Privilege level 15 to ASA cli administrator via Radius

ds6123
Level 1

Hello Friends!

Is this supported yet on the ASA?  I want to be able to have radius assign privilege levels to firewall cli administrators.

Upon login, I'd like them to be immediately placed into "enabled mode" (without needing to know the local enable password).  I believe we can set the maximum privilege level the user can attain.  But for now, I simply want to have everyone go into priv level 15 without having to know the shared enable secret password.  Switching to tacacs isn't an option.

I remember finding out a while back that this was not possible.  Please tell me this is now possible.  It's almost 2013.

4 Replies

Marcin Latosiewicz
Cisco Employee

There is an enhancement request somewhere around for ASA and FWSM to allow authorization on login (although it might be phrased differently).

AFAIU 9.0 still has this ... limitation or feature (depends who you ask).

I believe once you log in, you can enter the "login" command, provide the same username and password, and this time authorization will be performed (i.e. your priv-lvl will actually be processed).

Thanks Marcin!

Very interesting.  Now that you mention it, I do remember seeing someone use the login command after they had already logged in.  That's what they must have been doing.  I wonder what the thought process was in developing it this way.

I suppose a few different ways around this are (since not everyone will know of this odd behavior and I'm not the only one logging in) to configure radius to authenticate users and then either:

1.  Configure a MOTD banner that says "ATTENTION:  Type the command 'login', followed by your regular credentials AGAIN to be put into enable mode."

or

2.  Configure a MOTD banner that says "ATTENTION:  To gain enable mode privileges, type the command 'enable', followed by the password cisco.".

Horrible idea?  Thoughts?

// example of the second 'login' command working:

ssh admin@10.101.250.254
admin@10.101.250.254's password:

Warning!
Warning!

Type help or '?' for a list of available commands.

fw1> ?
  clear       Reset functions
  enable      Turn on privileged commands
  exit        Exit from the EXEC
  help        Interactive help for commands
  login       Log in as a particular user
  logout      Exit from the EXEC
  no          Negate a command or set its defaults
  ping        Send echo messages
  quit        Exit from the EXEC
  show        Show running system information
  traceroute  Trace route to destination

fw1> login
Username: admin
Password: *********
fw1#

fw1# sh run username
username admin password encrypted privilege 15

If you are a priv15 user:

Type the command 'enable', followed by your regular password AGAIN to be put into enable mode

which is one step shorter

Peter,

That actually might depend on whether you have enable authentication configured.

Also on the objectives (i.e. what will be visible in accounting records after performing the "enable" command).

M.
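An added configuration example, not taken from any post in this thread, showing the AAA pieces the replies talk about: RADIUS authentication for SSH, exec authorization so the RADIUS-assigned priv-lvl is honoured, and enable authentication (the setting Marcin refers to) so that "enable" asks for the user's own RADIUS password instead of the shared enable secret. The server address, shared secret, usernames and passwords are placeholders, and the FreeRADIUS users entry is a constructed sample.

```cisco
! ===== ASA side (assumed server address and key) =====
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.0.2.10
 key <radius-shared-secret>
!
! Authenticate SSH logins against RADIUS, falling back to the local database.
aaa authentication ssh console RADIUS LOCAL
!
! Apply the priv-lvl returned by the RADIUS server to the EXEC session.
! Without this the session lands in user EXEC (fw1>) even for a privilege-15
! user, which is what forces the second "login" shown in the thread.
aaa authorization exec authentication-server
!
! Make "enable" prompt for the user's own RADIUS password rather than the
! shared enable secret; this removes the need to publish that secret in a
! banner and keeps the individual username in the accounting records.
aaa authentication enable console RADIUS LOCAL
!
! Local fallback account so a RADIUS outage does not lock administrators out.
username admin password <local-password> privilege 15
!
! Later ASA releases (9.2 and up, not the 9.0 discussed here) add an
! auto-enable keyword that places a privilege-15 user directly into
! privileged EXEC at login:
!   aaa authorization exec authentication-server auto-enable

# ===== FreeRADIUS side: entry in the "users" file (constructed sample) =====
# Service-Type NAS-Prompt-User marks an administrative shell login;
# the Cisco VSA carries the privilege level the ASA applies.
netadmin  Cleartext-Password := "<user-password>"
          Service-Type = NAS-Prompt-User,
          Cisco-AVPair = "shell:priv-lvl=15"
```

After the change, "show curpriv" on the ASA confirms the level the session actually received, and a RADIUS outage still leaves the LOCAL fallback usable.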
