
AAA and ASA

Hi,

I am working on AAA for ASA. In IOS we can create AAA method lists using specific group names and then apply them to aux, con, and vty (0 - 15), but on the ASA I don't see a way to attach con, ssh, etc. to AAA; it looks like it is applied globally, similar to the default keyword used in IOS.

EXAMPLE

Router:

aaa authorization commands 0 AAA group tacacs+ local
aaa authorization commands 15 AAA group tacacs+ local
aaa authorization exec AAA group tacacs+ local
line vty 0 4
 exec-timeout 5 0
 authorization commands 15 AAA
 authorization exec AAA

ASA:

aaa authorization command acs LOCAL

The difference here is that on the ASA it gets applied globally, while my aim is not to apply this on the console and only to apply it to SSH sessions. Is there a way we can do it on a per-session basis on the ASA (ssh, console, telnet, etc.)?


Jatin Katyal
Cisco Employee

Hi there,

That's correct! When you enable command authorization, it gets applied globally and is applicable to all sessions, including the console. We can't get rid of that because on the ASA there is no concept of method lists like in IOS.

From the command reference guide:

Be sure that your TACACS+ system is completely stable and reliable. The necessary level of reliability typically requires that you have a fully redundant TACACS+ server system and fully redundant connectivity to the adaptive security appliance. For example, in your TACACS+ server pool, include one server connected to interface 1, and another to interface 2. You can also configure local command authorization as a fallback method if the TACACS+ server is unavailable. In this case, you need to configure local users and command privilege levels.

aaa authorization command

http://www.cisco.com/en/US/docs/security/asa/asa82/command/reference/a1.html#wp1556861


~Jatin
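As an added example that is not part of the original thread, this is what the fallback arrangement described in the quoted command reference looks like as an ASA configuration: TACACS+ command authorization with LOCAL fallback, local users with privilege levels, and per-command privilege assignments. It also shows the one place where the ASA does distinguish access methods: authentication can be chosen separately for SSH, Telnet, the serial console and enable (aaa authentication ... console), whereas aaa authorization command remains a single global setting that covers every session, console included. The server group name, host address, shared key, usernames and passwords are made up for the example.

```cisco
! Added example, not from the original thread. Addresses, key, users and
! passwords are made up; adjust interface names to your own deployment.

! TACACS+ server group reachable through the inside interface
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 10.1.1.10
 key tacacs-shared-secret

! Authentication can be selected per access method. Keeping the serial
! console on LOCAL only means a TACACS+ outage never locks you out of
! the console, while SSH/Telnet/enable try TACACS+ first, then LOCAL.
aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authentication serial console LOCAL

! Command authorization has no per-line form: this applies to every
! session (SSH, Telnet and console alike). TACACS+ is consulted first;
! LOCAL is used only when no TACACS+ server in the group is reachable.
aaa authorization command TACACS LOCAL

! LOCAL fallback needs local users with privilege levels ...
username netops password ChangeMe-netops privilege 5
username admin password ChangeMe-admin privilege 15

! ... and command privilege levels. Most commands default to level 15,
! so a level-5 user can only run what is explicitly lowered to 5 or below.
privilege show level 5 command aaa-server
privilege clear level 15 command aaa-server
privilege cmd level 15 command aaa-server
```

Before enabling aaa authorization command on a live box, confirm that the account you are logged in with exists locally with privilege 15 and that the TACACS+ group answers (test aaa-server authentication TACACS host 10.1.1.10 username admin), since a misconfigured group with LOCAL fallback and no matching local user will lock the current session out of every command.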