
asa cmd authorization using acs

diptanshusingh
Level 1

Hi all, I was trying to authorize the ASA with ACS 3.2 on priv lvl 7 using TACACS+, but the users were getting priv-lvl 15 only.

aaa-server aaa_serv protocol tacacs+

aaa-server aaa_serv host 10.0.0.10

key cisco123

aaa authentication serial console tac_serv

aaa authentication telnet console tac_serv

aaa authentication enable console tac_serv

aaa authorization command tac_serv

I had also brought some commands into priv 7 using the privilege command, but the problem is that when I try to log in I am getting priv-lvl 15 only, not 7. I had also set the TACACS+ settings in ACS to assign priv lvl=7 only to the users, but I don't know why it is not working.


rochopra
Cisco Employee

ASA does not have any authorization exec command so Priv Level does not work with ASA.

Max privilege (enable attrib. in ACS) works with ASA.

But if you are implementing command authorization with ASA, there is no need to configure max priv levels; let them all fall on priv level 15 and control access through command authorization.

The 2 main commands required for command authorization are:

aaa authentication enable console tac_serv (this is because we do not have authorization exec in ASA so enable authentication is required for command auth to work)

aaa authorization command tac_serv
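As an added example (not part of the original thread and not Cisco tooling), the following Python check runs over the configuration posted in the question. It flags AAA lines that reference a server group never declared with `aaa-server` (the post declares `aaa_serv` but references `tac_serv`) and command authorization configured without the enable authentication line the reply above says it needs. The function name `audit_aaa` and the simplified line parsing are assumptions of this example.

```python
# Constructed sample: the configuration lines as posted in the question above.
POSTED_CONFIG = """\
aaa-server aaa_serv protocol tacacs+
aaa-server aaa_serv host 10.0.0.10
key cisco123
aaa authentication serial console tac_serv
aaa authentication telnet console tac_serv
aaa authentication enable console tac_serv
aaa authorization command tac_serv
"""

BUILTIN = {"LOCAL"}  # built-in local user database, needs no aaa-server line


def audit_aaa(config):
    """Return a list of findings for an ASA-style AAA configuration (hypothetical helper)."""
    defined = set()        # groups declared with 'aaa-server <group> protocol ...'
    refs = []              # (group, line) for every line that uses a group
    enable_groups = set()  # groups used by 'aaa authentication enable console'
    author_groups = set()  # groups used by 'aaa authorization command'
    for raw in config.splitlines():
        w = raw.split()
        if len(w) >= 4 and w[0] == "aaa-server" and w[2] == "protocol":
            defined.add(w[1])
        elif len(w) >= 5 and w[:2] == ["aaa", "authentication"] and w[3] == "console":
            refs.append((w[4], raw.strip()))
            if w[2] == "enable":
                enable_groups.add(w[4])
        elif len(w) >= 4 and w[:3] == ["aaa", "authorization", "command"]:
            refs.append((w[3], raw.strip()))
            author_groups.add(w[3])

    findings = []
    for group, line in refs:
        if group not in defined and group not in BUILTIN:
            findings.append(f"undefined server group '{group}': {line}")
    # Per the reply above: command authorization relies on enable authentication.
    for group in sorted(author_groups - enable_groups - BUILTIN):
        findings.append(
            f"command authorization via '{group}' without "
            f"'aaa authentication enable console {group}'"
        )
    return findings


if __name__ == "__main__":
    for finding in audit_aaa(POSTED_CONFIG):
        print(finding)
```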

I agree with you, but then what is the use of privilege commands? What will I do by bringing commands to some x priv level?

Hi ,

This link from TAC case collection will provide you info on ASA exec author,

http://www.ciscotaccc.com/security/showcase?case=K25224726

Thanks,

Thanks a lot
