Enthusiast

Login to ASA with Enable Mode

I've seen some posts on the forum regarding the use of AAA to login to an ASA in enable mode.  I'm using a Server 2008 R2 NPS server, and I can successfully login.  However, I'm using the NPS server to send back the Cisco AV-pair for 'priv-lvl=15'.  I am expecting to login to the ASA and be in enable mode.  I have seen other posts reference TACACS+, but we don't have ACS.  Is TACACS+ a requirement for this?  I remember reading in some other forums that it's a security feature on the ASA to not allow logging in directly to the enable mode.

Regards,
Scott

12 REPLIES
Hall of Fame Guru

Login to ASA with Enable Mode

Scott

I believe that you are correct that it is a security feature of the ASA that it will not allow you to login to the ASA and go directly to enable mode. I believe that this is the behavior whether the authentication server uses TACACS or any other authentication protocol.

HTH

Rick
Beginner

Hi,

Actually it is possible - I can't be sure if it is the new version of ASA that allows it.

I am running asa916-k8.bin on 5510

The command is aaa authorization exec LOCAL auto-enable

When I ssh to my ASA, I enter my username and password and I am at priv exec mode straight away.

Try it and let me know.

Ravi L

Hall of Fame Guru

Ravi L

That is an interesting development. Thanks for letting us know that the behavior of ASA has changed.

HTH

Rick

Beginner

This works for local accounts

This works for local accounts only on the ASA; you cannot get into enable mode directly via SSH using Radius or LDAP.  This is because this is a security device.

Enthusiast

Works fine with ssh with Tacacs authentication!

Beginner

Re: This works for local accounts

The command you need for ssh against tacacs to work is:
aaa authorization exec authentication-server auto-enable

Enthusiast

That is correct. For all the years the ASA dev team would not entertain adding this feature, but finally they made the change beginning with code 9.2.1, where they introduced the "auto-enable" command:

aaa authorization exec { authentication-server | LOCAL } [ auto-enable ]

http://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/a1.html

auto-enable

Enables administrators who have sufficient authorization privileges to enter privileged EXEC mode by entering their authentication credentials once.
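As an added example that is not from any poster in this thread: a small Python check that reads an ASA running-config and reports whether SSH logins will land in privileged EXEC via auto-enable, and which AAA protocol backs the SSH login (the thread reports auto-enable working with LOCAL and TACACS+ accounts, not with RADIUS/LDAP or public-key logins). The config fragments, server-group name and host address are constructed for the example.

```python
import re

# Constructed ASA running-config fragments for the check (not taken from
# any poster's device).
CFG_LOCAL_AUTO = """\
hostname asa-lab
aaa authentication ssh console LOCAL
aaa authorization exec LOCAL auto-enable
"""
CFG_TACACS_NO_AUTO = """\
hostname asa-lab
aaa-server TAC protocol tacacs+
aaa-server TAC (inside) host 192.0.2.10
aaa authentication ssh console TAC LOCAL
aaa authorization exec authentication-server
"""

# aaa authorization exec { authentication-server | LOCAL } [ auto-enable ]
EXEC_RE = re.compile(
    r"^aaa authorization exec\s+(authentication-server|LOCAL)"
    r"(\s+auto-enable)?\s*$", re.MULTILINE)
SSH_AUTH_RE = re.compile(r"^aaa authentication ssh console\s+(\S+)", re.MULTILINE)
SERVER_PROTO_RE = re.compile(r"^aaa-server\s+(\S+)\s+protocol\s+(\S+)", re.MULTILINE)

# Backends the thread reports auto-enable working with (local accounts, TACACS+).
AUTO_ENABLE_BACKENDS = {"local", "tacacs+"}


def audit_ssh_enable(config: str) -> dict:
    """Describe how SSH admins reach privileged EXEC on this ASA config.

    source:        exec authorization source (LOCAL / authentication-server / None)
    auto_enable:   True when 'auto-enable' is configured
    ssh_protocol:  protocol behind the first 'aaa authentication ssh console' group
    direct_enable: True when, per this thread's reports, an SSH login lands in
                   privileged EXEC without a separate enable password prompt
    """
    exec_m = EXEC_RE.search(config)
    source = exec_m.group(1) if exec_m else None
    auto_enable = bool(exec_m and exec_m.group(2))
    ssh_m = SSH_AUTH_RE.search(config)
    group = ssh_m.group(1) if ssh_m else None
    protocols = dict(SERVER_PROTO_RE.findall(config))  # group name -> protocol
    ssh_protocol = "local" if group == "LOCAL" else protocols.get(group)
    return {
        "source": source,
        "auto_enable": auto_enable,
        "ssh_protocol": ssh_protocol,
        "direct_enable": auto_enable and ssh_protocol in AUTO_ENABLE_BACKENDS,
    }


if __name__ == "__main__":
    for name, cfg in (("local+auto", CFG_LOCAL_AUTO), ("tacacs", CFG_TACACS_NO_AUTO)):
        print(name, audit_ssh_enable(cfg))
```

Feed it the output of `show running-config` to see at a glance whether an SSH session skips the enable step and which backend is authenticating the admin.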

Beginner

doesn't seem to work with pubkey auth

aaa authorization exec { authentication-server | LOCAL } [ auto-enable ]

too bad this does not seem to work with pubkey authentication

(trying on Version 9.1(6) )

Beginner

Re: Login to ASA with Enable Mode

Pretty sure the answer saying it's not possible is wrong.

Beginner

Re: Login to ASA with Enable Mode

No dear, you are wrong. Just tried it and it is awesome. Before that, from console it would log into enable mode, but not from ssh, and the enable password would always be wrong for some reason. Until ACS is connected this is great!

Participant

Login to ASA with Enable Mode

Hello Scott,

Confirming Richard's statement from an AAA perspective. The ASA will not allow you to get directly into Enable Mode when returning Privilege Level 15. The feature is only implemented on IOS devices. The ASA is considered a security device and it will not put you directly in Enable Mode as IOS does.

Regards.

Beginner

Re: Login to ASA with Enable Mode