https://community.cisco.com/t5/network-security/pix-radius-and-enable-mode/m-p/1036030#M493558 <HTML><HEAD></HEAD><BODY><P>Do you know if there is a plan to support this in any later versions? In my work enviroment shared passwords are not allowed. Thanks.</P><P></P></BODY></HTML> Mon, 25 Aug 2008 14:25:13 GMT nobleton3366 2008-08-25T14:25:13Z https://community.cisco.com/t5/network-security/pix-radius-and-enable-mode/m-p/1036025#M493549 <P>Hi all, I am trying to get a pix 6.3 to authenticate telnet users via radius with a Microsoft IAS server. This works well, but Im trying to get it where when they log in, it just dumps them into enable mode, instead of typing in the enable AD credential again. Anyone have any insight on how to do this? Its a IAS configuration thing I know, but not sure what to do with it. Thanks in advance.</P> Fri, 21 Feb 2020 10:58:46 GMT https://community.cisco.com/t5/network-security/pix-radius-and-enable-mode/m-p/1036025#M493549 jjoseph01 2020-02-21T10:58:46Z https://community.cisco.com/t5/network-security/pix-radius-and-enable-mode/m-p/1036026#M493551 <HTML><HEAD></HEAD><BODY><P>If you mean on firewall,</P><P></P><P>Username: alfa</P><P>Password: ********</P><P></P><P>pixfirewall#</P><P></P><P>Rather then,</P><P></P><P>Username: alfa</P><P>Password: ********</P><P></P><P>pixfirewall&gt;</P><P>pixfirewall&gt;enable</P><P>Password: ********</P><P>pixfirewall#</P><P></P><P>The unfortunately, Pix firewall does not have this concept, like IOS devices have.</P><P></P><P>On IOS you can get the user log directly into enable (Privileged exec) mode by passing attribute,</P><P></P><P>cisco av-pair as shell:priv-lvl=n or on some IOS only using Service Type as Administrative will do the trick.</P><P></P><P>Where, n is the privilege level.</P><P></P><P>AND, there has to be an EXEC authorization command on the IOS device, e.g.,</P><P></P><P>aaa authorization exec <LIST-NAME> group radius....</LIST-NAME></P><P></P><P>Unfortunately, that is not the case for the Pix firewall, they have a different OS.</P><P></P><P>Regards,</P><P>Prem</P><P></P><P>Please rate if it helps!</P><P></P></BODY></HTML> Fri, 22 Aug 2008 20:34:38 GMT https://community.cisco.com/t5/network-security/pix-radius-and-enable-mode/m-p/1036026#M493551 Premdeep Banga 2008-08-22T20:34:38Z https://community.cisco.com/t5/network-security/pix-radius-and-enable-mode/m-p/1036027#M493552 <HTML><HEAD></HEAD><BODY><P>Even tough the exec authorization feature in the Cisco PIX/ASA is not 'completely' implemented, it does not mean you cannot do things like command authorization on the PIX/ASA. So let us know what exactly do you want to achieve and maybe we could help.</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Sun, 24 Aug 2008 18:11:59 GMT https://community.cisco.com/t5/network-security/pix-radius-and-enable-mode/m-p/1036027#M493552 Farrukh Haroon 2008-08-24T18:11:59Z https://community.cisco.com/t5/network-security/pix-radius-and-enable-mode/m-p/1036028#M493554 <HTML><HEAD></HEAD><BODY><P>Hey, thanks. When I telnet into the device, and successfully log in, Id like it to dump me directly into enable mode. routername# instead of routername&gt; </P></BODY></HTML> Sun, 24 Aug 2008 21:42:23 GMT https://community.cisco.com/t5/network-security/pix-radius-and-enable-mode/m-p/1036028#M493554 jjoseph01 2008-08-24T21:42:23Z https://community.cisco.com/t5/network-security/pix-radius-and-enable-mode/m-p/1036029#M493556 <HTML><HEAD></HEAD><BODY><P>Unfortunately, this kind of functionality is not included in the PIX/ASA OS as of now.</P><P></P><P>Regards,</P><P>Prem</P></BODY></HTML> Mon, 25 Aug 2008 10:41:26 GMT https://community.cisco.com/t5/network-security/pix-radius-and-enable-mode/m-p/1036029#M493556 Premdeep Banga 2008-08-25T10:41:26Z https://community.cisco.com/t5/network-security/pix-radius-and-enable-mode/m-p/1036030#M493558 <HTML><HEAD></HEAD><BODY><P>Do you know if there is a plan to support this in any later versions? In my work enviroment shared passwords are not allowed. Thanks.