ASA 8.2(3): can't "enable" TACACS ACS4.2 user with privilege level 10

Roman Rodichev
Level 7

I can't seem to enable in ASA with a non-15 privilege level user configured in ACS 4.2 (tacacs).

When I enable in IOS device, it enables and "show privilege" shows level 10 as expected. ACS should be configured correctly as it works fine with IOS. User is not set with explicit settings. Group is set with "max enable level" 15 and "shell exec priv level" 15. The enable password is set to the internal ACS PAP password. Works fine in IOS.

When I enable in ASA, it fails to enable, and ACS log says "Tacacs+ enable privilege too low". I suspect that ASA tries to enable into level 15 explicitly. If I try to issue "enable 10" command in ASA it says:

Enabling to privilege levels is not allowed when configured for AAA authentication. Use 'enable' only.

My config (only showing relevant commands):

aaa authentication telnet console mmsacs01 LOCAL
aaa authentication enable console mmsacs01 LOCAL
aaa authorization command mmsacs01 LOCAL
aaa authorization exec authentication-server

Thanks!

1 Accepted Solution

Calvin Ryver
Level 1

Set the Enable Options in the grp to "Max Priv for any AAA Client" to Level 15. This will allow enable and also limit your shell options to 10 and the command set you created.

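As an added illustration (not code from the original post, nor from Cisco ASA or ACS), a small Python model of the enable check this thread describes: the ACS decision rule, the ASA's fixed level-15 request and the shell-level cap are assumptions stated in the block, and the before/after group settings are constructed.

```python
"""Model of the TACACS+ enable check discussed above (added example; not code
from the original post, Cisco ASA or ACS). Labelled assumptions: ACS grants
enable when the group's "Max Privilege for any AAA Client" is >= the level
the device asks for; IOS asks for the level on 'enable N', an ASA under AAA
always asks for 15; the session then runs at the group's shell exec level."""
from dataclasses import dataclass
from typing import Optional

ASA_ENABLE_LEVEL = 15  # ASA refuses 'enable N' under AAA ("Use 'enable' only")
ENABLE_TOO_LOW = "Tacacs+ enable privilege too low"  # ACS log text from the thread

@dataclass(frozen=True)
class AcsGroup:
    max_enable_level: int  # "Max Privilege for any AAA Client" (enable options)
    shell_exec_level: int  # shell (exec) privilege level for the session

@dataclass(frozen=True)
class EnableResult:
    granted: bool
    requested_level: int
    effective_level: Optional[int]  # None when enable was refused
    acs_log: str

def requested_level(platform: str, cli_level: int) -> int:
    """Privilege level the device actually asks ACS to authenticate for."""
    if platform == "asa":
        return ASA_ENABLE_LEVEL  # 'enable 10' is rejected locally, never sent
    if platform == "ios":
        return cli_level         # 'enable 10' asks for exactly level 10
    raise ValueError(f"unknown platform {platform!r}")

def enable(platform: str, group: AcsGroup, cli_level: int = 15) -> EnableResult:
    """Evaluate one enable attempt against the group's ACS enable options."""
    level = requested_level(platform, cli_level)
    if level > group.max_enable_level:
        return EnableResult(False, level, None, ENABLE_TOO_LOW)
    # Raising the enable cap to 15 does not hand out a level-15 shell: the
    # session is still bounded by the shell exec level (10 in the thread).
    return EnableResult(True, level, min(level, group.shell_exec_level), "Enable OK")

def demo() -> dict:
    """Constructed before/after group settings matching the symptom and the fix."""
    before = AcsGroup(max_enable_level=10, shell_exec_level=10)  # assumed pre-fix cap
    after = AcsGroup(max_enable_level=15, shell_exec_level=10)   # accepted answer
    return {
        "ios_before": enable("ios", before, cli_level=10),  # works, level 10
        "asa_before": enable("asa", before),                # fails: too low
        "asa_after": enable("asa", after),                  # works, shell still 10
    }
```

Running demo() reproduces the thread: IOS enables to 10, the ASA is refused until the enable cap is 15, and after the fix the ASA session is still held at shell level 10.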

2 Replies

That was it! Thanks a lot!

Roman
