topic Re: Login to ASA with Enable Mode in Network Access Control

Login to ASA with Enable Mode

Scott Pickles — Mon, 11 Mar 2019 01:47:04 GMT

I've seen some posts on the forum regarding the use of AAA to login to an ASA in enable mode. I'm using a Server 2008 R2 NPS server, and I can successfully login. However, I'm using the NPS server to send back the Cisco AV-pair for 'priv-lvl=15'. I am expecting to login to the ASA and be in enable mode. I have seen other posts reference TACACS+, but we don't have ACS. Is TACACS+ a requirement for this? I remember reading in some other forums that it's a security feature on the ASA to not allow logging in directly to the enable mode.

Regards,
Scott

Login to ASA with Enable Mode

Richard Burts — Wed, 01 Feb 2012 20:59:32 GMT

Scott

I believe that you are correct that it is a security feature of the ASA that it will not allow you to login to the ASA and go directly to enable mode. I believe that this is the behavior whether the authentication servers uses TACACS or any other authentication protocol.

HTH

Rick

Login to ASA with Enable Mode

camejia — Wed, 01 Feb 2012 22:05:55 GMT

Hello Scott,

Confirming Richard statement from AAA perspective. The ASA will not allow you to get directly into Enable Mode when returning Privilege Level 15. The feature is only implemented on IOS devices. The ASA is considered a security device and it will not put you directly on Enable Mode as IOS does.

Regards.

Hi,Actually it is possible -

raviluchmun — Mon, 15 Jun 2015 20:34:25 GMT

Hi,

Actually it is possible - i can't be sure if it is the new version of ASA that allows it.

I am running asa916-k8.bin on 5510

The command is aaa authorization exec LOCAL auto-enable

When I ssh to my ASA, I enter my username and password and I am at priv exec mode straight away.

Try it and let me know.

Ravi L

Ravi L That is an interesting

Richard Burts — Tue, 16 Jun 2015 13:09:14 GMT

Ravi L

That is an interesting development. Thanks for letting us know that the behavior of ASA has changed.

HTH

Rick

That is correct, For all the

kskhanna — Mon, 17 Aug 2015 19:04:08 GMT

That is correct, For all the years ASA dev team would not entertain to add this feature but finally they made the change beginning code 9.2.1 where they introduced the "Auto-enable" command

aaa authorization exec { authentication-server | LOCAL } [ auto-enable ]

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/a1.html

auto-enable

Enables administrators who have sufficient authorization privileges to enter privileged EXEC mode by entering their authentication credentials once.

This works for local accounts

gbanta001 — Wed, 09 Aug 2017 19:40:52 GMT

This works for local accounts only on the ASA, you cannot getting into enable mode directly via SSH using Radius or LDAP. This is because this is a security device.

Works fine with ssh with

kskhanna — Thu, 10 Aug 2017 02:56:02 GMT

Works fine with ssh with Tacacs authentication!

doesn't seem to work with pubkey auth

Luca Andreucci — Wed, 11 Oct 2017 13:38:37 GMT

aaa authorization exec { authentication-server | LOCAL } [ auto-enable ]

too bad this does not seem to work with pubkey authentication

(trying on Version 9.1(6) )

Re: Login to ASA with Enable Mode

ashmatash1 — Thu, 08 Feb 2018 21:18:42 GMT

Pretty sure the answer saying its not possible is wrong

Re: Login to ASA with Enable Mode

Majed Zouhairy — Wed, 05 Dec 2018 07:44:03 GMT

no dear you are wrong, just tried it and it is awesome, before that from console it would log into enable mode, but not from ssh, and the enable password would always be wrong for some reason. Until ACS is connected this is great!

Re: This works for local accounts

j-sutterfield — Wed, 13 Feb 2019 16:57:27 GMT

The command you need for ssh against tacacs to work is:
aaa authorization exec authentication-server auto-enable

Re: Login to ASA with Enable Mode

alextomko — Wed, 12 Jun 2019 19:53:27 GMT

Re: Login to ASA with Enable Mode

ccie4297 — Wed, 07 Dec 2022 14:22:12 GMT

This works with NPS as the RADIUS server to my ASA5545-X as well... just need to do a little policy config on the NPS side.

aaa authentication enable console NPS_RADIUS LOCAL
aaa authentication ssh console NPS_RADIUS LOCAL
aaa authorization exec authentication-server auto-enable

sh ver

Cisco Adaptive Security Appliance Software Version 9.14(4)17

Re: Hi,Actually it is possible -

chambiyal — Fri, 20 Oct 2023 13:59:15 GMT

Thank you Ravi, it works!!