Showing results for 
Search instead for 
Did you mean: 

ASA Radius Exec Authorization Not Working


I have an ASA 5515 running 9.8(3)21. I'm using a Win2019 NPAS server for RADIUS. The setup is working fine for authentication for VPN, HTTPS, and SSH. My NPAS is configured on the ASA as:

aaa-server SB_MGMT_NPAS protocol radius
aaa-server SB_MGMT_NPAS (inside) host x.x.x.x
key 8 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
no mschapv2-capable


These are the AAA commands that make that work:

aaa authentication enable console SB_MGMT_NPAS LOCAL
aaa authentication http console SB_MGMT_NPAS LOCAL
aaa authentication ssh console SB_MGMT_NPAS LOCAL
aaa authorization command LOCAL
aaa authentication login-history


The problem I'm having is that I can't find a "aaa authorization" command syntax that will allow me to control the privilege level of SSH users. I have two levels of users setup in NPAS RADIUS based on group membership. Admin users are set for level 15 and auditors for level 3.  Using debug on the ASA I can clearly see that RADIUS is communicating the privilege attribute during the authentication process:

Got AV-Pair with value shell:priv-lvl=15

Got AV-Pair with value shell:priv-lvl=3 

However, when I apply "aaa authorization exec authentication-server auto-enable" or I enable authorization for exec shell access in ASDM it will not allow be to enable at all. What is the command syntax to make the ASA pay attention to the privilege level attribute? Thank you.

This widget could not be displayed.