turbo_engine26
Enthusiast

ASA/Router Exec Authorization

Hello Everyone,

After a user is authenticated using TACACS+, he/she must be authorized to access the IOS or ASA shell. However, when I just configured authentication (without authorization), the user can still access the level 15 shell after authentication by simply typing the "enable" command if he/she knows the enable password. Then, what does Exec authorization really do? Also, when we say Exec Authorization, does it mean user-exec or privilege-exec?

Thx for your help.

AM

3 REPLIES
turbo_engine26
Enthusiast

Can anyone provide some help here please?

Hi there,

The behavior is different if this command is used in IOS or ASA. For example, let's say that you have configured this command in your router: "aaa authorization exec default group tacacs+". If you SSH/Telnet to this router, then after entering the username/password you will be placed in privilege mode "#" if the privilege level retrieved is higher than 2, so you will be skipping the "enable" prompt.

But the syntax of this command is a little bit different in an ASA, and the behavior also changes. First of all, you cannot skip the "enable" prompt in your ASA because this is a security device and this prompt is mandatory:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

"Note: The Cisco Security Appliances (ASA/PIX) does not currently allow the user to be placed directly into the enable mode during login. The user must manually enter into the enable mode."

So in an ASA you won't be able to skip the "enable" prompt. What it will do is just retrieve the privilege level or Service-level value assigned to the user. There are multiple values, like "Administrative", which is similar to privilege 15, or "NAS prompt", "Outbound", etc.

Each of these values has a different purpose, for further details check below:

http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1070306

Hope I could shed some light on this situation.

Hi,

Thanks for your response but it didn't answer my question.

My question wasn't asking about the privilege level attribute in ACS that helps me jump directly to the priv. mode and skip the enable command. My question is regarding the Exec authorization feel. I can't feel it. As mentioned, I've configured authentication with and without authorization and didn't see any difference. Both methods landed in priv. level 1 (user-exec). The only difference is that the debug output shows me "authorization successful" and "processing AV priv-lvl=1" when I configured authorization. Also, I understand that the behavior and syntax of AAA is different in ASA. So again, I didn't ask whether the syntax or behavior of AAA is different in ASA.

Unlike Exec-Author., command authorization is more obvious, so I can feel it.

Again, I don't get what the effect of the exec-author. is, whether I configure it or not.

Hope my question provides more clarity.

Thx

AM
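The question in this thread is what exec authorization actually does on the NAS. The following is an added example, not code from the thread or from Cisco: it decodes the TACACS+ authorization REPLY the router receives for the EXEC start request (service=shell, cmd=) and derives the decision the debug output hints at. A FAIL or ERROR status denies the shell entirely, and a PASS grants it at the level in the priv-lvl AV pair, defaulting to 1 (the "priv-lvl=1" the poster saw, which lands at user-exec). The field layout is from RFC 8907 section 6.2; the reply bodies are constructed here, and the on-wire obfuscation with the shared secret is assumed to have been removed already.

```python
"""Decode a TACACS+ authorization REPLY body and derive the EXEC decision.
Added example, not from the thread. Body layout follows RFC 8907 section 6.2;
the bodies are constructed here and assumed already de-obfuscated."""
import re
import struct

# Authorization REPLY status codes (RFC 8907, section 6.2).
PASS_ADD, PASS_REPL, FAIL, ERROR = 0x01, 0x02, 0x10, 0x11


def build_author_reply(status: int, args: list, server_msg: str = "") -> bytes:
    """Construct a reply body: status, arg_cnt, server_msg_len, data_len,
    one length byte per arg, then server_msg, data (empty here) and the args."""
    enc_args = [a.encode() for a in args]
    head = struct.pack("!BBHH", status, len(enc_args), len(server_msg), 0)
    lens = bytes(len(a) for a in enc_args)
    return head + lens + server_msg.encode() + b"".join(enc_args)


def parse_author_reply(body: bytes) -> dict:
    """Parse a de-obfuscated reply body into status, server_msg and AV args."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    arg_lens = list(body[off:off + arg_cnt])
    off += arg_cnt
    server_msg = body[off:off + msg_len].decode()
    off += msg_len + data_len          # data is opaque to the NAS; skip it
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode())
        off += n
    if off != len(body):
        raise ValueError("authorization reply has trailing bytes")
    return {"status": status, "server_msg": server_msg, "args": args}


def exec_decision(body: bytes) -> dict:
    """What the NAS does with the reply to service=shell, cmd= (EXEC start):
    FAIL/ERROR means no shell at all; PASS grants a shell at the level from
    the priv-lvl AV pair (default 1). IOS prompts '>' only at level 1, so any
    higher level lands the user at '#' without typing 'enable'."""
    reply = parse_author_reply(body)
    if reply["status"] not in (PASS_ADD, PASS_REPL):
        return {"exec": False, "priv_lvl": None, "prompt": None}
    av = {}
    for arg in reply["args"]:
        m = re.match(r"([^=*]+)[=*](.*)", arg)   # '=' mandatory, '*' optional
        if m:
            av[m.group(1)] = m.group(2)
    lvl = int(av.get("priv-lvl", "1"))
    return {"exec": True, "priv_lvl": lvl, "prompt": "#" if lvl > 1 else ">"}
```

The difference the poster could not "feel" is the FAIL branch: without exec authorization every authenticated user gets a level 1 shell and only the enable password stands between them and level 15, whereas with it the server can refuse the shell or hand out the level per user.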
