Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
738
Views
0
Helpful
3
Replies

ASA/Router Exec Authorization

turbo_engine26
Level 4
Level 4

‎12-24-2012 09:33 AM - edited ‎03-10-2019 07:54 PM

Hello Everyone,

After a user is authenticated using  TACACS+, he/she must be authorized to access the IOS or ASA shell.  However, when i just configured authentication (without authorization),  the user can still access the level 15 shell after authentication by  simply typing the "enable" command if he/she knows the enable password.  Then, What Exec authorization really does? .. Also, when we say Exec  Authorization, does it mean user-exec or privilege-exec?

Thx for your help.

AM

Labels:
0 Helpful
3 Replies 3

turbo_engine26
Level 4
Level 4

‎12-28-2012 11:08 AM

Can anyone provide some help here please? ..

0 Helpful

mauzamor
Level 1
Level 1
In response to turbo_engine26

‎12-28-2012 11:35 AM

Hi there,

The behavior is different if this command is used in IOS or ASA, for example let's say that you have configured this command in your router "aaa authorizzation exec default group tacacs+", if you SSH/Telnet to this router than after entering the username/password you will be placed in privilege mode "#" if after retrieving the privilege level it's higher than 2, so you will be skipping the "enable" prompt.

But the syntax of this command is a little bit different in an ASA.and the behavior also changes, first of all you cannot skip the "enable" prompt in your ASA because this is a security device and this prompt is mandatory:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

"Note:

The Cisco Security Appliances (ASA/PIX) does not currently allow the           user to be placed directly into the enable mode during login. The user must           manually enter into the enable mode."

So in an ASA you won't be able to skip the "enable" prompt, so what it will do is just to retrieve the privilege level or Service-level value assigned to the user, there are multiple values like "Administrative" which is similar to privilege 15, or "NAS prompt", "Outbound", etc.

Each of these values has a different purpose, for further details check below:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1070306

Hope I could have provided you some light into this situation.

0 Helpful

turbo_engine26
Level 4
Level 4
In response to mauzamor

‎12-28-2012 01:02 PM

Hi,

Thanks for your response but it didn't answer my question.

My question wasn't asking about the privilege level attribute in ACS that helps me to jump directly to the priv. mode  and skip the enable command. My question is regarding the Exec authorization feel. I can't feel it. As mentioned, i've configured authentication with and without authorization and didn't see any difference. Both methods landed to priv. level 1 (user-exec). The only difference is the debug output shows me that authorization successful and processing AV priv-lvl=1 when i configured authorization. Also, i understand that the behavior and syntax of AAA is different in ASA. So again, i didn't ask about if the syntax or behavior of AAA is different in ASA.

Unlike Exec-Author., command authorization is more obvious so i can feel it.

Again, i don't get what is the effect of the exec-author. if i configure it or without configuring it.

Hope my question provides more clarity.

Thx

AM

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents