topic PIX/FWSM command authorization? in Network Security https://community.cisco.com/t5/network-security/pix-fwsm-command-authorization/m-p/330023#M550464 <P>Has anyone sucessfully implement command authorization on the PIX or FWSM? I seem to be stumbling on the enable authentication part. I can sucessfully authenticate a tacacs+ user, but when I try to authenticate the enable command, my tacacs server in debug mode returns the following:</P><P>enable query for 'admin' 24 from 10.1.2.4 rejected</P><P></P><P>Here is my tacacs and FWSM config:</P><P>user = $enable$ {</P><P> login = des xxxxx</P><P> }</P><P>user = $enab15$ {</P><P> login = des xxxxx</P><P></P><P>}</P><P></P><P>user = admin {</P><P> default service = permit</P><P> login = file /etc/passwd</P><P>}</P><P>user = backup {</P><P> login = nopassword</P><P> cmd = write { permit net</P><P> }</P><P>}</P><P>user = readonly {</P><P> login = des xxxxxx</P><P> cmd = show {</P><P> permit .*</P><P> }</P><P> cmd = quit {</P><P> permit .*</P><P> }</P><P> cmd = exit {</P><P> permit .*</P><P> }</P><P> cmd = * {</P><P> deny .*</P><P> }</P><P>}</P><P></P><P>aaa-server TACACS+ protocol tacacs+ </P><P>aaa-server TACACS+ max-failed-attempts 3 </P><P>aaa-server TACACS+ deadtime 1 </P><P>aaa-server TACACS+ (outside) host 10.2.3.5 xxxxx timeout 10</P><P>aaa-server TACACS+ (outside) host 10.1.2.3 xxxxx timeout 10</P><P></P><P>aaa authentication ssh console TACACS+ LOCAL</P><P>aaa authentication enable console TACACS+ LOCAL</P><P></P><P></P> Fri, 21 Feb 2020 08:01:05 GMT gspadden 2020-02-21T08:01:05Z PIX/FWSM command authorization? https://community.cisco.com/t5/network-security/pix-fwsm-command-authorization/m-p/330023#M550464 <P>Has anyone sucessfully implement command authorization on the PIX or FWSM? I seem to be stumbling on the enable authentication part. I can sucessfully authenticate a tacacs+ user, but when I try to authenticate the enable command, my tacacs server in debug mode returns the following:</P><P>enable query for 'admin' 24 from 10.1.2.4 rejected</P><P></P><P>Here is my tacacs and FWSM config:</P><P>user = $enable$ {</P><P> login = des xxxxx</P><P> }</P><P>user = $enab15$ {</P><P> login = des xxxxx</P><P></P><P>}</P><P></P><P>user = admin {</P><P> default service = permit</P><P> login = file /etc/passwd</P><P>}</P><P>user = backup {</P><P> login = nopassword</P><P> cmd = write { permit net</P><P> }</P><P>}</P><P>user = readonly {</P><P> login = des xxxxxx</P><P> cmd = show {</P><P> permit .*</P><P> }</P><P> cmd = quit {</P><P> permit .*</P><P> }</P><P> cmd = exit {</P><P> permit .*</P><P> }</P><P> cmd = * {</P><P> deny .*</P><P> }</P><P>}</P><P></P><P>aaa-server TACACS+ protocol tacacs+ </P><P>aaa-server TACACS+ max-failed-attempts 3 </P><P>aaa-server TACACS+ deadtime 1 </P><P>aaa-server TACACS+ (outside) host 10.2.3.5 xxxxx timeout 10</P><P>aaa-server TACACS+ (outside) host 10.1.2.3 xxxxx timeout 10</P><P></P><P>aaa authentication ssh console TACACS+ LOCAL</P><P>aaa authentication enable console TACACS+ LOCAL</P><P></P><P></P> Fri, 21 Feb 2020 08:01:05 GMT https://community.cisco.com/t5/network-security/pix-fwsm-command-authorization/m-p/330023#M550464 gspadden 2020-02-21T08:01:05Z Re: PIX/FWSM command authorization? https://community.cisco.com/t5/network-security/pix-fwsm-command-authorization/m-p/330024#M550465 <HTML><HEAD></HEAD><BODY><P>You need to login with admin capability to do this.</P></BODY></HTML> Tue, 22 Mar 2005 17:42:38 GMT https://community.cisco.com/t5/network-security/pix-fwsm-command-authorization/m-p/330024#M550465 umedryk 2005-03-22T17:42:38Z