10-23-2009 05:54 AM - edited 03-10-2019 04:45 PM
Using AAA on a PIX, authentication works fine and the AAA user has full rights over PIX, but aaa authorization always fails when going into conf t
10-23-2009 06:03 AM
Hi,
If this is an ACS user, you need to add this on ACS:
Under shared profile component > shell command authorization set > type
"configure" under unmatched commands, and type permit terminal.
HTH
JK
Plz rate helpful posts-
10-23-2009 07:05 AM
Access is still denied. The restricted group works (unable to get into enable mode), but the full access group can get into enable mode but not conf t.
10-23-2009 07:11 AM
Hi,
For the full group you just need to do this:
Under shared profile component > shell command authorization set > select the radio button permit.
If that doesn't work, please send the screenshots of the full access command set.
HTH
JK
Plz rate helpful posts.
10-23-2009 07:14 AM
The issue seems to be with command authorization. It would have been better if the running config had been included in the original post.
What message do you see on acs failed attempt?
Anyway, please apply the command set (that allows all commands) at user level instead of group level.
or
Check the failed attempts and see which group you are a part of, then apply command set to that group.
Good luck!
Regards,
~JG
Do rate helpful posts
10-23-2009 07:36 AM
Where in ACS can I see failed authorization messages?
10-23-2009 07:40 AM
Reports and activities -->failed attempts
10-23-2009 07:58 AM
In the log my username shows up as "enable_15"?? and it says user unknown?
10-23-2009 08:03 AM
Hi,
This happens when we have command authorization enabled on ASA
and try to run any level 15 command on ASA.
Please check the ASA configuration and see if you are missing this command:
aaa authentication enable console
on the ACS make sure that enable level privilege is level 15
HTH
JK
Plz rate helpful posts-
10-23-2009 08:07 AM
What will this command do? Does it make me use my own individual enable password?
10-23-2009 08:10 AM
This command is needed to make command authorization work.
Yes, you can set your own enable password.
Regards,
~JG
10-23-2009 08:07 AM
The same issue was reported some time back as well.
Make sure you have enable authentication:
aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authorization command TACACS LOCAL
In case it does not work, please get the aaa config.
Regards,
~JG
Do rate helpful posts
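An added example, not code from the thread or from Cisco: a read-only check that parses the aaa lines of an ASA/PIX running config and reports the misconfiguration diagnosed above, command authorization enabled without "aaa authentication enable console", which is what makes privilege-15 commands show up at ACS under the placeholder user enable_15. The sample configs and the server-group name TACACS are constructed.

```python
# Added example, not from the thread: parse "aaa ..." lines from an ASA/PIX
# running config and flag command authorization without enable authentication.

# Constructed config that reproduces the thread's symptom (enable_15 / user unknown).
CONFIG_BROKEN = """\
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 192.0.2.10
aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authorization command TACACS LOCAL
"""

# Same config plus the line the accepted answer asks for.
CONFIG_FIXED = CONFIG_BROKEN + "aaa authentication enable console TACACS LOCAL\n"


def parse_aaa(config: str) -> dict:
    """Map (aaa type, target) -> server list, e.g. ('authorization', 'command') -> ['TACACS', 'LOCAL']."""
    rules = {}
    for line in config.splitlines():
        tok = line.strip().split()
        if len(tok) < 4 or tok[0] != "aaa" or tok[1] not in ("authentication", "authorization"):
            continue
        servers = tok[3:]
        if servers[0] == "console":   # "aaa authentication ssh console TACACS LOCAL"
            servers = servers[1:]
        rules[(tok[1], tok[2])] = servers
    return rules


def check_command_authz(config: str) -> list:
    """Return findings; an empty list means the ASA side has what command authorization needs."""
    rules = parse_aaa(config)
    if ("authorization", "command") not in rules:
        return []   # command authorization is off, so the enable_15 problem cannot occur
    findings = []
    if ("authentication", "enable") not in rules:
        findings.append(
            "aaa authorization command is configured but 'aaa authentication enable console' "
            "is missing: privilege-15 commands are authorized as the placeholder user "
            "enable_15, which the AAA server does not know (the 'user unknown' failed attempt)")
    return findings


if __name__ == "__main__":
    for name, cfg in (("broken", CONFIG_BROKEN), ("fixed", CONFIG_FIXED)):
        print(name, check_command_authz(cfg) or ["ok"])
```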
10-23-2009 08:38 AM
Yes, if you have a separate enable password configured on the ACS, it will let you use that. But I would also suggest you keep your current session open and try from a duplicate session... just a back door entry.
HTH
JK
Plz rate helpful posts-