gm-douglas
Beginner

AAA command authorization ASA

I have aaa authentication working on my ASA with no problem. I have command authorization working for my account on all my IOS devices with TACACS+ and a Cisco ACS. I cannot get command authorization to work on the ASA. Every time I enter the 'aaa authorization command CSACS-TACACS+' the system will not let me do anything else and gives me a user not authorized and the ACS shows no log of this request. I then have to reboot the ASA to get back in.

Current commands

aaa authentication ssh console CSACS-TACACS+

aaa authentication http console CSACS-TACACS+

Entered commands

aaa authentication enable console CSACS-TACACS+

aaa authorization command CSACS-TACACS+

3 REPLIES 3
mauzamor
Beginner

Hi Douglas,

What information do you see in the ACS server when the authorization fails in your ASA?

I get nothing on the ACS. When I use this on an IOS device I do see the commands in the tacacs authorization display, but nothing from the ASA. I tried the debug aaa authorization and this did not display anything.

Douglas,

Try the following configuration:

aaa authentication ssh console CSACS-TACACS+

aaa authentication http console CSACS-TACACS+

aaa authentication enable console CSACS-TACACS+

With the previous settings the ASA should be authenticating your username/password and the enable password against the ACS server, if this part works fine then authorization should also be working fine.

Remember to keep another session open in privilege mode before testing the "aaa authentication enable console CSACS-TACACS+" command. In the ACS server you should be seeing at least the authentication passed report.
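
An added example, not part of the thread and not Cisco tooling: a pre-change check over a pasted ASA configuration that reports what is missing before `aaa authorization command` is turned on for a TACACS+ group. It assumes the ASA `LOCAL` fallback keyword (consulted only when the server group does not respond) and a local privilege 15 `username`; the function name, finding texts and sample config are constructed for illustration.

```python
import re

# Constructed sample: the thread's "current" plus "entered" commands.
THREAD_CONFIG = """\
aaa authentication ssh console CSACS-TACACS+
aaa authentication http console CSACS-TACACS+
aaa authentication enable console CSACS-TACACS+
aaa authorization command CSACS-TACACS+
"""

def audit_command_authorization(config: str) -> list[str]:
    """Return lockout-risk findings for a config that enables command authorization."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    findings = []
    authz = [ln.split() for ln in lines if ln.startswith("aaa authorization command ")]
    if not authz:
        return findings  # command authorization is not enabled, nothing to check
    methods = authz[0][3:]  # e.g. ['CSACS-TACACS+'] or ['CSACS-TACACS+', 'LOCAL']
    group = methods[0]
    if group != "LOCAL" and "LOCAL" not in methods[1:]:
        findings.append(f"no LOCAL fallback on 'aaa authorization command {group}'")
    # Map each console access method (ssh, http, enable, ...) to its server list.
    authn = {}
    for ln in lines:
        m = re.match(r"aaa authentication (\S+) console (.+)", ln)
        if m:
            authn[m.group(1)] = m.group(2).split()
    if group != "LOCAL":
        # Assumption taken from the thread, which pairs the two commands:
        # enable should authenticate against the same group.
        if group not in authn.get("enable", []):
            findings.append(f"enable is not authenticated against {group}")
        for method, servers in authn.items():
            if group in servers and "LOCAL" not in servers:
                findings.append(f"no LOCAL fallback on '{method}' authentication")
    # A LOCAL fallback is only usable if a privilege 15 local account exists.
    if not any(re.match(r"username \S+ .*privilege 15\b", ln) for ln in lines):
        findings.append("no local privilege 15 username for fallback")
    return findings

if __name__ == "__main__":
    for finding in audit_command_authorization(THREAD_CONFIG):
        print("RISK:", finding)
```

The fallback does not help when the server answers and denies the command, so the account used for the change still needs its commands permitted on the ACS.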
