06-12-2007 03:10 PM - edited 03-10-2019 03:12 PM
I have AAA authentication working on our PIX and Switches with a backend Cisco ACS server. I'm able to login via Cisco Radius in enable mode on the Cat switches. Problem I have is I'm not sure of what is required to go right into enable mode on the Pix's/ASA's so that I don't have to type in the enable password when logging into the PIX. Here is the command I use on the Switches which automatically puts me into enable mode when I login successfully with Cisco ACS Radius LDAP authentication.
aaa new-model
!
aaa authentication login CiscoACS group radius local
!
aaa authorization exec CiscoACS group radius local if-authenticated
!
line vty 0 15
authorization exec CiscoACS
login authentication CiscoACS
Does anyone know what is the command I can use that would allow me to get authorization exec on a PIX or ASA 5505?
06-12-2007 03:25 PM
Hi,
PIX/ASA works in a different way than IOS devices do.
What you seek is not possible. We do not have something as EXEC authorization on PIX/ASA, so we cannot go directly into enable/privileged mode.
Reason for this is, under normal circumstances, the AAA server could reply to the initial authentication/authorization request with "priv-lvl", and the user's session would assume this level, without having to enter any additional commands (like
But such a feature is not available on PIX/ASA.
Regards,
Prem
06-15-2015 01:28 PM
Hi,
Actually it is possible - I can't be sure if it is the new version of ASA that allows it.
I am running asa916-k8.bin on 5510
The command is aaa authorization exec LOCAL auto-enable
Ravi L
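Added example, not from any poster in this thread: an ASA-side counterpart to the switch configuration in the question, using the auto-enable keyword from the last reply with the RADIUS server as the authorization source instead of LOCAL. The server group name CiscoACS, the interface name inside, the address 192.0.2.10 and the key are placeholders, and it assumes an ASA release that accepts auto-enable (the reply above reports asa916-k8.bin).

```text
! Define the RADIUS server group (placeholder name, interface, address and key)
aaa-server CiscoACS protocol radius
aaa-server CiscoACS (inside) host 192.0.2.10
 key <shared-secret>
!
! Authenticate SSH logins against the server group, falling back to LOCAL
! only when the server is unreachable
aaa authentication ssh console CiscoACS LOCAL
!
! Keep the enable password path server-backed for users who are not auto-enabled
aaa authentication enable console CiscoACS LOCAL
!
! Apply management authorization from the same server that authenticated the
! user, and place sufficiently privileged users straight into privileged EXEC
aaa authorization exec authentication-server auto-enable
```

With auto-enable there is no second password prompt, so the privilege a session receives depends entirely on what the AAA server returns for that user. Limit which ACS groups are granted administrative access, and keep the LOCAL fallback accounts few and strongly protected.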