AAA Authorization on PIX

Oct 16th, 2007

I have a PIX running 6.3(5) and ACS 3.3 and I'm trying to configure AAA Authorization on the PIX. I followed the docs on Cisco, however I can't get anything to work. AAA authentication is already working so I know that end is OK. What I want to do is allow a certain ACS group to be able to login to the firewall (level 1 only) and have the ability to do a show run. Do I need to change the privilege of show run to level 1?


Here are the docs I've been following:

http://cisco.com/en/US/partner/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#asso1

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a00800949d6.shtml

Jagdeep Gambhir Tue, 10/16/2007 - 13:14

The trick here is to give all users priv 15 and then set the command authorization set as per your need. Giving a user priv 15 does not mean that the user will be able to execute all commands.


The doc you are referring to is right. Please check the attachment.


Regards,

~JG
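The PIX side of the setup JG describes, as an added example that is not from the original thread or its attachment: a PIX 6.3 configuration fragment that sends Telnet/SSH login, enable, and command authorization to a TACACS+ ACS server. The server tag `ACS`, the address `10.1.1.10` and the key are made-up placeholders; which commands a group may run is decided by the shell command authorization set on ACS, not by anything in this fragment.

```text
! Define the TACACS+ server group (tag, address and key are placeholders)
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 10.1.1.10 REPLACE_WITH_KEY timeout 5

! Authenticate management logins and enable against ACS
aaa authentication telnet console ACS
aaa authentication ssh console ACS
aaa authentication enable console ACS

! Ask ACS before executing each command; the per-group
! shell command authorization set (e.g. permit "show run",
! deny unmatched) is what actually limits the user
aaa authorization command ACS
```

Keep a console session open while testing, and use the ACS Passed/Failed Attempts reports to confirm which group the test user was mapped to.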




Collin Clark Tue, 10/16/2007 - 13:29

JG-


Thanks for the screenshots! I set the users to level 15 but I get the same results. I have a ShowRun group that allows the following: permit show run, exit, and quit, and deny anything not matching. I have a second group FullControl that permits any unmatched. I assigned level 15 to both groups and set each group to the appropriate shell command group. The weird thing is with my test login (in the ShowRun group) I can do show ?, but that's it. If I login with my ID (FullControl) I can only do the exact same thing, show ?. I must be missing something (easy I'm sure).


Jagdeep Gambhir Tue, 10/16/2007 - 15:31

Are you using an external database? Make sure that the user is mapped to the correct group. You can check it from passed or failed attempts. Check


It should map the user (limited access) with the ShowRun group.


Regards,

~JG

