04-30-2011 03:05 PM - edited 03-10-2019 06:02 PM
I can't seem to enable in ASA with a non-15 privilege level user configured in ACS 4.2 (tacacs).
When I enable in IOS device, it enables and "show privilege" shows level 10 as expected. ACS should be configured correctly as it works fine with IOS. User is not set with explicit settings. Group is set with "max enable level" 15 and "shell exec priv level" 15. The enable password is set to the internal ACS PAP password. Works fine in IOS.
When I enable in ASA, it fails to enable, and ACS log says "Tacacs+ enable privilege too low". I suspect that ASA tries to enable into level 15 explicitly. If I try to issue "enable 10" command in ASA it says:
Enabling to privilege levels is not allowed when configured for
AAA authentication. Use 'enable' only.
My config (only showing relevant commands):
aaa authentication telnet console mmsacs01 LOCAL
aaa authentication enable console mmsacs01 LOCAL
aaa authorization command mmsacs01 LOCAL
aaa authorization exec authentication-server
Thanks!
05-02-2011 05:05 AM
Set the Enable Options in the group to "Max Priv for any AAA Client" to Level 15.
This will allow enable and also limit your shell options to 10 and the command set you created.
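The following is an added illustration, not code from the thread, Cisco ACS or the ASA: a small model of the enable decision the thread describes, so the failing and the working ACS group settings can be compared side by side. Its assumptions (not stated on the page) are that ACS rejects an enable request whose requested level exceeds the group's maximum enable level with the log message quoted above, that an ASA with AAA enable authentication always requests level 15 (hence the "Use 'enable' only" message), and that the resulting exec privilege is the lower of the requested level and the group's shell exec privilege level when the device does exec authorization against the server.

```python
"""Model of the TACACS+ enable decision discussed in the thread (added example).

Assumptions, not ACS/ASA source: ACS compares the requested enable level with
the group's "Max Privilege for any AAA Client" and rejects with the message
quoted in the thread when it is exceeded; the ASA always asks for 15; the exec
privilege the device ends up with is min(requested, shell exec priv level).
"""
from dataclasses import dataclass
from typing import Optional, Tuple

# Log text quoted in the original post.
ENABLE_TOO_LOW = "Tacacs+ enable privilege too low"
# Message the ASA prints for "enable <n>" under AAA enable authentication.
ASA_LEVEL_NOT_ALLOWED = ("Enabling to privilege levels is not allowed when "
                         "configured for AAA authentication. Use 'enable' only.")


@dataclass(frozen=True)
class AcsGroup:
    """Relevant ACS 4.2 group settings (names as they appear in the thread)."""
    max_enable_level: int   # Enable Options -> Max Privilege for any AAA Client
    shell_priv_level: int   # Shell (exec) -> privilege level sent as priv-lvl


def requested_enable_level(device: str, level: Optional[int]) -> int:
    """Level the device puts in the TACACS+ enable request (assumed model)."""
    if device == "asa":
        # Assumption: the ASA only ever enables to 15 under AAA authentication.
        if level is not None:
            raise ValueError(ASA_LEVEL_NOT_ALLOWED)
        return 15
    # IOS: plain "enable" means 15, "enable N" means N.
    return 15 if level is None else level


def enable_decision(group: AcsGroup, device: str,
                    level: Optional[int] = None) -> Tuple[str, Optional[str], Optional[int]]:
    """Return (result, acs_log_message, effective_privilege) for one enable attempt."""
    requested = requested_enable_level(device, level)
    if requested > group.max_enable_level:
        return ("fail", ENABLE_TOO_LOW, None)
    # Assumption: with exec authorization against the server, the session's
    # privilege is capped by the group's shell exec privilege level.
    return ("pass", None, min(requested, group.shell_priv_level))


# Constructed settings: the failing group (max enable 10) and the fixed one.
FAILING_GROUP = AcsGroup(max_enable_level=10, shell_priv_level=10)
FIXED_GROUP = AcsGroup(max_enable_level=15, shell_priv_level=10)


def compare() -> dict:
    """Run the thread's three cases against both groups."""
    return {
        "ios_enable10_failing": enable_decision(FAILING_GROUP, "ios", 10),
        "asa_enable_failing": enable_decision(FAILING_GROUP, "asa"),
        "asa_enable_fixed": enable_decision(FIXED_GROUP, "asa"),
    }


if __name__ == "__main__":
    for case, outcome in compare().items():
        print(f"{case}: {outcome}")
```

With the max enable level raised to 15 the ASA's implicit request for level 15 is accepted, while the shell exec privilege level still limits the session to 10, which is the split the answer describes.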
05-02-2011 08:00 PM
That was it! Thanks a lot!
Roman