.168.30.254
tacacs-server key 7 <REMOVED>
line con 0
exec-timeout 15 0
login authentication console_access
On my ASA I have tried this:
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (management) host 192.168.30.254
aaa authentication ssh console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL
Unfortunately, I am not being prompted for a password when accessing the firewall via the console port (it works fine for the SSH sessions). Is it because I am missing the line below?
aaa authentication serial console TACACS+ LOCAL
Also, I do not understand what the purpose of the "console" keyword is in the lines containing telnet, ssh and enable. Could you please clarify this for me?
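As an added example (not part of the original post), here is the ASA configuration the poster is working towards, with the serial line included and the verification commands a practitioner would run afterwards. It assumes the same TACACS+ server address and interface name the poster shows; the shared key and the test credentials are placeholders. On the ASA, "console" in these commands is a fixed part of the syntax: it marks that the command configures authentication for an administrative access method (telnet, ssh, serial, http, enable), and "serial" is the method that covers the physical console port. The LOCAL entry at the end of each line is a fallback that is used only when the TACACS+ server group cannot be reached, not when the server rejects the credentials.

```cisco
! Server group and host; the key must match the one configured on the TACACS+ server
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (management) host 192.168.30.254
 key <TACACS-SHARED-KEY-PLACEHOLDER>

! Administrative access methods: SSH, the physical console port (serial), and enable
aaa authentication ssh console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL

! Keep at least one local administrator so a TACACS+ outage does not lock you out
username <LOCAL-ADMIN-PLACEHOLDER> password <LOCAL-PASSWORD-PLACEHOLDER> privilege 15

! Verification: confirm the serial line is present and that the server answers
show running-config aaa
show aaa-server TACACS+
test aaa-server authentication TACACS+ host 192.168.30.254 username <TEST-USER> password <TEST-PASSWORD>
```

Before trusting the fallback, check it from a second session: keep an existing console or SSH login open, block or stop the TACACS+ server, and confirm that a new console login is accepted with the local account; if the server is reachable but rejects the user, the ASA will not fall through to LOCAL, so the local account must be tested with the server genuinely unreachable.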