AAA Authorization on PIX

Collin Clark
VIP Alumni

I have a PIX running 6.3(5) and ACS 3.3 and I'm trying to configure AAA Authorization on the PIX. I followed the docs on Cisco; however, I can't get anything to work. AAA authentication is already working, so I know that end is OK. What I want to do is allow a certain ACS group to be able to log in to the firewall (level 1 only) and have the ability to do a show run. Do I need to change the privilege of show run to level 1?

Here are the docs I've been following:

http://cisco.com/en/US/partner/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#asso1

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a00800949d6.shtml

3 Replies

Jagdeep Gambhir
Level 10

The trick here is to give all users priv 15 and then set up command authorization sets as per your need. Giving a user priv 15 does not mean that the user will be able to execute all commands.

The doc you are referring to is right. Please check the attachment.

Regards,

~JG
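The PIX-side configuration that goes with this advice, as an added example that is not part of the original thread or its attachments. The server address, shared key and local username are assumed values; the ACS group and command-set names mirror the ones the original poster describes. Verify each line against the PIX 6.3 command reference for your exact release (in particular whether it accepts the LOCAL fallback keyword on the authorization line), and keep a privilege-15 local account plus a console fallback so that a mistake in an ACS command set cannot lock you out of the firewall.

```text
! --- PIX 6.3 (added example; 10.1.1.5 and the key are assumed, not from the thread) ---
! TACACS+ server group used for both login authentication and command authorization
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.1.1.5 S3cretK3y timeout 10

! Local break-glass account so the box stays manageable if ACS is unreachable
username admin password <local-password> privilege 15

! Management logins go to ACS first, then fall back to the local database
aaa authentication ssh console TACACS+ LOCAL
aaa authentication serial console TACACS+ LOCAL
aaa authentication enable console TACACS+ LOCAL

! Every command typed in the session is sent to ACS as cmd + cmd-arg for a
! permit/deny decision. While ACS answers, the PIX "privilege" levels are not
! consulted, so "show run" does not need to be moved to level 1; only the ACS
! command set decides. LOCAL fallback (if your release accepts it) uses the PIX
! privilege levels solely when ACS cannot be reached.
aaa authorization command TACACS+ LOCAL

! --- ACS 3.3 side (configured in the ACS web UI, not on the PIX) ---
! Group ShowRun      : privilege level 15
!                      Shell Command Authorization Set "ShowRun":
!                        command: show    arguments: permit run
!                        command: exit    (permitted)
!                        command: quit    (permitted)
!                        Unmatched Commands: Deny
! Group FullControl  : privilege level 15
!                      Shell Command Authorization Set "FullControl":
!                        Unmatched Commands: Permit
! Each user must be a member of exactly one of these groups; an unmapped or
! default-group user gets whatever set (if any) the default group carries.
```

Two checks worth doing before blaming the PIX: first, look at the ACS "TACACS+ Administration" report, which records the exact cmd and cmd-arg pair the PIX sent and whether ACS permitted it, so you can see whether the user typed show run or show running-config and whether the argument line in the set actually matched it; second, confirm in Passed/Failed Attempts that the login was mapped to the ACS group you think it was, because a user landing in the default group will behave identically no matter how the ShowRun and FullControl sets are built.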

JG-

Thanks for the screenshots! I set the users to level 15, but I get the same results. I have a ShowRun group that allows the following: show permit run, exit, and quit, and denies anything not matching. I have a second group, FullControl, that permits anything unmatched. I assigned level 15 to both groups and set each group to the appropriate shell command group. The weird thing is that with my test login (in the ShowRun group) I can do show ?, but that's it. If I log in with my ID (FullControl) I can only do the exact same thing, show ?. I must be missing something (easy, I'm sure).

Are you using an external database? Make sure that the user is mapped to the correct group. You can check it from the passed or failed attempts. Check

It should map the user (limited access) to the showrun group.

Regards,

~JG