https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292199#M328630 <HTML><HEAD></HEAD><BODY><P>What will this command do?, Does it make me use my own individual enable password?</P></BODY></HTML> Fri, 23 Oct 2009 15:07:05 GMT networker99 2009-10-23T15:07:05Z https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292188#M328619 <P>Using AAA on a PIX, authentication works fine and the AAA user has full rights over PIX, but aaa authorization always fails when going into conf t</P> Sun, 10 Mar 2019 23:45:11 GMT https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292188#M328619 networker99 2019-03-10T23:45:11Z https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292189#M328620 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>If this is a ACS user, you need to add this on ACS</P><P></P><P>Under shared profile component &gt; shell command authorization set &gt; type </P><P></P><P>"configure" under unmatched commands: and type permit terminal <CR> under the permit unmatched args and make sure this has been applied on the user or group and then try again.</CR></P><P></P><P>HTH</P><P></P><P>JK</P><P></P><P>Plz rate helpful posts-</P></BODY></HTML> Fri, 23 Oct 2009 13:03:22 GMT https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292189#M328620 Jatin Katyal 2009-10-23T13:03:22Z https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292190#M328621 <HTML><HEAD></HEAD><BODY><P>Access is still denied. The restricted group works.. (unable to get into enable mode), but the full access group can get into enable mode but not conf t</P></BODY></HTML> Fri, 23 Oct 2009 14:05:35 GMT https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292190#M328621 networker99 2009-10-23T14:05:35Z https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292191#M328622 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>For the full group you just need to do this:</P><P></P><P>Under shared profile component &gt; shell command authorization set &gt; select the radio button permit.</P><P></P><P>If that doesn't works please send the screen shots of full access command set.</P><P></P><P>HTH</P><P></P><P>JK</P><P></P><P>Plz rate hopeful posts.</P></BODY></HTML> Fri, 23 Oct 2009 14:11:53 GMT https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292191#M328622 Jatin Katyal 2009-10-23T14:11:53Z https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292192#M328623 <HTML><HEAD></HEAD><BODY><P>Issues seems to be with command authorization. It would have been better if running config is included in the original post.</P><P></P><P>What message do you see on acs failed attempt? </P><P></P><P>Any ways , please apply command set (that allows all command) on user level instead of group level. </P><P></P><P>or </P><P></P><P>Check the failed attempts and see which group you are a part of, then apply command set to that group.</P><P></P><P>Good luck!</P><P></P><P>Regards,</P><P>~JG</P><P></P><P>Do rate helpful posts</P><P></P></BODY></HTML> Fri, 23 Oct 2009 14:14:26 GMT https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292192#M328623 Jagdeep Gambhir 2009-10-23T14:14:26Z https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292193#M328624 <HTML><HEAD></HEAD><BODY><P>Access is still denied. The restricted group works.. (unable to get into enable mode), but the full access group can get into enable mode but not conf t</P></BODY></HTML> Fri, 23 Oct 2009 14:16:59 GMT https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292193#M328624 networker99 2009-10-23T14:16:59Z https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292194#M328625 <HTML><HEAD></HEAD><BODY><P>Where in ACS can I see failed authorization messages?</P></BODY></HTML> Fri, 23 Oct 2009 14:36:51 GMT https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292194#M328625 networker99 2009-10-23T14:36:51Z https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292195#M328626 <HTML><HEAD></HEAD><BODY><P>Reports and activities --&gt;failed attempts</P></BODY></HTML> Fri, 23 Oct 2009 14:40:03 GMT https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292195#M328626 Jagdeep Gambhir 2009-10-23T14:40:03Z https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292196#M328627 <HTML><HEAD></HEAD><BODY><P>Where in ACS can I see failed authorization messages?</P></BODY></HTML> Fri, 23 Oct 2009 14:57:40 GMT https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292196#M328627 networker99 2009-10-23T14:57:40Z https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292197#M328628 <HTML><HEAD></HEAD><BODY><P>In the log my username shows up as "enable_15" ?? and says user unknown?</P></BODY></HTML> Fri, 23 Oct 2009 14:58:42 GMT https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292197#M328628 networker99 2009-10-23T14:58:42Z https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292198#M328629 <HTML><HEAD></HEAD><BODY><P>Hi,</P><P></P><P>This happens when we have command authorization enabled on ASA</P><P>and try to run any level 15 command on ASA.</P><P></P><P>Please check the ASA configuration and see if you are missing this command:</P><P></P><P>aaa authentication enable console <TACACS> LOCAL</TACACS></P><P></P><P>on the ACS make sure that enable level privilege is level 15</P><P></P><P>HTH</P><P></P><P>JK</P><P></P><P>Plz rate helpful posts-</P></BODY></HTML> Fri, 23 Oct 2009 15:03:30 GMT https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292198#M328629 Jatin Katyal 2009-10-23T15:03:30Z https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292199#M328630 <HTML><HEAD></HEAD><BODY><P>What will this command do?, Does it make me use my own individual enable password?</P></BODY></HTML> Fri, 23 Oct 2009 15:07:05 GMT https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292199#M328630 networker99 2009-10-23T15:07:05Z https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292200#M328631 <HTML><HEAD></HEAD><BODY><P>Same issue was reported sometime back aswell.</P><P></P><P>Make sure you have enable authentication ,</P><P></P><P>aaa authentication ssh console TACACS LOCAL</P><P>aaa authentication telnet console TACACS LOCAL</P><P>aaa authentication enable console TACACS LOCAL</P><P>aaa authorization command TACACS LOCAL</P><P></P><P>Incase it does not work pls get aaa config</P><P></P><P>Regards,</P><P>~JG</P><P></P><P>Do rate helpful posts</P><P></P></BODY></HTML> Fri, 23 Oct 2009 15:07:11 GMT https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292200#M328631 Jagdeep Gambhir 2009-10-23T15:07:11Z https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292201#M328632 <HTML><HEAD></HEAD><BODY><P>This command is needed to make command authorization work.</P><P></P><P></P><P>Yes, you can set your own enable password.</P><P></P><P></P><P>Regards,</P><P>~JG</P></BODY></HTML> Fri, 23 Oct 2009 15:10:23 GMT https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292201#M328632 Jagdeep Gambhir 2009-10-23T15:10:23Z https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292202#M328633 <HTML><HEAD></HEAD><BODY><P>yes, if you have separate enable password configured on the ACS, it will let you use that. But i would also suggest you to keep your current session open and try from a duplicate session...just a back door entry.</P><P></P><P>HTH</P><P></P><P>JK</P><P></P><P>Plz rate helpful posts-</P></BODY></HTML> Fri, 23 Oct 2009 15:38:30 GMT https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292202#M328633 Jatin Katyal 2009-10-23T15:38:30Z https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292203#M328634 <HTML><HEAD></HEAD><BODY><P>i had the same problem, i could login to the ASA using ACS and i went to enable mode using the local enable password, however, i somehow was no longer authenticated as the username i used, but my username shows enable_15, and i couldn't authorize any command, so i created a new user on the ACS (enable_15) and everything worked smoothly.</P><P>i don't think this is the solution, but it's working now. </P><P>i don't know why the username switches to enable_15, maybe because i am entering the enable secret which is local on the ASA</P></BODY></HTML> Wed, 08 Jun 2011 09:33:48 GMT https://community.cisco.com/t5/network-access-control/pix-authorization-issue/m-p/1292203#M328634 Omar Badawi 2011-06-08T09:33:48Z