01-25-2018 02:29 PM - edited 02-21-2020 10:44 AM
Hi,
I am trying to get AAA command authorization to work on an ASA running 9.6, without any luck.
Authentication seems to be working fine, but for some reason the ASA rejects all commands.
My config looks like this:
group = read-only {
    service = exec {
        priv-lvl = 15
    }
    cmd = show {
        permit .*
    }
}
user = bob {
    login = des $1$VF$kBvTjygux4xdkHjGUSSwd1
    service = shell {
        priv-lvl=5
    }
    member = read-only
}
The ASA has the following configuration:
aaa-server TEST (outside) host x.y.z.w key *****
aaa authorization command TEST
The traffic is reaching the server just fine (as authentication towards the same server works), but for some reason all commands are rejected.
Any ideas?
01-26-2018 12:11 AM
- Which error is produced, then, on a rejected command?
M.
01-26-2018 05:28 AM - edited 01-26-2018 07:29 AM
01-26-2018 07:31 AM
I omitted the group membership for user bob.
user = bob {
    default service = deny
    name = "bob"
    login = des $1$VF$kBGTjygux4xckHjGUSSwd1
    service = exec {
        priv-lvl=15
    }
    cmd = show {
        permit "run|arp|config"
    }
    #member = read-only
}
The logs outputs the following:
Fri Jan 26 14:26:34 2018 [32068]: Start authorization request
Fri Jan 26 14:26:34 2018 [32068]: do_author: user='enable_15'
Fri Jan 26 14:26:34 2018 [32068]: user 'enable_15' found
Fri Jan 26 14:26:34 2018 [32068]: authorize_cmd: user=enable_15, cmd=show
Fri Jan 26 14:26:34 2018 [32068]: cmd show does not exist, denied by default
Fri Jan 26 14:26:34 2018 [32068]: authorization query for 'enable_15' 22 from x.y.z.w rejected
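The log above shows the server authorizing the command for the user 'enable_15', not 'bob', and denying 'show' because that user has no matching cmd clause. The following is an added example, not code from the thread or from tac_plus: a small, constructed Python model of tac_plus-style command authorization (verb looked up as a cmd clause, user clauses before group clauses, remaining arguments matched against the permit regexes, unknown verbs denied by default), with a parser for the posted log lines so the server's decision can be replayed. The users, group and the assumption that 'enable_15' exists without any cmd clauses are taken from or inferred from the posts; the matching rules are a simplification and are labelled as such in the code.

```python
import re

# Constructed, simplified model of tac_plus-style command authorization.
# Assumptions (not the tac_plus source):
#   - the first word of the command is looked up as a "cmd = <verb>" clause,
#     checking the user's own clauses first, then the user's group;
#   - the remaining arguments are tested against that clause's permit
#     regexes; no match means deny;
#   - a verb with no clause at all is "denied by default", as in the log.
CONFIG = {
    "groups": {
        "read-only": {"cmds": {"show": [r".*"]}},
    },
    "users": {
        # bob as posted: member of read-only (first post) with his own
        # cmd = show clause (second post).
        "bob": {"member": "read-only", "cmds": {"show": [r"run|arp|config"]}},
        # The ASA sent the request for 'enable_15', not 'bob'. Assumption:
        # that user exists on the server but carries no cmd clauses, which
        # is all the posted log ("user 'enable_15' found") tells us.
        "enable_15": {"member": None, "cmds": {}},
    },
}


def find_cmd_clause(config, user, verb):
    """Return the permit patterns for verb: user clause first, then group."""
    entry = config["users"].get(user)
    if entry is None:
        return None
    if verb in entry["cmds"]:
        return entry["cmds"][verb]
    group = config["groups"].get(entry["member"] or "")
    if group and verb in group["cmds"]:
        return group["cmds"][verb]
    return None


def authorize_cmd(config, user, command):
    """Decide (decision, reason) for one command-authorization request."""
    parts = command.split()
    if not parts:
        return ("deny", "empty command")
    verb, args = parts[0], " ".join(parts[1:])
    if user not in config["users"]:
        return ("deny", f"user '{user}' not found")
    patterns = find_cmd_clause(config, user, verb)
    if patterns is None:
        # Wording mirrors the posted server log.
        return ("deny", f"cmd {verb} does not exist, denied by default")
    for pat in patterns:
        if re.search(pat, args):
            return ("permit", f"cmd {verb} args '{args}' matched permit {pat!r}")
    return ("deny", f"cmd {verb} args '{args}' matched no permit clause")


# Parser for the "authorize_cmd: user=..., cmd=..." line in the posted log,
# so the server's decision can be replayed against the model above.
LOG_RE = re.compile(r"authorize_cmd: user=(?P<user>[^,]+), cmd=(?P<cmd>.+)$")


def replay_log(config, lines):
    """Return (user, cmd, decision, reason) for each authorize_cmd log line."""
    results = []
    for line in lines:
        m = LOG_RE.search(line)
        if not m:
            continue
        user, cmd = m.group("user"), m.group("cmd").strip()
        decision, reason = authorize_cmd(config, user, cmd)
        results.append((user, cmd, decision, reason))
    return results


# Constructed log lines, copied in shape from the ones in the thread.
SAMPLE_LOG = [
    "Fri Jan 26 14:26:34 2018 [32068]: do_author: user='enable_15'",
    "Fri Jan 26 14:26:34 2018 [32068]: authorize_cmd: user=enable_15, cmd=show",
]

if __name__ == "__main__":
    for user, cmd in [("bob", "show run"), ("bob", "show version"), ("enable_15", "show")]:
        print(user, cmd, authorize_cmd(CONFIG, user, cmd))
    for row in replay_log(CONFIG, SAMPLE_LOG):
        print(row)
```

Running it shows that 'bob' would be permitted 'show run' under his own clause and denied 'show version' (the group's `permit .*` is never consulted because the user-level clause for 'show' is found first in this model), while the replayed log line for 'enable_15' reproduces the "denied by default" decision, which is the point to check on the server side: which username the ASA actually presents in the authorization request.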
01-30-2018 12:02 PM
A test with the same server configuration against an IOS switch was made, without any problems.