Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1607
Views
4
Helpful
8
Replies

Privilege level - ASDM

pjhenriqs
Level 1
Level 1

‎07-25-2007 12:43 AM - edited ‎03-10-2019 03:17 PM

Hi,

I have defined on the RADIUS server a profile with privilege level 0 with the

"shell:priv-lvl=0" command on the server. The problem is that when

the user logs into the firewall it is always given privilege level 1 (if SSH)

or 15 (if ASDM).

The AAA configuration on the firewall is the following:

aaa-server RADIUS protocol radius

aaa-server RADIUS (outside) host x.x.x.x

retry-interval 1

key *

authentication-port 8812

accounting-port 8813

aaa authentication http console RADIUS LOCAL

aaa authentication ssh console RADIUS LOCAL

aaa authentication enable console RADIUS LOCAL

Can you tell me what I need to do to authenticate using RADIUS, but assigning

the correct privilege levels?

I have been refered to bug ID CSCsh17346, but although i've updated the image to 7.2.2.22 it still does not work.

Thanks in advance.

(in attachment is the output of the radius debug).

Labels:
Preview file
2 KB
0 Helpful
8 Replies 8

Jagdeep Gambhir
Level 10
Level 10

‎07-26-2007 03:55 PM

Hi,

This bug is not resolved as of now, but it should be fixed soon.

Thanks,

~JG

0 Helpful

pjhenriqs
Level 1
Level 1
In response to Jagdeep Gambhir

‎07-27-2007 03:34 AM

Hi,

Thanks for the reply.

I've updated the ASA to version 8 (because I was told to do so by the TAC). Unfortunately I don't think version 8 solves the problem either.

I am waiting for TAC to recreate the problem...

Regards,

Paulo

0 Helpful

Premdeep Banga
Level 7
Level 7

‎07-27-2007 03:52 PM

Hi Paulo,

What I think is, you are looking for something like this,

Limiting User CLI and ASDM Access with Management Authorization:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_80/conf_gd/sysadmin/mgaccess.htm#wp1070306

Go through what setting with what protocol, will give you what level of access. This might help.

And what you originally looking for is, might be related to this,

Configuring Command Authorization

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_80/conf_gd/sysadmin/mgaccess.htm#wp1042034

Go through complete heading, but to be specific interesting part is "Configuring Local Command Authorization"

Above links worth a read.

This might help.

Regards,

Prem

pjhenriqs
Level 1
Level 1
In response to Premdeep Banga

‎07-30-2007 04:45 AM

Hi Prem,

The document you are talking about is the correct one where I should be able to do what I want. Unfortunately, things are never simple.

From reading the link you gave me, I came across this reference on the Local Command Authorization:

RADIUS users?Configure the user with Cisco VSA CVPN3000-Privilege-Level with a value between 0 and 15.

Does this mean I can only do the privilege level association if I'm using ACS? I am using FreeRadius...

As for the rating of posts, I'm new to the forum so I don't know how that works? Should I be rating your helpful posts, or only if it comes to a solution?

Thanks for the help.

Regards,

Paulo Henriques

0 Helpful

Premdeep Banga
Level 7
Level 7
In response to pjhenriqs

‎07-30-2007 05:07 AM

Hi Paulo,

You can rate any post, that you think that helped you in looking/driving for a resolution or something that helped you learn new, i.e. anything that helped you learn.

As far as your original issue goes, you can configure VSA attribute in FreeRadius server, but where you can configure that, you have to find that on FreeRadius server.

What I can help you with is,

The vendor ID for CVPN3000 Implementation is 3076.

And as a matter of fact, I as not able to find Cisco VSA CVPN3000-Privilege-Level in ACS either :)

There's some confusion going on. May be you can share the document that you have with the case that you are working on.

Regards,

Prem

0 Helpful

pjhenriqs
Level 1
Level 1
In response to Premdeep Banga

‎07-30-2007 05:53 AM

Hi Prem,

The document I was referring to was the one you gave me the link to.

My case is as i've specified. I work for a company that manages a lot of PIX and ASAs. We have a RADIUS server which we use for authentication, but now we need it to assign the correct privilege levels, to differentiate the users that can access the firewalls. We are using FreeRadius as the RADIUS server.

I've opened up a TAC case and they haven't been able to help me either. I'm waiting for them to replicate the problem.

I'm not sure what else I can share :).

Thanks.

Paulo

0 Helpful

Premdeep Banga
Level 7
Level 7
In response to pjhenriqs

‎07-30-2007 05:57 AM

Hi Paulo,

I know that you referred the document that I provided to you. And I understand that you need to specify on radius server what level of privilege should a user have when connecting to PIX/ASA in order to manage then.

What confuses me in the document that I have provided is, the AV pair which the document points is not even present in Cisco ACS :)

Regards,

Prem

0 Helpful

at
Level 1
Level 1
In response to pjhenriqs

‎11-15-2007 06:23 AM

hi,

could you solve the problem because we have the same ?

regards

alex

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents