topic Things have changed. (-:ASA in Network Access Control

Bypass EXEC Mode when login in SSH for ASA 8.4(2)

ckhoodanny — Mon, 11 Mar 2019 03:07:44 GMT

Hi All,

I would like to check with you all, is there anyone able to access to the Cisco ASA 8.4(2) CLI without the needs of entering the enable password?

Currently it's configured with TACACS access for CLI and ASDM.

For ASDM we got no issue and able to access and make change directly when entering own TACACS credential.

However for the CLI, we would need to type "enable" and also the enable password once login.

Is there anyway we could skip the EXEC mode and access to the PRIVILEDGE mode directly?

Many thanks for your help!

Current Config:

aaa-server xxxx protocol tacacs+

aaa-server xxxx (management) host xxxx

Regards,

Danny

Bypass EXEC Mode when login in SSH for ASA 8.4(2)

Jatin Katyal — Mon, 25 Feb 2013 19:13:56 GMT

Unfortunately, ASA does not support AAA Exec Authorization functionality yet, so it cannot be configured with TACACS or RADIUS to jump directly to privilege exec mode. We need to go through with enable authentication

like this:

===================

ASA:Username: *****

ASA:Password: *****

ASA:>enable

Password: ****

===================

This is because the ASA does not understand the cisco-avpair ="shell:priv-lvl=15" attribute.

The ASA does not support AAA Exec Authorization functionality yet, so it cannot be configured with TACACS or RADIUS.

The workaround for this issue is to manually switch from the user mode to the enable mode.

This is only supported in IOS ( Router/Switches).

Regards,

Jatin Katyal

- Do rate helpful posts -

Bypass EXEC Mode when login in SSH for ASA 8.4(2)

ckhoodanny — Thu, 21 Mar 2013 09:15:10 GMT

Thanks a lot jkatyal!

Now I understand. Hope this help other as well...

Things have changed. (-:ASA

Peter Koltl — Sun, 31 Aug 2014 12:21:34 GMT

Things have changed. (-:

ASA now understands

cisco-av-pair = priv-lvl=15

When I log in to my ASA 9.1(5), I land directly on privilege exec mode.

I have video demo athttps:/

H G S Tharaka Kariyawasam — Wed, 03 Sep 2014 13:22:02 GMT

I have video demo at

https://supportforums.cisco.com/video/12293656/asa-aaa-configuration-acs-authentication-and-authorization

regarding this. If the video is not clear, you can also try

http://www.youtube.com/watch?v=p7HIsGUdOzo

Peter is correct! In addition

nspasov — Wed, 03 Sep 2014 15:33:21 GMT

Peter is correct! In addition, 9.2.1 added another nice little feature that can help you with your problem:

Improved one-time password authentication

Administrators who have sufficient authorization privileges may enter privileged EXEC mode by entering their authentication credentials once. The auto-enable option was added to the aaa authorization exec command.

We modified the following command: aaa authorization exec .

Thanks Neno and Peter for

Jatin Katyal — Wed, 03 Sep 2014 16:02:30 GMT

Thanks Neno and Peter for keep the thread/discussion updated.

Re: I have video demo athttps:/

prashanma — Mon, 02 Oct 2017 09:07:48 GMT

Hi Tharaka,

Thank you for video. I have a question though. I try to setup ACS in VMware, which was success. But at time to time it cannot access via web. Ping is fine from both side.

Can you help me out there.