topic AAA command authorization ASA in Network Access Control

AAA command authorization ASA

gm-douglas — Mon, 11 Mar 2019 02:54:33 GMT

I have aaa authentication working on my ASA with no problem. I have command authorization working for my account on all my IOS devices with TACACS+ and a Cisco ACS. I can not get command authorization to work on the ASA. Every time I enter the 'aaa authorization command CSACS-TACACS+' the system will not let me do anything else and gives me a user not authroized and the ACS shows no log of this request. I then have to reboot the ASA to get back in.

Current commands

aaa authentication ssh console CSACS-TACACS+

aaa authentication http console CSACS-TACACS+

Entered commands

aaa authentication enable console CSACS-TACACS+

aaa authorization command CSACS-TACACS+

AAA command authorization ASA

mauzamor — Thu, 20 Dec 2012 16:43:38 GMT

Hi Douglas,

What information do you see in the ACS server when the authorization fails in your ASA?

AAA command authorization ASA

gm-douglas — Thu, 20 Dec 2012 16:58:14 GMT

I get nothing on the ACS. When I use this on a IOS device and do see the commands in the tacacs authorization display, but nothing from the ASA. I tried the debug aaa authorization and this did not display anything.

AAA command authorization ASA

mauzamor — Thu, 20 Dec 2012 17:03:27 GMT

Douglas,

Try the following configuration:

aaa authentication ssh console CSACS-TACACS+

aaa authentication http console CSACS-TACACS+

aaa authentication enable console CSACS-TACACS+

With the previous settings the ASA should be authenticating your username/password and the enable password against the ACS server, if this part works fine then authorization should also be working fine.

Remember to keep another session open in privilege mode before testing "

aaa authentication enable console CSACS-TACACS+" command. In the ACS server you should be seeing at least the authentication passed report.