topic Re: asa cmd authorization using acs in Network Access Control

asa cmd authorization using acs

diptanshusingh — Sun, 10 Mar 2019 22:07:48 GMT

Hi all, i was trying to authorize the asa with acs 3.2 on priv lvl 7 using tacacs+,but the users were geting priv-lvl 15 only..

aaa-server aaa_serv protocol tacacs+

aaa-server aaa_serv host 10.0.0.10

key cisco123

aaa authentication serial console tac_serv

aaa authentication telnet console tac_serv

aaa authentication enable console tac_serv

aaa authorization command tac_serv

i had brought some commands also in priv 7 using privilege commandm but the problem is that when i try to login i am geting priv-lvl 15 only not 7.i had set in acs also in tacacs+ seting to assign priv lvl=7 only to the users .. but dnt knw why it is nt wrking ..

Re: asa cmd authorization using acs

rochopra — Tue, 01 May 2007 21:12:25 GMT

ASA does not have any authorization exec command so Priv Level does not work with ASA.

Max privilege(enable attrib. in ACS)works with ASA.

But if you implementing command authorization with ASA no need to configure max priv levels, let them all fall on priv level 15 and control access through command authorization.

2 main commands required for command authorization are

aaa authentication enable console tac_serv (this is because we do not have authorization exec in ASA so enable authentication is required for command auth to work)

aaa authorization command tac_serv

Re: asa cmd authorization using acs

diptanshusingh — Wed, 02 May 2007 01:56:15 GMT

I agree with you but then what is the use of priviliege commands.. what will i do by bringing commands at some x priv level ..

Re: asa cmd authorization using acs

Jagdeep Gambhir — Wed, 02 May 2007 12:12:42 GMT

Hi ,

This link from TAC case collection will provide you info on ASA exec author,

http://www.ciscotaccc.com/security/showcase?case=K25224726

Thanks,

Re: asa cmd authorization using acs

diptanshusingh — Wed, 02 May 2007 12:15:24 GMT

thankx a lot