09-17-2017 05:17 PM - edited 03-08-2019 12:04 PM
new features in version 9.1(5) released March 31, 2014
Improved one-time password authentication
Administrators who have sufficient authorization privileges may enter privileged EXEC mode by entering their authentication credentials once.
The auto-enable option was added to the aaa authorization exec command.
We modified the following command: aaa authorization exec.
I have an ASA-5505 (not X) running 9.1(7), configured as follows:
aaa authentication enable console LOCAL
aaa authentication serial console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
username someone password ... encrypted privilege 15
username attributes
ssh authentication publickey ... hashed
so I added:
aaa authorization exec LOCAL auto-enable
It does not work, either when logging in from OpenSSH with a password or with my key.
The ASA does not automatically enter priv mode: I have to type enable every time,
and if I log in with my key and then type enable, the ASA requests my password instead of my key.
PS: this new *lithium* site is totally crap
09-17-2017 11:57 PM
Hello,
according to the command reference, you need at least 9.2(1) to make this command work:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa-command-reference/A-H/cmdref1/a1.html
09-18-2017 11:58 AM
Thanks for your reply, Georg.
Yes, I was aware that the command reference states 9.2(1) as the release in which the auto-enable option was added, but it is not correct, since I am running 9.1(7) and I already have this option present. There's an entry in the release notes for 9.1(5) also stating that this option was added, more specifically on page 6. It isn't the first time I have encountered this kind of inconsistency in the documentation. I can hardly believe this option was intentionally added to 9.1(5) (and mentioned in the release notes) without actually doing anything at all, but this is just my opinion on the matter. There are some weird things going on with new features; e.g. the ssh cipher encryption and ssh cipher integrity commands are available on 9.1 but not on 9.2 (the final release for the ASA-5505), which is the only reason I am still running 9.1(7) and not 9.2(4), which comes with the updated OpenSSL 1.0.1e.
PS: I mistakenly posted this on the "LAN Switching & Routing" forum ... can someone move it to the "Firewalling" forum?