Buy or Renew
Buy or Renew
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
34611
Views
77
Helpful
14
Replies

Login to ASA with Enable Mode

Go to solution
Scott Pickles
Level 4
Level 4

‎02-01-2012 07:35 AM - edited ‎03-10-2019 06:47 PM

I've seen some posts on the forum regarding the use of AAA to login to an ASA in enable mode.  I'm using a Server 2008 R2 NPS server, and I can successfully login.  However, I'm using the NPS server to send back the Cisco AV-pair for 'priv-lvl=15'.  I am expecting to login to the ASA and be in enable mode.  I have seen other posts reference TACACS+, but we don't have ACS.  Is TACACS+ a requirement for this?  I remember reading in some other forums that it's a security feature on the ASA to not allow logging in directly to the enable mode.

Regards,
Scott

1 person had this problem
Labels:
0 Helpful
2 Accepted Solutions

Accepted Solutions

Go to solution
Richard Burts
Hall of Fame
Hall of Fame

‎02-01-2012 12:59 PM

Scott

I believe that you are correct that it is a security feature of the ASA that it will not allow you to login to the ASA and go directly to enable mode. I believe that this is the behavior whether the authentication servers uses TACACS or any other authentication protocol.

HTH

Rick

HTH

Rick

View solution in original post

0 Helpful

Go to solution
gbanta001
Level 1
Level 1
In response to Richard Burts

‎08-09-2017 12:40 PM

This works for local accounts only on the ASA, you cannot getting into enable mode directly via SSH using Radius or LDAP.  This is because this is a security device.

View solution in original post

0 Helpful
14 Replies 14

Go to solution
Richard Burts
Hall of Fame
Hall of Fame

‎02-01-2012 12:59 PM

Scott

I believe that you are correct that it is a security feature of the ASA that it will not allow you to login to the ASA and go directly to enable mode. I believe that this is the behavior whether the authentication servers uses TACACS or any other authentication protocol.

HTH

Rick

HTH

Rick
0 Helpful

Go to solution
raviluchmun
Level 1
Level 1
In response to Richard Burts

‎06-15-2015 01:34 PM

Hi,

Actually it is possible - i can't be sure if it is the new version of ASA that allows it.

I am running asa916-k8.bin on 5510

 

The command is aaa authorization exec LOCAL auto-enable

 

When I ssh to my ASA, I enter my username and password and I am at priv exec mode straight away.

Try it and let me know.

Ravi L

Go to solution
Richard Burts
Hall of Fame
Hall of Fame
In response to raviluchmun

‎06-16-2015 06:09 AM

Ravi L

 

That is an interesting development. Thanks for letting us know that the behavior of ASA has changed.

 

HTH

 

Rick

HTH

Rick
0 Helpful

Go to solution
gbanta001
Level 1
Level 1
In response to Richard Burts

‎08-09-2017 12:40 PM

This works for local accounts only on the ASA, you cannot getting into enable mode directly via SSH using Radius or LDAP.  This is because this is a security device.

0 Helpful

Go to solution
kskhanna
Level 4
Level 4
In response to gbanta001

‎08-09-2017 07:56 PM

Works fine with ssh with Tacacs authentication!

0 Helpful

Go to solution
j-sutterfield
Level 1
Level 1
In response to gbanta001

‎02-13-2019 08:57 AM

The command you need for ssh against tacacs to work is:
aaa authorization exec authentication-server auto-enable

Go to solution
kskhanna
Level 4
Level 4
In response to raviluchmun

‎08-17-2015 12:04 PM

That is correct, For all the years ASA dev team would not entertain to add this feature but finally they made the change beginning code 9.2.1 where they introduced the "Auto-enable" command

 

aaa authorization exec { authentication-server | LOCAL } [ auto-enable ]

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/a1.html

 

 

auto-enable

Enables administrators who have sufficient authorization privileges to enter privileged EXEC mode by entering their authentication credentials once.

Go to solution
Luca Andreucci
Level 1
Level 1
In response to kskhanna

‎10-11-2017 06:38 AM - edited ‎10-11-2017 06:38 AM

aaa authorization exec { authentication-server | LOCAL } [ auto-enable ]

too bad this does not seem to work with pubkey authentication

(trying on Version 9.1(6) )

 

0 Helpful

Go to solution
chambiyal
Level 1
Level 1
In response to raviluchmun

‎10-20-2023 06:59 AM

Thank you Ravi, it works!!

0 Helpful

Go to solution
ashmatash1
Level 1
Level 1
In response to Richard Burts

‎02-08-2018 01:18 PM

Pretty sure the answer saying its not possible is wrong

0 Helpful

Go to solution
Majed Zouhairy
Level 1
Level 1
In response to ashmatash1

‎12-04-2018 11:44 PM

no dear you are wrong, just tried it and it is awesome, before that from console it would log into enable mode, but not from ssh, and the enable password would always be wrong for some reason. Until ACS is connected this is great!

0 Helpful

Go to solution
camejia
Level 3
Level 3

‎02-01-2012 02:05 PM

Hello Scott,

Confirming Richard statement from AAA perspective. The ASA will not allow you to get directly into Enable Mode when returning Privilege Level 15. The feature is only implemented on IOS devices. The ASA is considered a security device and it will not put you directly on Enable Mode as IOS does.

Regards.

0 Helpful

Go to solution
alextomko
Level 1
Level 1
In response to camejia

‎03-06-2019 11:02 AM - edited ‎06-12-2019 12:53 PM

 

 

 

0 Helpful

Go to solution
ccie4297
Level 1
Level 1

‎12-07-2022 06:22 AM

This works with NPS as the RADIUS server to my ASA5545-X as well... just need to do a little policy config on the NPS side.  

aaa authentication enable console NPS_RADIUS LOCAL
aaa authentication ssh console NPS_RADIUS LOCAL
aaa authorization exec authentication-server auto-enable

 

sh ver

Cisco Adaptive Security Appliance Software Version 9.14(4)17

 

0 Helpful
Customers Also Viewed These Support Documents