cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
13921
Views
0
Helpful
2
Comments
TCC_2
Level 10
Level 10

Core issue

The Authentication, Authorization, and Accounting (AAA) clients fail to directly log into enable mode after authentication on an ASA.

Resolution

This issue occurs because the ASA does not understand the cisco-avpair = "shell:priv-lvl=15" attribute.

The ASA supports AAA Exec Authorization functionality starting from ASA version 8.0(2).The command aaa authorization exec authentication-server can be used to configure this feature.

ASA versions earlier to 8.0(2) does not support this functionality and so it cannot be configured with TACACS or RADIUS. The workaround is to manually switch from the user mode to the enable mode.

Comments
kussriva
Level 1
Level 1

Hi,

The exec authorization implementation is a bit different in the ASA than in the Router/Switches. In the routers and switches, with the exec authorization we can configure a user to fall into the exec mode directly by assigning a privilege level from the authentication server itself. For radius this can be done by using cisco-avpair = "shell:priv-lvl=" the level you want to assign.

However ASA still doesn't understand the "shell:priv-lvl" attribute. So if you configure Shell authorization on the ASA, you can limit the CLI access by pushing certain attributes.

If you push the radius attribute "Service-type =Administrative" you would have full access on the CLI and the ASDM.If you push the "Service-type=NAS-Prompt" you would have access to the ASDM but no access to the CLI.

But for this we should have configured the "enable authentication".

For Tacacs protocol, if you have the option for "Shell" checked only then user would be able to authenticate.

Regards,

Kush

plao
Cisco Employee
Cisco Employee

Hi:

Sorry but I am not sure if I understand this correctly, so using the aaa authorization exec authentication-server command on the ASA running 8.0(2) or later release, the ASA will still not understand the cisco-avpair = "shell:priv-lvl=15" attribute?

Or did I mis-understood it?

Thanks

Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: