11-21-2023 05:37 AM
Hello,
We are using a FreeRADIUS server for authentication at our ASAs. Now we have introduced a user who should be limited in his abilities, so we defined a privilege level (14) for this user to limit this account to certain commands.
This now works for an ASA device which has a configuration for privilege level 14.
But when this user logs in to a different ASA which does not have a config for this privilege level, the user gets priv-lvl 14 after the "enable", but seems to have no limitations. This was kind of a surprise to me. I would have expected that the user's "enable" attempt would fail because the privilege he should get is not explicitly configured.
Maybe I am missing a configuration option?
As the RADIUS answer already includes the desired privilege level, I am now searching for a configuration option like these:
- Deny user's login when the requested priv-lvl is not configured
- Or at least: Deny User's "enable" attempt when the priv-lvl is not configured
Any ideas?
Example below; conf t is not allowed within privilege level 14.
Thanks.
### Connection to ASA with config for priv-lvl 14
# ssh -l username asa001
username@asa001's password:
User username logged in to asa001-admin
asa001/admin/act> sh curpriv
Username : username
Current privilege level : 1
Current Mode/s : P_UNPR
asa001/admin/act> ena
Password: *
asa001/admin/act# show curpriv
Username : username
Current privilege level : 14
Current Mode/s : P_PRIV
asa001/admin/act# conf t
^
ERROR: % Invalid input detected at '^' marker.
ERROR: Command authorization failed
asa001/admin/act# exit
### Connection to ASA without config for priv-lvl 14
# ssh -l username asa002
username@asa002's password:
User username logged in to asa002
asa002> show curpriv
Username : username
Current privilege level : 1
Current Mode/s : P_UNPR
asa002> ena
Password: *
asa002# show curpriv
Username : username
Current privilege level : 14
Current Mode/s : P_PRIV
asa002# conf t
asa002(config)# exit
asa002# exit
11-21-2023 05:42 AM
Can I see the config of the ASA?
The AAA, telnet and ssh lines.
11-21-2023 06:04 AM - edited 11-21-2023 07:29 AM
Configuration lines of ASA with privilege level 14 configured:
# show running-config | include aaa
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server RADIUS (mgt) host a.b.c.d
aaa authentication http console RADIUS LOCAL
aaa authentication telnet console RADIUS LOCAL
aaa authentication enable console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
aaa authorization command LOCAL
aaa authentication login-history
# show running-config | include telnet
aaa authentication telnet console RADIUS LOCAL
telnet timeout 5
# show running-config | include ssh
aaa authentication ssh console RADIUS LOCAL
no ssh stricthostkeycheck
ssh timeout 60
ssh version 2
ssh cipher integrity medium
ssh key-exchange group dh-group1-sha1
ssh a.b.c.d n.n.n.n mgt ### multiple times for a list of several IPs and networks to be allowed
11-21-2023 07:10 AM - edited 11-21-2023 07:40 AM
MHM
11-21-2023 07:33 AM
Sorry, the shown config was from the ASA with privilege level 14 configured. I updated the previous post with a hint to that.
Just in case we had a misunderstanding here.
This is the config of the ASA without privilege level 14 configured:
# show run | incl aaa
aaa-server RADIUS protocol radius
aaa-server RADIUS (management) host a.b.c.d
aaa authentication http console RADIUS LOCAL
aaa authentication telnet console RADIUS LOCAL
aaa authentication enable console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
aaa authentication login-history
# show run | incl telnet
aaa authentication telnet console RADIUS LOCAL
telnet timeout 5
# show run | incl ssh
aaa authentication ssh console RADIUS LOCAL
ssh scopy enable
ssh stricthostkeycheck
ssh a.b.c.d n.n.n.n management ### multiple lines for management access
ssh timeout 60
ssh version 2
ssh key-exchange group dh-group14-sha1
11-21-2023 07:53 AM
aaa authorization command LOCAL
Are you using any command privilege with command allow in the ASA?
Note: the local user/password without the privilege keyword puts the user at level 2.
11-22-2023 08:01 AM
I added
aaa authorization command LOCAL
to the config of the ASA without privilege level 14, and now I get acceptable behavior:
asa002> ena
Password: ****************
asa002# show curp
asa002# show curpriv
Username : username
Current privilege level : 14
Current Mode/s : P_PRIV
asa002# conf t
^
ERROR: % Invalid input detected at '^' marker.
ERROR: Command authorization failed
asa002# show run
^
ERROR: % Invalid input detected at '^' marker.
ERROR: Command authorization failed
Thank you very much.
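The thread's outcome is that a RADIUS-assigned priv-lvl is recorded by the ASA but only enforced once `aaa authorization command LOCAL` is present. A fleet-wide check for that gap is a useful follow-up: the script below is an added example (not part of this thread or of Cisco's tooling) that parses `show running-config` text and flags ASAs where enable authentication is delegated to an external server but no command authorization is configured. The two sample configs are constructed from the excerpts posted above; the `privilege show level 14 ...` line in the first sample is an assumed illustration of a level-14 entry, since the thread never shows the actual privilege lines.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set

# Constructed sample 1: modelled on the asa001 excerpt in the thread, plus one
# assumed 'privilege' line standing in for the level-14 configuration it mentions.
ASA_WITH_AUTHZ = """
aaa-server RADIUS protocol radius
aaa-server RADIUS (mgt) host a.b.c.d
aaa authentication enable console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
aaa authorization command LOCAL
privilege show level 14 mode exec command curpriv
"""

# Constructed sample 2: modelled on the asa002 excerpt before the fix.
ASA_WITHOUT_AUTHZ = """
aaa-server RADIUS protocol radius
aaa-server RADIUS (management) host a.b.c.d
aaa authentication enable console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
"""


@dataclass
class AaaFinding:
    hostname: str
    enable_auth: List[str]          # server tags on 'aaa authentication enable console'
    command_authz: Optional[str]    # server tag on 'aaa authorization command', or None
    privilege_levels: Set[int]      # levels referenced by 'privilege ... level N' lines
    enforced: bool                  # True when command authorization is configured
    message: str


def audit_asa_config(hostname: str, running_config: str) -> AaaFinding:
    """Inspect an ASA running-config for the gap discussed in the thread:
    priv-lvl handed out by RADIUS at 'enable' time, but no command authorization
    to make the ASA honour it."""
    enable_auth: List[str] = []
    command_authz: Optional[str] = None
    levels: Set[int] = set()

    for raw in running_config.splitlines():
        line = raw.strip()
        m = re.match(r"^aaa authentication enable console (.+)$", line)
        if m:
            enable_auth = m.group(1).split()
        m = re.match(r"^aaa authorization command (\S+)", line)
        if m:
            command_authz = m.group(1)
        m = re.match(r"^privilege \S+ level (\d+)", line)
        if m:
            levels.add(int(m.group(1)))

    external = [tag for tag in enable_auth if tag != "LOCAL"]
    enforced = command_authz is not None

    if external and not enforced:
        message = (
            f"{hostname}: enable authentication via {'/'.join(external)} assigns a "
            "priv-lvl, but no 'aaa authorization command' line exists, so the level "
            "is not enforced; add 'aaa authorization command LOCAL'."
        )
    elif enforced and not levels:
        message = (
            f"{hostname}: command authorization against {command_authz} is active; "
            "no custom 'privilege' lines found, so the default per-command levels apply."
        )
    elif enforced:
        message = (
            f"{hostname}: command authorization against {command_authz} is active; "
            f"custom privilege levels configured: {sorted(levels)}."
        )
    else:
        message = f"{hostname}: enable authentication is local only; nothing to check."

    return AaaFinding(hostname, enable_auth, command_authz, levels, enforced, message)


if __name__ == "__main__":
    for host, cfg in (("asa001", ASA_WITH_AUTHZ), ("asa002", ASA_WITHOUT_AUTHZ)):
        print(audit_asa_config(host, cfg).message)
```

Run against real devices, the same function can be fed the output of `show running-config | include aaa|privilege` collected over SSH; the interesting result is any host whose finding reports an external enable server with `command_authz` still `None`.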
11-22-2023 08:04 AM
You are welcome
MHM