TCC_2

Core issue

After authenticating to an ASA through an Authentication, Authorization, and Accounting (AAA) server, CLI users land in user EXEC mode instead of going directly into enable (privileged EXEC) mode.

Resolution

This happens because the ASA does not act on the cisco-avpair = "shell:priv-lvl=15" attribute that IOS routers and switches use to drop a user straight into privileged EXEC mode. The attribute is ignored, so the user is placed in user EXEC mode regardless of what the server returns.

The ASA supports AAA exec authorization starting in ASA version 8.0(2). The aaa authorization exec authentication-server command enables this feature; once it is configured, the ASA requests the user's privilege level from the authentication server after a successful login.

ASA versions earlier than 8.0(2) do not support this functionality, so it cannot be configured with either TACACS+ or RADIUS. The workaround on those versions is to switch manually from user mode to enable mode with the enable command.

Comments
kussriva

Hi,

The exec authorization implementation is a bit different on the ASA than on routers and switches. On routers and switches, with exec authorization we can configure a user to fall into exec mode directly by assigning a privilege level from the authentication server itself. For RADIUS this can be done by using cisco-avpair = "shell:priv-lvl=<level>", with the level you want to assign.

However, the ASA still doesn't understand the "shell:priv-lvl" attribute. So if you configure shell authorization on the ASA, you can limit the CLI access by pushing certain attributes.

If you push the RADIUS attribute "Service-Type = Administrative", you would have full access to the CLI and the ASDM. If you push "Service-Type = NAS-Prompt", you would have access to the ASDM but no access to the CLI.

But for this we should have configured the "enable authentication".

For the TACACS+ protocol, only if you have the "Shell" option checked will the user be able to authenticate.

Regards,

Kush
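The following ASA configuration is an added example that illustrates both the Resolution above and the attribute behaviour described in the comment; it is not taken from the original document or from either commenter. It assumes an ASA running 8.0(2) or later, a TACACS+ server at 10.1.1.10 reachable through the interface named "inside", and a shared secret of "s3cret"; all three are placeholders. The server-side attributes named in the comments are the ones the ASA documentation lists for exec authorization.

```cisco
! Added example, not part of the original page. Server address, interface
! name and key are assumptions.

! 1. AAA server group used for management access
aaa-server MGMT-TACACS protocol tacacs+
aaa-server MGMT-TACACS (inside) host 10.1.1.10
 key s3cret

! 2. Authenticate SSH logins against the group, with LOCAL as a fallback so
!    a server outage does not lock administrators out
aaa authentication ssh console MGMT-TACACS LOCAL

! 3. Enable authentication is the prerequisite the comment refers to: without
!    it the user always lands in user EXEC and "enable" asks for the local
!    enable password
aaa authentication enable console MGMT-TACACS LOCAL

! 4. Exec authorization (8.0(2) and later): after a successful login the ASA
!    asks the server for the user's privilege level instead of assuming 1.
!    What the ASA reads from the server:
!      TACACS+ : the shell service must be granted and priv-lvl set (e.g. 15)
!      RADIUS  : Service-Type 6 (Administrative) = full access;
!                Service-Type 7 (NAS-Prompt) = restricted access;
!                cisco-avpair "shell:priv-lvl=15" is ignored on the ASA
aaa authorization exec authentication-server

! 5. Only on 9.2(1) and later (not covered by this page): adding auto-enable
!    places a user authorized at privilege 15 directly into enable mode.
!    Leave it commented out on older releases, where it is not accepted.
! aaa authorization exec authentication-server auto-enable
```

To check the outcome, log in over SSH and run "show curpriv": it prints the privilege level the ASA actually assigned, which is what the enable prompt behaviour depends on. Keep the LOCAL fallback and a configured enable password until the server-side attributes are confirmed, otherwise a misconfigured shell profile can lock every administrator out of privileged EXEC.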

plao

Hi:

Sorry, but I am not sure if I understand this correctly: when using the aaa authorization exec authentication-server command on an ASA running 8.0(2) or a later release, will the ASA still not understand the cisco-avpair = "shell:priv-lvl=15" attribute?

Or did I misunderstand it?

Thanks
