02-24-2013 11:09 PM - edited 03-10-2019 08:07 PM
Hi All,
I would like to check with you all: is anyone able to access the Cisco ASA 8.4(2) CLI without needing to enter the enable password?
Currently it's configured with TACACS access for CLI and ASDM.
For ASDM we have no issue and are able to access and make changes directly when entering our own TACACS credentials.
However, for the CLI, we need to type "enable" and also the enable password once logged in.
Is there any way we could skip the EXEC mode and access the PRIVILEGED mode directly?
Many thanks for your help!
Current Config:
aaa-server xxxx protocol tacacs+
aaa-server xxxx (management) host xxxx
Regards,
Danny
02-25-2013 11:13 AM
Unfortunately, the ASA does not support AAA Exec Authorization functionality yet, so it cannot be configured with TACACS or RADIUS to jump directly to privilege exec mode. We need to go through enable authentication like this:
===================
ASA:Username: *****
ASA:Password: *****
ASA:>enable
Password: ****
===================
This is because the ASA does not understand the cisco-avpair ="shell:priv-lvl=15" attribute.
The ASA does not support AAA Exec Authorization functionality yet, so it cannot be configured with TACACS or RADIUS.
The workaround for this issue is to manually switch from the user mode to the enable mode.
This is only supported in IOS (routers/switches).
Regards,
Jatin Katyal
- Do rate helpful posts -
03-21-2013 02:15 AM
Thanks a lot jkatyal!
Now I understand. Hope this helps others as well...
08-31-2014 05:21 AM
09-03-2014 08:33 AM
Peter is correct! In addition, 9.2.1 added another nice little feature that can help you with your problem:
Improved one-time password authentication: Administrators who have sufficient authorization privileges may enter privileged EXEC mode by entering their authentication credentials once. The auto-enable option was added to the aaa authorization exec command. We modified the following command: aaa authorization exec.
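An added configuration sketch, not taken from any post in this thread, showing the auto-enable option quoted above on ASA 9.2(1) or later. It reuses the xxxx placeholders and the management interface from the original post; the SSH console authentication line and the LOCAL fallback are assumptions.

```text
! Added example; the xxxx placeholders are from the original post.
aaa-server xxxx protocol tacacs+
aaa-server xxxx (management) host xxxx
!
! Assumption: CLI access is over SSH. Authenticate logins against the
! TACACS+ server group, falling back to the LOCAL database only when
! the server group is unreachable.
aaa authentication ssh console xxxx LOCAL
!
! Without auto-enable: login lands in user EXEC, and "enable" prompts
! for a second authentication against the same server group.
aaa authentication enable console xxxx LOCAL
!
! 9.2(1) and later: management authorization with auto-enable. An
! administrator with sufficient authorization privileges enters
! privileged EXEC after entering credentials once.
aaa authorization exec authentication-server auto-enable
```

Running show curpriv after login displays the current privilege level, which confirms whether the single login landed where the TACACS+ authorization policy intended.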
09-03-2014 09:02 AM
Thanks Neno and Peter for keeping the thread/discussion updated.
09-03-2014 06:22 AM
I have a video demo at
https://supportforums.cisco.com/video/12293656/asa-aaa-configuration-acs-authentication-and-authorization
regarding this. If the video is not clear, you can also try
http://www.youtube.com/watch?v=p7HIsGUdOzo
10-02-2017 02:07 AM
Hi Tharaka,
Thank you for the video. I have a question though. I tried to set up ACS in VMware, which was a success. But from time to time it cannot be accessed via the web. Ping is fine from both sides.
Can you help me out there?
Things have changed. (-:
ASA now understands
cisco-av-pair = priv-lvl=15
When I log in to my ASA 9.1(5), I land directly on privilege exec mode.