topic Re: command authorization for ASA in Network Access Control

command authorization for ASA

anva12345 — Mon, 11 Mar 2019 00:40:36 GMT

Hi all

I have configured ASA firewall for command authorization with ACS.For users with privilege level 15 it is working fine.But when i login with users with privilege level 0, first when i enter the username and password ,it enters into enable mode.But after that when i put the enable password ,it is not working.password is not working.I configured to use the same PAP password option in the ACS enable section for the user.Also is it possible in ASA is it possible when user enters username and password,he could directly log into the exec mode rather than enable mode and assign privilege for the user as configured in the ACS user configuration.

Thanks in advance

Anvar

Re: command authorization for ASA

Dan-Ciprian Cicioiu — Tue, 28 Dec 2010 16:22:07 GMT

Hi ,

I think that you should add :

aaa authentication enable console

Do you want to have the enable via tacacs ?

You can create a group privilege 15 and deny unwanted commands.

Dan

Re: command authorization for ASA

anva12345 — Tue, 28 Dec 2010 16:25:58 GMT

Hi Dan

I have alredy configured enable password using tacacs+.Please find my aaa config on ASA

aaa authentication telnet console TACACS-SERVER LOCAL
aaa authentication http console TACACS-SERVER LOCAL
aaa authentication ssh console TACACS-SERVER LOCAL
aaa authentication enable console TACACS-SERVER LOCAL
aaa authentication serial console LOCAL
aaa authorization command TACACS-SERVER LOCAL
aaa accounting telnet console TACACS-SERVER
aaa accounting command TACACS-SERVER
aaa accounting ssh console TACACS-SERVER

regards

anvar

Re: command authorization for ASA

Dan-Ciprian Cicioiu — Tue, 28 Dec 2010 16:32:24 GMT

I think that the problem is that you assign the privilege level to 0.

So the user will be able to use only level 0 commands.

I think that the best way will be to set the privilege to 15 , and deny/allow commands.

Dan

Re: command authorization for ASA

anva12345 — Tue, 28 Dec 2010 16:57:38 GMT

Hi Dan

Thanks man .it works fine for ASA.but when i applied same configuration on FWSM,it works for user with read and write access.But for read only access users.command its showing command authorization failed .when i enter username and password it is going to enable mode.but when i enter enable its showing command authorization failed, not allowing me to enter exec mode.Please help to solve this.

Also is it possible to enter exec mode without enable mode directly like routers and switches

regards

Anvar

Re: command authorization for ASA

Dan-Ciprian Cicioiu — Tue, 28 Dec 2010 17:49:17 GMT

Anvar ,

"command authorization failed" tells you that the user has no right to enter that command.

Currently , as far as i know , you cannot direcly go to privilege level 15.

Dan

Re: command authorization for ASA

anva12345 — Tue, 28 Dec 2010 17:56:13 GMT

Thanks Dan

But same command and user is working fine for ASA.But for fwsm when i put "enable" to get into enable mode its showing the error.i wonder how it is working for ASA and not for FWSM

Regards

Anvar

Re: command authorization for ASA

Dan-Ciprian Cicioiu — Tue, 28 Dec 2010 18:02:25 GMT

Anvar ,

can you add enable command , on the permit list ?

Dan

Re: command authorization for ASA

anva12345 — Tue, 28 Dec 2010 18:06:25 GMT

Hi Dan

I already added the enable command for the read-only command authorization set.Please check the attached file.

Regards

Anvar

Re: command authorization for ASA

Dan-Ciprian Cicioiu — Tue, 28 Dec 2010 18:38:00 GMT

Can you try a

debug aaa authorization

Dan

Re: command authorization for ASA

anva12345 — Tue, 28 Dec 2010 18:47:42 GMT

Dan

Thanks very much Dan.Actually aaa requests were going to ACS2 .and I configured authorization sets on ACS1.After replication its workink fine.Thanks very much for your support

Regards

Anvar