12-28-2010 08:16 AM - edited 03-10-2019 05:40 PM
Hi all
I have configured the ASA firewall for command authorization with ACS. For users with privilege level 15 it is working fine. But when I log in with users with privilege level 0, first when I enter the username and password, it enters into enable mode. But after that, when I put in the enable password, it is not working; the password is not working. I configured the "use the same PAP password" option in the ACS enable section for the user. Also, is it possible on the ASA that when a user enters the username and password, he could directly log into exec mode rather than enable mode, and be assigned the privilege configured for the user in the ACS user configuration?
Thanks in advance
Anvar
12-28-2010 08:22 AM
Hi ,
I think that you should add :
aaa authentication enable console
Do you want to have the enable via tacacs ?
You can create a group privilege 15 and deny unwanted commands.
Dan
12-28-2010 08:25 AM
Hi Dan
I have already configured the enable password using TACACS+. Please find my aaa config on the ASA:
aaa authentication telnet console TACACS-SERVER LOCAL
aaa authentication http console TACACS-SERVER LOCAL
aaa authentication ssh console TACACS-SERVER LOCAL
aaa authentication enable console TACACS-SERVER LOCAL
aaa authentication serial console LOCAL
aaa authorization command TACACS-SERVER LOCAL
aaa accounting telnet console TACACS-SERVER
aaa accounting command TACACS-SERVER
aaa accounting ssh console TACACS-SERVER
regards
anvar
12-28-2010 08:32 AM
I think that the problem is that you assign the privilege level 0.
So the user will be able to use only level 0 commands.
I think that the best way will be to set the privilege to 15, and deny/allow commands.
Dan
12-28-2010 08:57 AM
Hi Dan
Thanks man. It works fine for the ASA. But when I applied the same configuration on the FWSM, it works for users with read and write access. But for read-only access users, it shows "command authorization failed". When I enter the username and password it goes to enable mode, but when I enter "enable" it shows "command authorization failed" and does not allow me to enter exec mode. Please help to solve this.
Also, is it possible to enter exec mode directly without enable mode, like on routers and switches?
regards
Anvar
12-28-2010 09:49 AM
Anvar ,
"command authorization failed" tells you that the user has no right to enter that command.
Currently, as far as I know, you cannot directly go to privilege level 15.
Dan
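As an added example (not Anvar's configuration and not part of the original thread), the pattern this discussion converges on: a TACACS+ group with both ACS hosts, command authorization with LOCAL fallback, and local privilege levels that give a low-privilege user a defined read-only command set. Host addresses, the interface name, the shared secret and the username are placeholder assumptions; the `aaa authorization exec authentication-server` line is an assumption about the platform, since it only exists on ASA releases that support it and not on the FWSM.

```cisco
! Added example, not the original poster's configuration.
! Addresses, interface name, secret and username are placeholders.
aaa-server TACACS-SERVER protocol tacacs+
aaa-server TACACS-SERVER (inside) host 192.0.2.10
 key REPLACE_WITH_SHARED_SECRET
aaa-server TACACS-SERVER (inside) host 192.0.2.11
 key REPLACE_WITH_SHARED_SECRET
! The ASA sends requests to the first host in the group that it finds
! reachable, so every host must carry the same command-authorization sets.
! A set that exists only on one server yields "command authorization failed"
! for sessions served by the other (the root cause in this thread).
!
aaa authentication ssh console TACACS-SERVER LOCAL
aaa authentication http console TACACS-SERVER LOCAL
aaa authentication enable console TACACS-SERVER LOCAL
aaa authentication serial console LOCAL
aaa authorization command TACACS-SERVER LOCAL
! Place the user at the privilege level the TACACS+ server returns, instead
! of requiring a separate "enable" step (ASA releases that support this
! command only; the FWSM does not have it).
aaa authorization exec authentication-server
aaa accounting ssh console TACACS-SERVER
aaa accounting command TACACS-SERVER
!
! Local privilege levels used by the LOCAL fallback: a level-3 operator can
! inspect the running config and interface state but cannot change anything,
! because no configure-mode commands are moved down to level 3.
privilege show level 3 mode exec command running-config
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command logging
! Local fallback account at that level, used only when both ACS hosts are down.
username ro-operator password REPLACE_WITH_PASSWORD privilege 3
!
! Verification: which host answered, and what the server returned per command.
show aaa-server TACACS-SERVER
debug aaa authorization
```

Run the two verification commands from a session that reproduces the failure; the server shown as answering is the one whose authorization sets must be checked against the peer.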
12-28-2010 09:56 AM
Thanks Dan
But the same command and user are working fine for the ASA. But for the FWSM, when I put "enable" to get into enable mode it shows the error. I wonder how it is working for the ASA and not for the FWSM.
Regards
Anvar
12-28-2010 10:02 AM
Anvar ,
can you add enable command , on the permit list ?
Dan
12-28-2010 10:38 AM
Can you try a
debug aaa authorization
Dan
12-28-2010 10:47 AM
Dan
Thanks very much Dan. Actually the aaa requests were going to ACS2, and I configured the authorization sets on ACS1. After replication it is working fine. Thanks very much for your support.
Regards
Anvar