cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Announcements

This community is for technical, feature, configuration and deployment questions.
For production deployment issues, please contact the TAC! We will not comment or assist with your TAC case in these forums.
Please see How to Ask the Community for Help for other best practices.

26827
Views
65
Helpful
12
Replies
Scott Pickles
Enthusiast

Login to ASA with Enable Mode

I've seen some posts on the forum regarding the use of AAA to login to an ASA in enable mode.  I'm using a Server 2008 R2 NPS server, and I can successfully login.  However, I'm using the NPS server to send back the Cisco AV-pair for 'priv-lvl=15'.  I am expecting to login to the ASA and be in enable mode.  I have seen other posts reference TACACS+, but we don't have ACS.  Is TACACS+ a requirement for this?  I remember reading in some other forums that it's a security feature on the ASA to not allow logging in directly to the enable mode.

Regards,
Scott

2 ACCEPTED SOLUTIONS

Accepted Solutions
Richard Burts
Hall of Fame Guru

Scott

I believe that you are correct that it is a security feature of the ASA that it will not allow you to login to the ASA and go directly to enable mode. I believe that this is the behavior whether the authentication servers uses TACACS or any other authentication protocol.

HTH

Rick

HTH

Rick

View solution in original post

This works for local accounts only on the ASA, you cannot getting into enable mode directly via SSH using Radius or LDAP.  This is because this is a security device.

View solution in original post

12 REPLIES 12
Richard Burts
Hall of Fame Guru

Scott

I believe that you are correct that it is a security feature of the ASA that it will not allow you to login to the ASA and go directly to enable mode. I believe that this is the behavior whether the authentication servers uses TACACS or any other authentication protocol.

HTH

Rick

HTH

Rick

View solution in original post

Hi,

Actually it is possible - i can't be sure if it is the new version of ASA that allows it.

I am running asa916-k8.bin on 5510

 

The command is aaa authorization exec LOCAL auto-enable

 

When I ssh to my ASA, I enter my username and password and I am at priv exec mode straight away.

Try it and let me know.

Ravi L

Ravi L

 

That is an interesting development. Thanks for letting us know that the behavior of ASA has changed.

 

HTH

 

Rick

HTH

Rick

This works for local accounts only on the ASA, you cannot getting into enable mode directly via SSH using Radius or LDAP.  This is because this is a security device.

View solution in original post

Works fine with ssh with Tacacs authentication!

The command you need for ssh against tacacs to work is:
aaa authorization exec authentication-server auto-enable

That is correct, For all the years ASA dev team would not entertain to add this feature but finally they made the change beginning code 9.2.1 where they introduced the "Auto-enable" command

 

aaa authorization exec { authentication-server | LOCAL } [ auto-enable ]

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/a1.html

 

 

auto-enable

Enables administrators who have sufficient authorization privileges to enter privileged EXEC mode by entering their authentication credentials once.


aaa authorization exec { authentication-server | LOCAL } [ auto-enable ]


too bad this does not seem to work with pubkey authentication

(trying on Version 9.1(6) )

 

Pretty sure the answer saying its not possible is wrong

no dear you are wrong, just tried it and it is awesome, before that from console it would log into enable mode, but not from ssh, and the enable password would always be wrong for some reason. Until ACS is connected this is great!

camejia
Participant

Hello Scott,

Confirming Richard statement from AAA perspective. The ASA will not allow you to get directly into Enable Mode when returning Privilege Level 15. The feature is only implemented on IOS devices. The ASA is considered a security device and it will not put you directly on Enable Mode as IOS does.

Regards.

 

 

 

Create
Recognize Your Peers
Content for Community-Ad

ISE Webinars



Did you miss a previous ISE webinar?

CiscoISE YouTube Channel