AAA ACS RADIUS ASA administrative access

Phil L
Level 1

We have an ASA running 8.2 and we would like to set up AAA for SSH access using RADIUS from an ACS 5.5.

I can get users to authenticate, but the ASA keeps logging the user in at user EXEC level instead of privileged EXEC.

Setup on the ASA:

aaa-server rad-group1 protocol radius
aaa-server rad-group1 (inside_pd) host rad-server-1
  key *****
aaa-server rad-group1 (inside_pd) host rad-server-2
  key *****
aaa authentication ssh console rad-group1 LOCAL
aaa authentication telnet console rad-group1 LOCAL
aaa authentication http console rad-group1 LOCAL
aaa authorization exec authentication-server

I have tried pushing various combinations of these attributes from the ACS:

CVPN3000/ASA/PIX7.x-Priviledge-Level   value=15
RADIUS-IETF Service-Type               value=Administrative (6)
cisco-av-pair                          value="shell:priv-lvl=15"

Ivan Gonzalez
Cisco Employee

Hi Phil,

This is not an available option on the ASA version you are running. The option to be placed into privilege mode is available until ASA 9.1 (5) version:

http://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/admin_management.html#pgfId-1223518

Note: Please mark it as answered if applicable

ivangonz,

Is it possible to control EXEC level in ASA 8.2 using TACACS+?

Thanks,

Phil

Hi Phil,

You are able to manage Privilege level being assigned to a user with Tacacs, however, you are not able to go into Privilege level without going through enable authentication, unless you go to 9.1 (5) code. 

johnd2310
Level 8

Hi,

Why are you not using TACACS? TACACS is best for device management.

Thanks

John

**Please rate posts you find helpful**

We already have RADIUS authenticating/authorizing VPN users. I figured that if we could get admin AAA to work with RADIUS it would minimize the changes needed.

I will give TACACS a try.
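For reference, here is what the TACACS+ variant that Ivan and John point to looks like on the ASA side. This is an added illustration, not configuration posted by anyone in the thread: the group name tac-group1, the interface name inside_pd and the host names tac-server-1/2 are placeholders patterned on Phil's RADIUS setup, and the ACS shell-profile settings, the "enable" authentication line and the 9.1(5) auto-enable keyword come from general ASA/ACS knowledge rather than from this thread.

```cisco
! Hypothetical ASA configuration (not from the thread). Names tac-group1,
! inside_pd and tac-server-1/2 are placeholders modelled on Phil's RADIUS group.

! TACACS+ server group with two servers. LOCAL stays as the fallback method so
! an unreachable ACS does not lock administrators out of the box.
aaa-server tac-group1 protocol tacacs+
aaa-server tac-group1 (inside_pd) host tac-server-1
  key <shared-secret>
aaa-server tac-group1 (inside_pd) host tac-server-2
  key <shared-secret>

! Login authentication for SSH and ASDM. Telnet is left out on purpose.
aaa authentication ssh console tac-group1 LOCAL
aaa authentication http console tac-group1 LOCAL

! Before 9.1(5): the ACS shell profile (Common Tasks tab, Default Privilege 15 /
! Maximum Privilege 15) sets the user's privilege level, but the session still
! starts in user EXEC and the administrator has to type "enable". Pointing
! "enable" at the same TACACS+ group makes that second step a per-user
! authentication against ACS instead of a shared enable password.
aaa authorization exec authentication-server
aaa authentication enable console tac-group1 LOCAL

! 9.1(5) and later only: land the user directly in privileged EXEC.
! aaa authorization exec authentication-server auto-enable

! Per-command authorization and accounting are what TACACS+ adds over RADIUS for
! device administration: each command is checked against the ACS command set and
! logged together with the username, which is the audit trail you want on a
! firewall.
aaa authorization command tac-group1 LOCAL
aaa accounting command tac-group1
```

With this in place, a login on the 8.2 box still shows the user EXEC prompt first (as the accepted answer describes), but the "enable" prompt now asks for the administrator's own ACS password, and every configuration command is authorized and accounted individually. The auto-enable line is left commented out because it is only accepted on 9.1(5) and later.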