05-01-2007 09:11 AM - edited 03-10-2019 03:07 PM
Hi all, I was trying to authorize the ASA with ACS 3.2 on priv lvl 7 using TACACS+, but the users were getting priv-lvl 15 only.
aaa-server aaa_serv protocol tacacs+
aaa-server aaa_serv host 10.0.0.10
key cisco123
aaa authentication serial console tac_serv
aaa authentication telnet console tac_serv
aaa authentication enable console tac_serv
aaa authorization command tac_serv
I had also brought some commands into priv 7 using the privilege command, but the problem is that when I try to log in I am getting priv-lvl 15 only, not 7. I had also set the TACACS+ settings in ACS to assign priv lvl=7 only to the users, but I don't know why it is not working.
05-01-2007 02:12 PM
ASA does not have any authorization exec command, so Priv Level does not work with ASA.
Max privilege (enable attrib. in ACS) works with ASA.
But if you are implementing command authorization with ASA, there is no need to configure max priv levels; let them all fall on priv level 15 and control access through command authorization.
The 2 main commands required for command authorization are:
aaa authentication enable console tac_serv (this is because we do not have authorization exec in ASA so enable authentication is required for command auth to work)
aaa authorization command tac_serv
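A small consistency check for the AAA lines discussed in this thread, added here as an example and not part of any post or of Cisco tooling. It verifies that every server group named on an "aaa authentication" or "aaa authorization command" line is defined by an "aaa-server ... protocol" line, and that command authorization is accompanied by enable authentication, as the reply above states. The function name audit_aaa and the regular expressions are assumptions; the sample input is the configuration as posted in the question.

```python
import re

# Configuration lines exactly as posted in the question above.
POSTED_CONFIG = """\
aaa-server aaa_serv protocol tacacs+
aaa-server aaa_serv host 10.0.0.10
key cisco123
aaa authentication serial console tac_serv
aaa authentication telnet console tac_serv
aaa authentication enable console tac_serv
aaa authorization command tac_serv
"""

DEFINE = re.compile(r"^aaa-server\s+(\S+)\s+protocol\s+(\S+)", re.I)
AUTHEN = re.compile(r"^aaa authentication\s+(\S+)\s+console\s+(\S+)", re.I)
AUTHOR = re.compile(r"^aaa authorization command\s+(\S+)", re.I)


def audit_aaa(config: str) -> list[str]:
    """Return findings for the AAA lines of an ASA configuration (hypothetical helper)."""
    defined, referenced = {"LOCAL"}, []  # LOCAL is the built-in user database
    enable_auth = cmd_author = False
    for raw in config.splitlines():
        line = raw.strip()
        if m := DEFINE.match(line):
            defined.add(m.group(1))
        elif m := AUTHEN.match(line):
            referenced.append((line, m.group(2)))
            enable_auth |= m.group(1).lower() == "enable"
        elif m := AUTHOR.match(line):
            referenced.append((line, m.group(1)))
            cmd_author = True
    # A group that is referenced but never defined cannot be used for AAA.
    findings = [f"undefined server group '{group}' in: {line}"
                for line, group in referenced if group not in defined]
    # Per the reply above, command authorization needs enable authentication.
    if cmd_author and not enable_auth:
        findings.append("command authorization configured without "
                        "'aaa authentication enable console'")
    return findings


if __name__ == "__main__":
    for finding in audit_aaa(POSTED_CONFIG):
        print(finding)
```

Run against the configuration as posted, it reports that the group name on the aaa-server lines (aaa_serv) does not match the name used on the authentication and authorization lines (tac_serv).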
05-01-2007 06:56 PM
I agree with you, but then what is the use of the privilege commands? What will I do by bringing commands to some x priv level?
05-02-2007 05:12 AM
Hi,
This link from the TAC case collection will provide you info on ASA exec author:
http://www.ciscotaccc.com/security/showcase?case=K25224726
Thanks,
05-02-2007 05:15 AM
Thanks a lot.