</P><P></P></BODY></HTML> Mon, 25 Aug 2008 14:25:13 GMT https://community.cisco.com/t5/network-security/pix-radius-and-enable-mode/m-p/1036030#M493558 nobleton3366 2008-08-25T14:25:13Z https://community.cisco.com/t5/network-security/pix-radius-and-enable-mode/m-p/1036031#M493560 <HTML><HEAD></HEAD><BODY><P>You might want to contact your accounts team for the same.</P><P></P><P>If sharing of password is not allowed, then you can enable, enable password authentication on firewall, i.e.</P><P></P><P>aaa authentication enable console <AAA-TAG> LOCAL</AAA-TAG></P><P></P><P>And on the ACS server, under user's profile, make sure that enable password is selected as the user's account password against the respective database.</P><P></P><P>Regards,</P><P>Prem</P></BODY></HTML> Mon, 25 Aug 2008 14:31:33 GMT https://community.cisco.com/t5/network-security/pix-radius-and-enable-mode/m-p/1036031#M493560 Premdeep Banga 2008-08-25T14:31:33Z https://community.cisco.com/t5/network-security/pix-radius-and-enable-mode/m-p/1036032#M493562 <HTML><HEAD></HEAD><BODY><P>Thanks works great thanks. One more question...</P><P></P><P>On my IOS equipment, I am able to make it check the LOCAL db first then radius rather than radius first. Is there a way to do it this way on the ASA?</P></BODY></HTML> Tue, 26 Aug 2008 12:17:50 GMT https://community.cisco.com/t5/network-security/pix-radius-and-enable-mode/m-p/1036032#M493562 nobleton3366 2008-08-26T12:17:50Z https://community.cisco.com/t5/network-security/pix-radius-and-enable-mode/m-p/1036033#M493565 <HTML><HEAD></HEAD><BODY><P>Yes the AAA method list functionality is identical on both platforms. The IOS 'local-case' is the 'LOCAL' on ASA.</P><P></P><P>Regards</P><P></P><P>Farrukh</P></BODY></HTML> Tue, 26 Aug 2008 12:21:58 GMT https://community.cisco.com/t5/network-security/pix-radius-and-enable-mode/m-p/1036033#M493565 Farrukh Haroon 2008-08-26T12:21:58Z https://community.cisco.com/t5/network-security/pix-radius-and-enable-mode/m-p/1036034#M493571 <HTML><HEAD></HEAD><BODY><P>I think on your IOS this is how you are doing the authentication,</P><P></P><P>aaa authentication login default local group radius...</P><P></P><P>Local first and then Radius, right ?</P><P></P><P>If I understand you situation correctly, then that functionality/behavior is not how ASA/PIX firewall works.</P><P></P><P>If you specify LOCAL, then there is no other method available, i.e.,</P><P></P><P>aaa authentication telnet console LOCAL</P><P></P><P>But, you can specify the fallback as LOCAL in the event your Radius/Tacacs server is not available,</P><P>aaa authentication telnet console <SERVER-TAG> LOCAL</SERVER-TAG></P><P></P><P>HTH</P><P></P><P>Regards,</P><P>Prem</P><P></P><P>Please rate if it helps!</P></BODY></HTML> Tue, 26 Aug 2008 12:29:22 GMT https://community.cisco.com/t5/network-security/pix-radius-and-enable-mode/m-p/1036034#M493571 Premdeep Banga 2008-08-26T12:29:22Z https://community.cisco.com/t5/network-security/pix-radius-and-enable-mode/m-p/1036035#M493577 <HTML><HEAD></HEAD><BODY><P>I was afraid of that, but we can make it work. Thanks again.</P></BODY></HTML> Tue, 26 Aug 2008 13:44:58 GMT https://community.cisco.com/t5/network-security/pix-radius-and-enable-mode/m-p/1036035#M493577 nobleton3366 2008-08-26T13:44:58Z https://community.cisco.com/t5/network-security/pix-radius-and-enable-mode/m-p/1036036#M493581 <HTML><HEAD></HEAD><BODY><P>I forgot to rate this, so came back to do so. Thanks for all your help.</P></BODY></HTML> Thu, 28 Aug 2008 14:33:09 GMT https://community.cisco.com/t5/network-security/pix-radius-and-enable-mode/m-p/1036036#M493581 jjoseph01 2008-08-28T14:33:09Z