10-11-2011 12:42 PM - edited 03-10-2019 06:28 PM
Hi,
I have a requirement to fall back to local accounts when ACS is down. These accounts will have specific privilege levels. I have two local users - adminro and adminrw.
adminro is read only and will have a privilege level of 7.
adminrw is a full access account with a priv level of 15.
I can login with adminro when ACS is down, but when I attempt to enable using "enable 7" I receive the following output:
PPD-ELPUF5/pri/act> en 7
Enabling to privilege levels is not allowed when configured for
AAA authentication. Use 'enable' only.
If I login using "enable", my read only account now has full configuration access which is not desirable.
My AAA configuration is as follows:
aaa authentication ssh console ADMIN LOCAL
aaa authentication enable console ADMIN LOCAL
aaa authentication http console ADMIN LOCAL
aaa authentication telnet console ADMIN LOCAL
aaa authentication serial console ADMIN LOCAL
aaa authorization command ADMIN LOCAL
aaa accounting ssh console ADMIN
aaa accounting command privilege 15 ADMIN
aaa accounting enable console ADMIN
aaa accounting serial console ADMIN
aaa accounting telnet console ADMIN
aaa authorization exec authentication-server
username adminro password <REMOVED> encrypted privilege 7
username adminrw password <REMOVED> encrypted privilege 15
enable password <REMOVED> level 7 encrypted
enable password <REMOVED> encrypted
Is there any way to enable the user or automatically elevate the user to privilege 7 post login like you can with a router? I cannot have the adminro account be able to run configuration commands on the device. Running ASA version 8.2(3).
Thanks!
10-12-2011 04:19 AM
Hi,
I think only enable will drop you into the privilege level you have configured for that particular user...
try doing sh privilege once you have logged in using that particular username and after enable.
HTH,
Smitesh
10-12-2011 10:08 AM
Thanks for the reply.
I performed a "show curpriv" and here are the results:
PPD-ELPUF5/pri/act# sh curpriv
Username : adminro
Current privilege level : 7
Current Mode/s : P_PRIV
Looks good, however, I can still run priv 15 commands such as "conf t".
PPD-ELPUF5/pri/act# conf t
PPD-ELPUF5/pri/act(config)#
Here are the local privilege levels I've configured....
PPD-ELPUF5/pri/act(config)# sh run privilege
privilege cmd level 7 mode exec command show
privilege cmd level 7 mode exec command ping
privilege cmd level 7 mode exec command traceroute
So at this point, the right privilege level is being used but I'm wondering why I'm able to run commands higher than level 7?
Thanks!
10-12-2011 11:49 AM
Yup, he would still be able to go into conf t mode, however he would not be able to do any config changes or new configs.
try editing an existing routing protocol to check if it has the privilege level to do so or not.
Regards,
Smitesh
10-12-2011 12:05 PM
PPD-ELPUF5/pri/act# sh curpriv
Username : adminro
Current privilege level : 7
Current Mode/s : P_PRIV
Server Group: ADMIN
Server Protocol: tacacs+
Server Address: 1.150.1.80
Server port: 49
Server status: FAILED, Server disabled at 15:02:37 EDT Wed Oct 12 2011
Number of pending requests 0
Average round trip time 2ms
Number of authentication requests 38
Number of authorization requests 373
Number of accounting requests 149
Number of retransmissions 0
Number of accepts 307
Number of rejects 19
Number of challenges 0
Number of malformed responses 0
Number of bad authenticators 0
Number of timeouts 234
Number of unrecognized responses 0
PPD-ELPUF5/pri/act(config)# name 1.1.1.1 TEST description TEST CHANGE
PPD-ELPUF5/pri/act(config)# sh run name
name 1.1.1.1 TEST description TEST CHANGE
As you can see above, my user was able to perform a change even though it should not be allowed.
PPD-ELPUF5/pri/act(config)# sh run privilege
privilege cmd level 7 mode exec command show
privilege cmd level 7 mode exec command ping
privilege cmd level 7 mode exec command traceroute
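The thread ends without a resolution, so the following is an added example (not code from the thread or from Cisco) that models what ASA LOCAL command authorization should decide for the two local users given the posted `privilege` and `username` lines. The rule it implements is the documented one: a command is permitted when the user's privilege level is at least the level assigned to the command. It assumes that any command with no explicit `privilege` line keeps the ASA default of level 15 (the constant `DEFAULT_LEVEL`), and the `SAMPLE_CONFIG` text is a constructed fragment modelled on the configuration in the first post, with placeholder passwords. It shows what adminro should and should not have been able to run; it does not explain why the poster's ASA accepted `name` at level 7.

```python
import re
from dataclasses import dataclass, field

# Constructed sample, modelled on the configuration posted in the thread.
# Passwords are placeholders; only the lines relevant to authorization are kept.
SAMPLE_CONFIG = """\
aaa authentication ssh console ADMIN LOCAL
aaa authentication enable console ADMIN LOCAL
aaa authorization command ADMIN LOCAL
aaa authorization exec authentication-server
username adminro password <REMOVED> encrypted privilege 7
username adminrw password <REMOVED> encrypted privilege 15
privilege cmd level 7 mode exec command show
privilege cmd level 7 mode exec command ping
privilege cmd level 7 mode exec command traceroute
"""

# Assumption: a command with no explicit 'privilege' line keeps the ASA default,
# which is 15 for configure and almost everything else. A level-7 user should
# therefore be refused 'configure' unless somebody has lowered that level.
DEFAULT_LEVEL = 15

PRIV_RE = re.compile(r"^privilege (show|clear|cmd) level (\d+)(?: mode (\S+))? command (\S+)$")
USER_RE = re.compile(r"^username (\S+) .*privilege (\d+)$")
CMD_AUTHZ_RE = re.compile(r"^aaa authorization command (\S+)(?: (\S+))?$")


@dataclass
class PrivilegeTable:
    levels: dict = field(default_factory=dict)      # (type, command) -> required level
    users: dict = field(default_factory=dict)       # username -> privilege level
    cmd_authz: list = field(default_factory=list)   # methods for command authorization, in order


def parse_config(text):
    """Pull privilege, username and command-authorization lines out of a config fragment."""
    table = PrivilegeTable()
    for raw in text.splitlines():
        line = raw.strip()
        if (m := PRIV_RE.match(line)):
            kind, level, _mode, command = m.groups()
            table.levels[(kind, command)] = int(level)
        elif (m := USER_RE.match(line)):
            table.users[m.group(1)] = int(m.group(2))
        elif (m := CMD_AUTHZ_RE.match(line)):
            table.cmd_authz = [g for g in m.groups() if g]
    return table


def required_level(table, kind, command):
    """Level a user needs for this command; unlisted commands keep DEFAULT_LEVEL."""
    return table.levels.get((kind, command), DEFAULT_LEVEL)


def is_allowed(table, user, kind, command):
    """LOCAL command authorization: permitted iff user level >= command level."""
    return table.users[user] >= required_level(table, kind, command)


def local_fallback_configured(table):
    """True when command authorization lists LOCAL after the server group."""
    return len(table.cmd_authz) >= 2 and table.cmd_authz[-1] == "LOCAL"


def audit(table, commands):
    """Map each local user to the commands (from 'commands') the model would permit."""
    return {
        user: [f"{kind} {cmd}" for kind, cmd in commands if is_allowed(table, user, kind, cmd)]
        for user in table.users
    }


if __name__ == "__main__":
    table = parse_config(SAMPLE_CONFIG)
    # 'configure' and 'name' are the two commands adminro ran in the thread.
    probe = [("cmd", "show"), ("cmd", "ping"), ("cmd", "configure"), ("cmd", "name")]
    print("LOCAL fallback for command authorization:", local_fallback_configured(table))
    for user, allowed in audit(table, probe).items():
        print(f"{user} (level {table.users[user]}): {', '.join(allowed) or 'nothing'}")
```

Running it prints adminro as limited to `show` and `ping` and adminrw as permitted everything probed. If a real box answers differently at level 7, the first thing to compare is `show running-config all privilege`, which lists the effective level of every command including the defaults this model only assumes.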