Bypass EXEC Mode when login in SSH for ASA 8.4(2)

ckhoodanny
Level 1

Hi All,

I would like to check with you all: is anyone able to access the Cisco ASA 8.4(2) CLI without the need to enter the enable password?

Currently it's configured with TACACS access for CLI and ASDM.

For ASDM we have no issue and are able to access and make changes directly when entering our own TACACS credentials.

However, for the CLI we would need to type "enable" and also the enable password once logged in.

Is there any way we could skip the EXEC mode and access the PRIVILEGE mode directly?

Many thanks for your help!

Current Config:

aaa-server xxxx protocol tacacs+
aaa-server xxxx (management) host xxxx

Regards,

Danny

Accepted Solution

Jatin Katyal
Cisco Employee

Unfortunately, ASA does not support AAA Exec Authorization functionality yet, so it cannot be configured with TACACS or RADIUS to jump directly to privilege exec mode. We need to go through with enable authentication like this:

===================
ASA:Username: *****
ASA:Password: *****
ASA:>enable
Password: ****
===================

This is because the ASA does not understand the cisco-avpair="shell:priv-lvl=15" attribute.

The ASA does not support AAA Exec Authorization functionality yet, so it cannot be configured with TACACS or RADIUS.

The workaround for this issue is to manually switch from the user mode to the enable mode.

This is only supported in IOS (Routers/Switches).

Regards,

Jatin Katyal


- Do rate helpful posts -

~Jatin

7 Replies


Thanks a lot jkatyal!

Now I understand. Hope this helps others as well...

Things have changed. (-:

ASA now understands

         cisco-av-pair = priv-lvl=15

When I log in to my ASA 9.1(5), I land directly on privilege exec mode.

Peter is correct! In addition, 9.2.1 added another nice little feature that can help you with your problem:

Improved one-time password authentication

Administrators who have sufficient authorization privileges may enter privileged EXEC mode by entering their authentication credentials once. The auto-enable option was added to the aaa authorization exec command.

We modified the following command: aaa authorization exec.

Thanks Neno and Peter for keeping the thread/discussion updated.

~Jatin
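An added configuration example, not taken from the thread, showing the two settings the replies above describe: the pre-9.2 setup where SSH users land in user EXEC and must type "enable", beside the 9.2(1)+ auto-enable option that puts them straight into privileged EXEC. The server-group name, host address and key are placeholders; the TACACS+ shell profile must still return priv-lvl=15 for the user, as Peter's post notes.

```text
! Constructed ASA example (9.2(1) or later); group name, address and key are placeholders
aaa-server TACACS-GRP protocol tacacs+
aaa-server TACACS-GRP (management) host 192.0.2.10
 key <shared-secret>

! Authenticate SSH logins against TACACS+; LOCAL is used only if the group is unreachable
aaa authentication ssh console TACACS-GRP LOCAL

! Pre-9.2 behaviour: users arrive in user EXEC and are prompted again on "enable"
aaa authentication enable console TACACS-GRP LOCAL

! 9.2(1)+: honour the privilege level returned by the server (shell:priv-lvl=15) and
! drop priv-15 users directly into privileged EXEC; users with a lower level still
! land in user EXEC, so the enable line above remains useful for them
aaa authorization exec authentication-server auto-enable
```

Keep the LOCAL fallback user at the same privilege level as the TACACS+ accounts so that a server outage does not silently change who can reach privileged EXEC.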

I have a video demo at

https://supportforums.cisco.com/video/12293656/asa-aaa-configuration-acs-authentication-and-authorization

regarding this. If the video is not clear, you can also try

http://www.youtube.com/watch?v=p7HIsGUdOzo

Hi Tharaka,

Thank you for the video. I have a question though. I tried to set up ACS in VMware, which was successful. But from time to time it cannot be accessed via the web. Ping is fine from both sides.

Can you help me out there?