Cisco Pix515e or ASA Auto Enable Mode using Cisco ACS AAA

Unanswered Question

I have AAA authenication working on our PIX and Switches with a backend Cisco ACS server. I'm able to login via Cisco Radius in enable mode on the Cat switches. Problem I have is I'm not sure of what is required to go right into enable mode on the Pix's/ASA's so that I don't have to type in the enable password when logging into the PIX. Here is my command I use on the Switches which automatically puts me into enable mode when I login successfully with Cisco ACS Radius LDAP authenication.

aaa new-model


aaa authentication login CiscoACS group radius local


aaa authorization exec CiscoACS group radius local if-authenticated


line vty 0 15

authorization exec CiscoACS

login authentication CiscoACS

Does anyone know what is the command I can use that would allow me to get authorization exec on a PIX or ASA 5505?

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (3 ratings)
Premdeep Banga Tue, 06/12/2007 - 15:25
User Badges:
  • Gold, 750 points or more


PIX/ASA works in a different way then IOS devices does.

what you seek is not possible. We do not have something as EXEC authorization on PIX/ASA, so we cannot go directly into enable/privileged mode.

Reason for this is, Under normal circumstances, the AAA server could reply to the initial authentication/authorization request with "priv-lvl", and the users session would assume this level, without having to enter and additional commands (like ).

But such feature is not available on PIX/ASA.



raviluchmun Mon, 06/15/2015 - 13:28
User Badges:


Actually it is possible - i can't be sure if it is the new version of ASA that allows it.

I am running asa916-k8.bin on 5510

The command is aaa authorization exec LOCAL auto-enable


Ravi L


This Discussion