12-24-2012 09:33 AM - edited 03-10-2019 07:54 PM
Hello Everyone,
After a user is authenticated using TACACS+, he/she must be authorized to access the IOS or ASA shell. However, when I just configured authentication (without authorization), the user can still access the level 15 shell after authentication by simply typing the "enable" command if he/she knows the enable password. Then what does Exec authorization really do? Also, when we say Exec Authorization, does it mean user-exec or privilege-exec?
Thx for your help.
AM
12-28-2012 11:08 AM
Can anyone provide some help here please? ..
12-28-2012 11:35 AM
Hi there,
The behavior is different if this command is used in IOS or ASA. For example, let's say that you have configured this command in your router: "aaa authorization exec default group tacacs+". If you SSH/Telnet to this router, then after entering the username/password you will be placed in privilege mode "#" if the retrieved privilege level is higher than 2, so you will be skipping the "enable" prompt.
But the syntax of this command is a little bit different in an ASA, and the behavior also changes. First of all, you cannot skip the "enable" prompt in your ASA because this is a security device and this prompt is mandatory:
"Note:
The Cisco Security Appliances (ASA/PIX) does not currently allow the user to be placed directly into the enable mode during login. The user must manually enter into the enable mode."
So in an ASA you won't be able to skip the "enable" prompt. What it will do is just retrieve the privilege level or Service-level value assigned to the user. There are multiple values, like "Administrative", which is similar to privilege 15, or "NAS prompt", "Outbound", etc.
Each of these values has a different purpose, for further details check below:
http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1070306
Hope I could shed some light on this situation.
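To make the IOS behavior described in the reply above concrete, here is an added configuration example (not from the original thread or from Cisco's documentation) contrasting authentication-only with exec authorization. The TACACS+ server address, key, and the local fallback user are assumed values.

```cisco
! --- Assumed lab values: server 192.0.2.10, key LAB-KEY-PLACEHOLDER ---
aaa new-model
tacacs server ACS1
 address ipv4 192.0.2.10
 key LAB-KEY-PLACEHOLDER
!
! Local fallback so the box stays reachable if the TACACS+ server is down
username admin privilege 15 secret LOCAL-FALLBACK-PLACEHOLDER
!
! 1) Authentication only.
!    After login every user lands in user-exec (priv-lvl 1) and must type
!    "enable" with the enable secret to reach privilege 15. The TACACS+
!    server has no say in the shell privilege level at this point.
aaa authentication login default group tacacs+ local
!
! 2) Authentication + exec authorization.
!    At login IOS sends a TACACS+ authorization request for service=shell
!    and applies the priv-lvl attribute the server returns:
!      priv-lvl=15  -> user lands directly at the "#" prompt, no "enable"
!      priv-lvl=1   -> user lands at ">" exactly as in case 1 (which is
!                      why an ACS profile that returns priv-lvl=1 shows
!                      "no difference" in the debug output)
!    Server side (e.g. ACS shell profile or tac_plus) must carry:
!      service = exec { priv-lvl = 15 }
aaa authorization exec default group tacacs+ local
!
! Exec authorization is not applied to the console unless this is set;
! leave it out while testing to avoid locking yourself out of the console.
! aaa authorization console
!
! Verification (enable before a test login):
!   debug aaa authorization
!   debug tacacs
! Expected line for a priv 15 profile: "processing AV priv-lvl=15"
```

Exec authorization therefore answers "what shell does this user get at login?" (the privilege level), not "which commands may they run?"; the latter is command authorization ("aaa authorization commands 15 ...").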
12-28-2012 01:02 PM
Hi,
Thanks for your response but it didn't answer my question.
My question wasn't asking about the privilege level attribute in ACS that helps me to jump directly to the priv. mode and skip the enable command. My question is regarding the Exec authorization feel. I can't feel it. As mentioned, I've configured authentication with and without authorization and didn't see any difference. Both methods landed in priv. level 1 (user-exec). The only difference is that the debug output shows me that authorization was successful and "processing AV priv-lvl=1" when I configured authorization. Also, I understand that the behavior and syntax of AAA is different in ASA. So again, I didn't ask whether the syntax or behavior of AAA is different in ASA.
Unlike Exec-Author., command authorization is more obvious, so I can feel it.
Again, I don't get what the effect of the exec-author. is if I configure it or don't configure it.
Hope my question provides more clarity.
Thx
AM