asa cmd authorization using acs

May 1st, 2007
Hi all, I was trying to authorize the ASA with ACS 3.2 at priv level 7 using TACACS+, but the users were getting priv-lvl 15 only.

aaa-server tac_serv protocol tacacs+
aaa-server tac_serv host
key cisco123
aaa authentication serial console tac_serv
aaa authentication telnet console tac_serv
aaa authentication enable console tac_serv
aaa authorization command tac_serv

I had also brought some commands down to priv 7 using the privilege command, but the problem is that when I try to log in I am getting priv-lvl 15 only, not 7. I had also set it in ACS, in the TACACS+ settings, to assign priv lvl=7 only to the users, but I don't know why it is not working.

rochopra Tue, 05/01/2007 - 14:12
User Badges: Cisco Employee

ASA does not have any exec authorization command, so privilege level does not work with ASA.

Max privilege (enable attribute in ACS) works with ASA.

But if you are implementing command authorization with ASA there is no need to configure max priv levels; let them all fall on priv level 15 and control access through command authorization.

The 2 main commands required for command authorization are:

aaa authentication enable console tac_serv (this is because we do not have exec authorization in ASA, so enable authentication is required for command authorization to work)

aaa authorization command tac_serv
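The two requirements stated in this reply (the server group named in the AAA statements must actually be defined, and command authorization needs `aaa authentication enable console` alongside `aaa authorization command`) can be checked mechanically before pasting a config onto the box. The script below is an added example and is not code from this thread, from Cisco or from ACS; it parses only the statement forms that appear on this page, the sample config is a constructed copy of the one in the question (with its group-name mismatch left in, and a documentation-range host address filled in as a placeholder), and the treatment of `LOCAL` as a built-in fallback is an assumption of the example.

```python
"""Lint an ASA config fragment for TACACS+ command authorization prerequisites.

Added example, not from the thread. It covers only the statement forms shown on
the page: 'aaa-server <group> protocol ...', 'aaa authentication <svc> console <group>'
and 'aaa authorization command <group>'.
"""
import re
from typing import Dict, List, Set

# Constructed sample: the configuration from the question, with the server group
# defined as aaa_serv but referenced as tac_serv. The host address is a placeholder.
SAMPLE_CONFIG = """\
aaa-server aaa_serv protocol tacacs+
aaa-server aaa_serv host 192.0.2.10
key cisco123
aaa authentication serial console tac_serv
aaa authentication telnet console tac_serv
aaa authentication enable console tac_serv
aaa authorization command tac_serv
"""

# 'LOCAL' is the built-in local user database, not a configured group (assumption
# of this example: treat it as always defined).
BUILTIN_GROUPS = {"LOCAL"}

GROUP_DEF = re.compile(r"^aaa-server\s+(\S+)\s+protocol\s+\S+$")
AAA_REF = re.compile(r"^aaa\s+(authentication\s+\S+\s+console|authorization\s+command)\s+(\S+)")


def parse_aaa(config: str) -> Dict[str, object]:
    """Collect defined server groups and the group each AAA statement points at."""
    defined: Set[str] = set()
    referenced: Dict[str, str] = {}  # statement (without leading 'aaa') -> group name
    for raw in config.splitlines():
        line = raw.strip()
        m = GROUP_DEF.match(line)
        if m:
            defined.add(m.group(1))
            continue
        m = AAA_REF.match(line)
        if m:
            # Normalise internal whitespace so the statement text is a stable key.
            stmt = " ".join(m.group(1).split())
            referenced[stmt] = m.group(2)
    return {"groups": defined, "refs": referenced}


def check_command_authz(config: str) -> List[str]:
    """Return human-readable findings; an empty list means the prerequisites hold."""
    parsed = parse_aaa(config)
    groups: Set[str] = parsed["groups"]  # type: ignore[assignment]
    refs: Dict[str, str] = parsed["refs"]  # type: ignore[assignment]
    findings: List[str] = []

    # 1. Every referenced group must be defined (the mismatch in the sample config).
    for stmt, group in refs.items():
        if group not in groups and group not in BUILTIN_GROUPS:
            findings.append(f"'aaa {stmt}' references undefined server group '{group}'")

    # 2. Command authorization needs enable authentication, since ASA has no exec
    #    authorization (the point made in the reply above).
    if "authorization command" not in refs:
        findings.append("no 'aaa authorization command <group>' configured")
    elif "authentication enable console" not in refs:
        findings.append(
            "'aaa authorization command' is configured without "
            "'aaa authentication enable console <group>'; command authorization will not work"
        )
    return findings


if __name__ == "__main__":
    for finding in check_command_authz(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```

Run against the sample, the script reports four undefined-group references (one per AAA statement that names `tac_serv`); renaming the group consistently clears them, and removing the enable-authentication line produces the second class of finding instead.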

diptanshusingh Tue, 05/01/2007 - 18:56
I agree with you, but then what is the use of privilege commands? What will I do by bringing commands down to some x priv level?
