https://community.cisco.com/t5/network-access-control/aaa-command-authorization-on-asa/m-p/3319564#M550487 Fri, 26 Jan 2018 15:29:37 GMT peppe-bahnhof 2018-01-26T15:29:37Z https://community.cisco.com/t5/network-access-control/aaa-command-authorization-on-asa/m-p/3319053#M550485 <P>Hi,</P> <P>&nbsp;</P> <P>I am trying to get AAA command authorization to work on an Asa running 9.6. without any luck..</P> <P>Authentication seems to be working fine, but for some reason the Asa rejects all commands.</P> <P>My config looks like this:</P> <PRE>group = read-only { service = exec { priv-lvl = 15 } cmd = show { permit .* } } user = bob { login = des $1$VF$kBvTjygux4xdkHjGUSSwd1 service = shell { priv-lvl=5 } member = read-only } </PRE> <P>The ASA has the following configuration:</P> <PRE>aaa-server TEST (outside) host x.y.z.w key ***** aaa authorization command TEST</PRE> <P>The traffic is reaching the server just fine (as authentication towards the same server works), but for some reason all commands are rejected.</P> <P>Any ideas?</P> Fri, 21 Feb 2020 18:44:14 GMT https://community.cisco.com/t5/network-access-control/aaa-command-authorization-on-asa/m-p/3319053#M550485 Chewbakka1 2020-02-21T18:44:14Z https://community.cisco.com/t5/network-access-control/aaa-command-authorization-on-asa/m-p/3319361#M550486 <P>&nbsp;</P> <P>&nbsp;- Which error is produced , then, on a rejected command ?</P> <P>M.</P> Fri, 26 Jan 2018 08:11:54 GMT https://community.cisco.com/t5/network-access-control/aaa-command-authorization-on-asa/m-p/3319361#M550486 Mark Elsen 2018-01-26T08:11:54Z https://community.cisco.com/t5/network-access-control/aaa-command-authorization-on-asa/m-p/3319564#M550487 Fri, 26 Jan 2018 15:29:37 GMT https://community.cisco.com/t5/network-access-control/aaa-command-authorization-on-asa/m-p/3319564#M550487 peppe-bahnhof 2018-01-26T15:29:37Z https://community.cisco.com/t5/network-access-control/aaa-command-authorization-on-asa/m-p/3319660#M550488 <P>I omitted the group membership for user bob.<BR /><BR /></P> <PRE>user = bob { default service = deny name = "bob" login = des $1$VF$kBGTjygux4xckHjGUSSwd1 service = exec { priv-lvl=15 } cmd = show { permit "run|arp|config" } #member = read-only }</PRE> <P><BR />The logs outputs the following:</P> <PRE>Fri Jan 26 14:26:34 2018 [32068]: Start authorization request Fri Jan 26 14:26:34 2018 [32068]: do_author: user='enable_15' Fri Jan 26 14:26:34 2018 [32068]: user 'enable_15' found Fri Jan 26 14:26:34 2018 [32068]: authorize_cmd: user=enable_15, cmd=show Fri Jan 26 14:26:34 2018 [32068]: cmd show does not exist, denied by default Fri Jan 26 14:26:34 2018 [32068]: authorization query for 'enable_15' 22 from x.y.z.w rejected</PRE> Fri, 26 Jan 2018 15:31:20 GMT https://community.cisco.com/t5/network-access-control/aaa-command-authorization-on-asa/m-p/3319660#M550488 Chewbakka1 2018-01-26T15:31:20Z https://community.cisco.com/t5/network-access-control/aaa-command-authorization-on-asa/m-p/3321912#M550489 <P>A test with the same server configuration against an IOS switch was made, without any problems.</P> <P>&nbsp;</P> <P>&nbsp;</P> Tue, 30 Jan 2018 20:02:52 GMT https://community.cisco.com/t5/network-access-control/aaa-command-authorization-on-asa/m-p/3321912#M550489 Chewbakka1 2018-01-30T20:02:52Z