Hello,

I have an ASA 5515 running 9.8(3)21. I'm using a Win2019 NPAS server for RADIUS. The setup is working fine for authentication for VPN, HTTPS, and SSH.

My NPAS is configured on the ASA as:

aaa-server SB_MGMT_NPAS protocol radius
aaa-server SB_MGMT_NPAS (inside) host x.x.x.x
 key 8 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
 no mschapv2-capable

These are the AAA commands that make that work:

aaa authentication enable console SB_MGMT_NPAS LOCAL
aaa authentication http console SB_MGMT_NPAS LOCAL
aaa authentication ssh console SB_MGMT_NPAS LOCAL
aaa authorization command LOCAL
aaa authentication login-history

The problem I'm having is that I can't find an "aaa authorization" command syntax that will allow me to control the privilege level of SSH users. I have two levels of users set up in NPAS RADIUS based on group membership. Admin users are set for level 15 and auditors for level 3.

Using debug on the ASA I can clearly see that RADIUS is communicating the privilege attribute during the authentication process:

Got AV-Pair with value shell:priv-lvl=15
Got AV-Pair with value shell:priv-lvl=3

However, when I apply "aaa authorization exec authentication-server auto-enable" or I enable authorization for exec shell access in ASDM, it will not allow me to enable at all.

What is the command syntax to make the ASA pay attention to the privilege level attribute?

Thank you.