01-23-2007 09:34 AM
Has anyone been able to get an ASA running 7.2 to have a user enable correctly? Here is my config:
aaa-server TAC protocol tacacs+
aaa-server TAC (outside) host XX.XX.XX.XX
key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
aaa authentication ssh console TAC LOCAL
aaa authentication serial console TAC LOCAL
aaa authentication enable console TAC LOCAL
aaa authorization command TAC LOCAL
group = pixadmin {
    default service = permit
    acl = pixes
    service = exec {
        priv-lvl = 15
    }
}
user = username {
    login = des XXXXXXXXXXXX
    member = pixadmin
}
Can log in, but can't enable using password. Doesn't look as if the priv. level is coming across correctly.
01-23-2007 04:36 PM
The ASA/PIX doesn't do "exec" authorization like a router does, to put you straight into privilege level 15, if that's what you're asking. The privilege level is only used with command authorization, where you can put certain commands into certain privilege levels, and the user can then only run those commands.
01-23-2007 05:29 PM
Basically, what I am trying to accomplish is to have a TACACS user be able to go into enable mode with their same password. I can get the user logged in, but the only way I can get that user into enable mode is using the local enable password. If I run aaa authentication enable console TACSERVER LOCAL, I can't enable with any user. Don't know if this is able to be done without using Cisco ACS.
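The enable step discussed in these posts is, on the wire, a second TACACS+ authentication rather than a continuation of the login: the client sends a new authentication START with authen_service set to ENABLE (2) and the requested priv_lvl (15), so the server has to hold an enable credential for whatever user it sees on that request, separately from the login credential it already checked. The following Python, added here as an illustration and not taken from the thread or from any Cisco or tac_plus code, builds both START packets, applies the RFC 8907 MD5 pseudo-pad obfuscation with a constructed shared key, and decodes them as a server would. The username, port, address, session IDs and key are constructed values.

```python
"""TACACS+ (RFC 8907) authentication START for a LOGIN vs an ENABLE request.

Added illustration, not code from the thread: builds the two START packets a
client such as an ASA sends (one when the user logs in, a second one when the
user types `enable`), obfuscates the body with the RFC 8907 MD5 pseudo-pad, and
decodes them again the way a TACACS+ server would.
"""
import hashlib
import struct

TAC_PLUS_VERSION = 0xC0            # major version 0xc, minor 0
TAC_PLUS_AUTHEN = 0x01             # packet type: authentication
TAC_PLUS_UNENCRYPTED_FLAG = 0x01

TAC_PLUS_AUTHEN_LOGIN = 0x01       # START action
TAC_PLUS_AUTHEN_TYPE_ASCII = 0x01
TAC_PLUS_AUTHEN_SVC_LOGIN = 0x01   # authen_service for the login prompt
TAC_PLUS_AUTHEN_SVC_ENABLE = 0x02  # authen_service for the enable prompt

HEADER = struct.Struct("!BBBBII")   # version, type, seq_no, flags, session_id, length
START_FIXED = struct.Struct("!8B")  # action, priv_lvl, authen_type, service, 4 field lengths
SERVICE_NAMES = {TAC_PLUS_AUTHEN_SVC_LOGIN: "login", TAC_PLUS_AUTHEN_SVC_ENABLE: "enable"}


def pseudo_pad(session_id, key, version, seq_no, length):
    """RFC 8907 4.5: MD5_1 = MD5(session_id|key|version|seq_no); MD5_n appends MD5_(n-1)."""
    seed = struct.pack("!I", session_id) + key + bytes([version, seq_no])
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(seed + prev).digest()
        pad += prev
    return pad[:length]


def obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo-pad; the same call reverses it."""
    pad = pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_authen_start(user, port, rem_addr, service, priv_lvl, session_id, key, seq_no=1):
    """Client side: ASCII-type START. The password is not in START; the server
    asks for it with a GETPASS reply and it travels in a later CONTINUE packet."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    body = START_FIXED.pack(TAC_PLUS_AUTHEN_LOGIN, priv_lvl, TAC_PLUS_AUTHEN_TYPE_ASCII,
                            service, len(user_b), len(port_b), len(rem_b), 0)
    body += user_b + port_b + rem_b
    header = HEADER.pack(TAC_PLUS_VERSION, TAC_PLUS_AUTHEN, seq_no, 0, session_id, len(body))
    return header + obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_authen_start(packet, key):
    """Server side: validate the header, strip the pad, and pull the START fields apart."""
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack_from(packet, 0)
    if ptype != TAC_PLUS_AUTHEN or seq_no != 1:
        raise ValueError("not an authentication START")
    if len(packet) != HEADER.size + length:
        raise ValueError("header length does not match packet")
    body = packet[HEADER.size:]
    if not flags & TAC_PLUS_UNENCRYPTED_FLAG:
        body = obfuscate(body, session_id, key, version, seq_no)
    action, priv_lvl, authen_type, service, ulen, plen, rlen, dlen = START_FIXED.unpack_from(body, 0)
    if START_FIXED.size + ulen + plen + rlen + dlen != length:
        raise ValueError("field lengths do not add up (wrong shared key?)")
    off = START_FIXED.size
    user = body[off:off + ulen].decode()
    off += ulen
    port = body[off:off + plen].decode()
    off += plen
    rem_addr = body[off:off + rlen].decode()
    return {"session_id": session_id, "action": action, "priv_lvl": priv_lvl,
            "authen_type": authen_type, "service": service,
            "user": user, "port": port, "rem_addr": rem_addr}


def classify(packet, key):
    """(service name, requested privilege level, user): what a server keys its lookup on."""
    s = parse_authen_start(packet, key)
    return SERVICE_NAMES.get(s["service"], "other"), s["priv_lvl"], s["user"]


KEY = b"constructed-shared-secret"  # constructed value; the thread's key is redacted


def demo():
    """The two requests the thread's user triggers: the SSH login, then `enable`.
    Port, address and session IDs are constructed values."""
    login = build_authen_start("username", "ssh", "192.0.2.10",
                               TAC_PLUS_AUTHEN_SVC_LOGIN, 1, 0x11223344, KEY)
    enable = build_authen_start("username", "ssh", "192.0.2.10",
                                TAC_PLUS_AUTHEN_SVC_ENABLE, 15, 0x55667788, KEY)
    return classify(login, KEY), classify(enable, KEY)


if __name__ == "__main__":
    print(demo())
```

Running it prints (('login', 1, 'username'), ('enable', 15, 'username')): the same user, two different service codes. A server that only has a login password on file for the user has nothing to match the second request against. In Shrubbery tac_plus the shared enable password is declared under the `$enab15$` pseudo-user, and where a server version supports per-user enable passwords they are a separate attribute from `login`, so check the server's own documentation for the exact spelling. The length check in parse_authen_start is also the quick way to spot a shared-key mismatch between the ASA and the server: a wrong key turns the four field lengths into garbage and their sum no longer matches the header.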