AAA command authorization ASA

gm-douglas
Level 1

I have aaa authentication working on my ASA with no problem. I have command authorization working for my account on all my IOS devices with TACACS+ and a Cisco ACS. I cannot get command authorization to work on the ASA. Every time I enter the 'aaa authorization command CSACS-TACACS+' the system will not let me do anything else and gives me a user not authorized and the ACS shows no log of this request. I then have to reboot the ASA to get back in.

Current commands

aaa authentication ssh console CSACS-TACACS+

aaa authentication http console CSACS-TACACS+

Entered commands

aaa authentication enable console CSACS-TACACS+

aaa authorization command CSACS-TACACS+

mauzamor
Level 1

Hi Douglas,

What information do you see in the ACS server when the authorization fails in your ASA?

I get nothing on the ACS. When I use this on an IOS device I do see the commands in the TACACS authorization display, but nothing from the ASA. I tried the debug aaa authorization and this did not display anything.

Douglas,

Try the following configuration:

aaa authentication ssh console CSACS-TACACS+

aaa authentication http console CSACS-TACACS+

aaa authentication enable console CSACS-TACACS+

With the previous settings the ASA should be authenticating your username/password and the enable password against the ACS server. If this part works fine, then authorization should also be working fine.

Remember to keep another session open in privilege mode before testing the "aaa authentication enable console CSACS-TACACS+" command. In the ACS server you should be seeing at least the authentication passed report.