PIX Authorization issue

networker99 (Level 1)

Using AAA on a PIX, authentication works fine and the AAA user has full rights over PIX, but aaa authorization always fails when going into conf t


15 Replies

Jatin Katyal (Cisco Employee)

Hi,

If this is an ACS user, you need to add this on ACS:

Under Shared Profile Components > Shell Command Authorization Set, type "configure" under unmatched commands, type "permit terminal" under the permit unmatched args, make sure this has been applied to the user or group, and then try again.

HTH

JK

Plz rate helpful posts-

~Jatin

Access is still denied. The restricted group works (unable to get into enable mode), but the full access group can get into enable mode but not conf t.

Hi,

For the full group you just need to do this:

Under Shared Profile Components > Shell Command Authorization Set, select the "permit" radio button.

If that doesn't work, please send screenshots of the full access command set.

HTH

JK

Plz rate helpful posts.

~Jatin

The issue seems to be with command authorization. It would have been better if the running config had been included in the original post.

What message do you see in the ACS failed attempts?

Anyway, please apply the command set (the one that allows all commands) at the user level instead of the group level.

or

Check the failed attempts and see which group you are a part of, then apply the command set to that group.

Good luck!

Regards,

~JG

Do rate helpful posts


Where in ACS can I see failed authorization messages?

Reports and Activity --> Failed Attempts


In the log my username shows up as "enable_15"?? and it says user unknown?

Accepted Solution

Hi,

This happens when we have command authorization enabled on the ASA and try to run any level 15 command on the ASA.

Please check the ASA configuration and see if you are missing this command:

aaa authentication enable console LOCAL

On the ACS, make sure that the enable privilege level is level 15.

HTH

JK

Plz rate helpful posts-

~Jatin

What will this command do? Does it make me use my own individual enable password?

This command is needed to make command authorization work.

Yes, you can set your own enable password.

Regards,

~JG

The same issue was reported some time back as well.

Make sure you have enable authentication:

aaa authentication ssh console TACACS LOCAL

aaa authentication telnet console TACACS LOCAL

aaa authentication enable console TACACS LOCAL

aaa authorization command TACACS LOCAL

In case it does not work, please get the AAA config.

Regards,

~JG

Do rate helpful posts
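The failure in this thread (conf t denied, the failed attempt logged as user "enable_15", user unknown) comes from turning on TACACS+ command authorization without authenticating the enable step, and the four aaa lines JG lists above are the fix. The script below is an added example, not from the thread and not Cisco tooling: it parses the aaa authentication / aaa authorization lines out of an ASA running-config excerpt and reports that gap, plus the missing-LOCAL-fallback caveat a practitioner would want before enabling command authorization remotely. The two config excerpts and the server address 192.0.2.10 are constructed for the example; the regular expressions only recognise the plain command forms shown in the thread.

```python
import re

# Constructed sample ASA running-config excerpts (not from the thread).
# The first reproduces the thread's failure mode: command authorization is
# on, but nothing authenticates the enable step, so the ASA authorizes
# "conf t" as the placeholder user "enable_15" and ACS reports user unknown.
CONFIG_MISSING_ENABLE_AUTH = """\
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 192.0.2.10
aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authorization command TACACS LOCAL
"""

# The set JG lists in the thread, with enable authentication present.
CONFIG_COMPLETE = """\
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 192.0.2.10
aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authorization command TACACS LOCAL
"""

# "aaa authentication <service> console <group> [LOCAL]"
AUTHN_RE = re.compile(r"^aaa authentication (\S+) console (\S+)(?:\s+(LOCAL))?\s*$")
# "aaa authorization command <group> [LOCAL]"
AUTHZ_RE = re.compile(r"^aaa authorization command (\S+)(?:\s+(LOCAL))?\s*$")


def parse_aaa(config):
    """Return (authn, authz).

    authn maps service name -> (server group, has LOCAL fallback);
    authz is (server group, has LOCAL fallback) or None when command
    authorization is not configured at all.
    """
    authn = {}
    authz = None
    for raw in config.splitlines():
        line = raw.strip()
        m = AUTHN_RE.match(line)
        if m:
            authn[m.group(1)] = (m.group(2), m.group(3) is not None)
            continue
        m = AUTHZ_RE.match(line)
        if m:
            authz = (m.group(1), m.group(2) is not None)
    return authn, authz


def check_command_authz(config):
    """Return a list of findings; an empty list means the AAA lines are consistent."""
    authn, authz = parse_aaa(config)
    findings = []
    if authz is None:
        # Command authorization is off, so none of the checks below apply.
        return findings
    authz_group, authz_local = authz
    server_based = authz_group != "LOCAL"
    if server_based and "enable" not in authn:
        findings.append(
            "command authorization uses %s but no 'aaa authentication enable console' "
            "is configured: privileged commands will be authorized as user 'enable_15'"
            % authz_group
        )
    if server_based and not authz_local:
        findings.append(
            "'aaa authorization command %s' has no LOCAL fallback: if the server is "
            "unreachable, no privileged command can be authorized" % authz_group
        )
    for svc in ("ssh", "telnet"):
        if svc in authn and authn[svc][0] != "LOCAL" and not authn[svc][1]:
            findings.append(
                "'aaa authentication %s console %s' has no LOCAL fallback"
                % (svc, authn[svc][0])
            )
    return findings


if __name__ == "__main__":
    for name, cfg in (("missing enable auth", CONFIG_MISSING_ENABLE_AUTH),
                      ("complete", CONFIG_COMPLETE)):
        print(name + ":", check_command_authz(cfg) or ["ok"])
```

Run it against `show running-config aaa` output pasted into a file before turning on `aaa authorization command`, and, as Jatin says above, keep a second session open while you test so a wrong command set cannot lock you out.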

Yes, if you have a separate enable password configured on the ACS, it will let you use that. But I would also suggest you keep your current session open and try from a duplicate session... just a back door entry.

HTH

JK

Plz rate helpful posts-

~Jatin