Privilege level - ASDM

Unanswered Question
Jul 25th, 2007


I have defined on the RADIUS server a profile with privilege level 0 with the "shell:priv-lvl=0" command on the server. The problem is that when the user logs into the firewall it is always given privilege level 1 (if SSH) or 15 (if ASDM).

The AAA configuration on the firewall is the following:

aaa-server RADIUS protocol radius
aaa-server RADIUS (outside) host x.x.x.x
 retry-interval 1
 key *
 authentication-port 8812
 accounting-port 8813
aaa authentication http console RADIUS LOCAL
aaa authentication ssh console RADIUS LOCAL
aaa authentication enable console RADIUS LOCAL

Can you tell me what I need to do to authenticate using RADIUS, but assigning the correct privilege levels?

I have been referred to bug ID CSCsh17346, but although I've updated the image to it, it still does not work.

Thanks in advance.

(In attachment is the output of the radius debug.)

pjhenriqs Fri, 07/27/2007 - 03:34


Thanks for the reply.

I've updated the ASA to version 8 (because I was told to do so by the TAC). Unfortunately I don't think version 8 solves the problem either.

I am waiting for TAC to recreate the problem...



Premdeep Banga Fri, 07/27/2007 - 15:52

Hi Paulo,

What I think is, you are looking for something like this,

Limiting User CLI and ASDM Access with Management Authorization:

Go through which setting, with which protocol, gives you which level of access. This might help.

And what you were originally looking for might be related to this,

Configuring Command Authorization

Go through complete heading, but to be specific interesting part is "Configuring Local Command Authorization"

Above links worth a read.

This might help.



pjhenriqs Mon, 07/30/2007 - 04:45

Hi Prem,

The document you are talking about is the correct one where I should be able to do what I want. Unfortunately, things are never simple.

From reading the link you gave me, I came across this reference on the Local Command Authorization:

RADIUS users: Configure the user with Cisco VSA CVPN3000-Privilege-Level with a value between 0 and 15.

Does this mean I can only do the privilege level association if I'm using ACS? I am using FreeRadius...

As for the rating of posts, I'm new to the forum so I don't know how that works. Should I be rating your helpful posts, or only if it comes to a solution?

Thanks for the help.


Paulo Henriques

Premdeep Banga Mon, 07/30/2007 - 05:07

Hi Paulo,

You can rate any post that you think helped you in looking/driving for a resolution, or something that helped you learn something new, i.e. anything that helped you learn.

As far as your original issue goes, you can configure the VSA attribute in the FreeRadius server, but where you can configure that, you have to find out on the FreeRadius server.

What I can help you with is,

The vendor ID for CVPN3000 Implementation is 3076.

And as a matter of fact, I was not able to find Cisco VSA CVPN3000-Privilege-Level in ACS either :)

There's some confusion going on. Maybe you can share the document that you have with the case that you are working on.
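The thread turns on which RADIUS vendor-specific attribute the firewall actually receives: the original post's server sends shell:priv-lvl=0 as a Cisco-AVPair (vendor 9), while the ASA document quoted later names CVPN3000-Privilege-Level under vendor ID 3076. This added Python example (not code from the thread, from Cisco or from FreeRADIUS) decodes the attribute section of a RADIUS Access-Accept and reports which privilege-level attributes it carries, so a captured reply such as the attached radius debug can be checked against what the firewall expects. It assumes vendor-type 220 for CVPN3000-Privilege-Level, taken from FreeRADIUS's dictionary.cisco.vpn3000, which should be checked against your own dictionary.

```python
import struct
VENDOR_SPECIFIC = 26   # RFC 2865 Vendor-Specific attribute type
CISCO = 9              # Cisco-AVPair: vendor 9, vendor-type 1
CISCO_VPN3000 = 3076   # vendor ID of the CVPN3000/ASA dictionary (stated in the thread)
# ASSUMPTION: vendor-type 220 is CVPN3000-Privilege-Level in dictionary.cisco.vpn3000.
CVPN3000_PRIVILEGE_LEVEL = 220

def iter_attributes(blob):
    """Yield (type, value) for each attribute after the 20-byte RADIUS header."""
    pos = 0
    while pos < len(blob):
        atype, alen = blob[pos], blob[pos + 1] if pos + 1 < len(blob) else 0
        if alen < 2 or pos + alen > len(blob):
            raise ValueError("bad or truncated attribute at offset %d" % pos)
        yield atype, blob[pos + 2:pos + alen]
        pos += alen

def parse_vsa(value):
    """Split a Vendor-Specific value into (vendor_id, vendor_type, data)."""
    if len(value) < 6:
        raise ValueError("VSA too short")
    vendor_id = struct.unpack("!I", value[:4])[0]
    vtype, vlen = value[4], value[5]
    if vlen < 2 or 4 + vlen > len(value):
        raise ValueError("bad vendor-length in VSA")
    return vendor_id, vtype, value[6:4 + vlen]

def privilege_levels(blob):
    """Collect every privilege-level claim in an Access-Accept attribute blob."""
    found = {}
    for atype, value in iter_attributes(blob):
        if atype != VENDOR_SPECIFIC:
            continue
        vendor_id, vtype, data = parse_vsa(value)
        if vendor_id == CISCO and vtype == 1:
            text = data.decode("ascii", "replace")
            if text.startswith("shell:priv-lvl="):
                found["shell:priv-lvl"] = int(text.split("=", 1)[1])
        elif vendor_id == CISCO_VPN3000 and vtype == CVPN3000_PRIVILEGE_LEVEL and len(data) == 4:
            found["CVPN3000-Privilege-Level"] = struct.unpack("!I", data)[0]
    return found

def build_vsa(vendor_id, vtype, data):
    """Encode one VSA; used here only to construct the sample input below."""
    body = struct.pack("!I", vendor_id) + bytes([vtype, len(data) + 2]) + data
    return bytes([VENDOR_SPECIFIC, len(body) + 2]) + body

# Constructed samples: a reply carrying only Cisco-AVPair (what the poster's server sends) and one that also carries the vendor-3076 attribute.
SAMPLE_AVPAIR_ONLY = build_vsa(CISCO, 1, b"shell:priv-lvl=0")
SAMPLE_BOTH = SAMPLE_AVPAIR_ONLY + build_vsa(CISCO_VPN3000, CVPN3000_PRIVILEGE_LEVEL, struct.pack("!I", 0))
```

Feed it the bytes following the 20-byte header of a captured Access-Accept; an empty result for "CVPN3000-Privilege-Level" means the server never sent the attribute the ASA document describes.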



pjhenriqs Mon, 07/30/2007 - 05:53

Hi Prem,

The document I was referring to was the one you gave me the link to.

My case is as I've specified. I work for a company that manages a lot of PIX and ASAs. We have a RADIUS server which we use for authentication, but now we need it to assign the correct privilege levels, to differentiate the users that can access the firewalls. We are using FreeRadius as the RADIUS server.

I've opened up a TAC case and they haven't been able to help me either. I'm waiting for them to replicate the problem.

I'm not sure what else I can share :).



Premdeep Banga Mon, 07/30/2007 - 05:57

Hi Paulo,

I know that you referred to the document that I provided to you. And I understand that you need to specify on the radius server what level of privilege a user should have when connecting to PIX/ASA in order to manage them.

What confuses me in the document that I have provided is, the AV pair which the document points to is not even present in Cisco ACS :)



at Thu, 11/15/2007 - 06:23


Could you solve the problem? Because we have the same.



