cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

3547
Views
14
Helpful
7
Replies
ckhoodanny
Beginner

Bypass EXEC Mode when login in SSH for ASA 8.4(2)

Hi All,

I would like to check with you all, is there anyone able to access to the Cisco ASA 8.4(2) CLI without the needs of entering the enable password?

Currently it's configured with TACACS access for CLI and ASDM.

For ASDM we got no issue and able to access and make change directly when entering own TACACS credential.

However for the CLI, we would need to type "enable" and also the enable password once login.

Is there anyway we could skip the EXEC mode and access to the PRIVILEDGE mode directly?

Many thanks for your help!

Current Config:

aaa-server xxxx protocol tacacs+

aaa-server xxxx (management) host xxxx

Regards,

Danny

1 ACCEPTED SOLUTION

Accepted Solutions
Jatin Katyal
Cisco Employee

Unfortunately, ASA does not support AAA Exec Authorization functionality yet, so it cannot be configured with TACACS or RADIUS to jump directly to privilege exec mode. We need to go through with enable authentication

like this:

===================

ASA:Username: *****

ASA:Password: *****

ASA:>enable

Password: ****

===================

This is because the ASA does not understand the cisco-avpair ="shell:priv-lvl=15" attribute.

The ASA does not support AAA Exec Authorization functionality yet, so it cannot be configured with TACACS or RADIUS.

The workaround for this issue is to manually switch from the user mode to the enable mode.

This is only supported in IOS ( Router/Switches).

Regards,

Jatin Katyal


- Do rate helpful posts -

~Jatin

View solution in original post

7 REPLIES 7
Jatin Katyal
Cisco Employee

Unfortunately, ASA does not support AAA Exec Authorization functionality yet, so it cannot be configured with TACACS or RADIUS to jump directly to privilege exec mode. We need to go through with enable authentication

like this:

===================

ASA:Username: *****

ASA:Password: *****

ASA:>enable

Password: ****

===================

This is because the ASA does not understand the cisco-avpair ="shell:priv-lvl=15" attribute.

The ASA does not support AAA Exec Authorization functionality yet, so it cannot be configured with TACACS or RADIUS.

The workaround for this issue is to manually switch from the user mode to the enable mode.

This is only supported in IOS ( Router/Switches).

Regards,

Jatin Katyal


- Do rate helpful posts -

~Jatin

View solution in original post

Thanks a lot jkatyal!

Now I understand. Hope this help other as well...

Things have changed. (-:

ASA now understands

         cisco-av-pair = priv-lvl=15

When I log in to my ASA 9.1(5), I land directly on privilege exec mode.

Peter is correct! In addition, 9.2.1 added another nice little feature that can help you with your problem:

 

Improved one-time password authentication

Administrators who have sufficient authorization privileges may enter privileged EXEC mode by entering their authentication credentials once. The auto-enable option was added to the aaa authorization exec command.

We modified the following command: aaa authorization exec .

Thanks Neno and Peter for keep the thread/discussion updated.

~Jatin

I have video demo at

https://supportforums.cisco.com/video/12293656/asa-aaa-configuration-acs-authentication-and-authorization

regarding this. If the video is not clear, you can also try

http://www.youtube.com/watch?v=p7HIsGUdOzo

Hi Tharaka,

 

Thank you for video. I have a question though. I try to setup ACS in VMware, which was success. But at time to time it cannot access via web. Ping is fine from both side. 

 

Can you help me out there.

 

 

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars


Miss a previous ISE webinar?
Never miss one again!

CiscoISE on YouTube