AAA Authorization on PIX

Unanswered Question
Oct 16th, 2007

I have a PIX running 6.3(5) and ACS 3.3, and I'm trying to configure AAA authorization on the PIX. I followed the docs on Cisco; however, I can't get anything to work. AAA authentication is already working, so I know that end is OK. What I want to do is allow a certain ACS group to be able to log in to the firewall (level 1 only) and have the ability to do a show run. Do I need to change the privilege of show run to level 1?

Here are the docs I've been following:

http://cisco.com/en/US/partner/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#asso1

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a00800949d6.shtml

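For reference, here is the PIX 6.3 side of the setup the question describes, as an added example and not configuration from the original post or from the linked Cisco documents. The server tag (ACS), interface name, host address and shared key are assumptions; substitute your own. Both variants are shown: TACACS+ command authorization, where the ACS shell command authorization set makes the permit/deny decision, and LOCAL command authorization, where the PIX's own privilege table decides and lowering show running-config is the relevant knob.

```cisco
! Added example (not from the original post). Names, addresses and key are assumptions.
! --- Shared: TACACS+ server definition (authentication is already working per the post)
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.168.1.10 MySharedKey timeout 5
aaa authentication ssh console ACS
aaa authentication enable console ACS

! --- Variant 1: ACS decides per command.
! Every command typed in the session is sent to ACS; the group's Shell Command
! Authorization Set (e.g. "show" with argument "permit run") permits or denies it.
aaa authorization command ACS

! --- Variant 2: PIX decides locally from its privilege table.
! Move "show running-config" down to level 1 so a level-1 user may run it,
! then turn on local command authorization. Check the resulting table with
! "show privilege all".
privilege show level 1 command running-config
aaa authorization command LOCAL
```

Two practical cautions when testing this: keep a second session (ideally the serial console) open while enabling command authorization, so that a misconfigured ACS group or an unreachable server cannot lock you out of the firewall; and on the ACS 3.3 side, the Shell Command Authorization Set only applies to a group if per-group command authorization is enabled under Interface Configuration for TACACS+ and the group's Shell (exec) service is enabled with the privilege level you expect the PIX to receive.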
Collin Clark Tue, 10/16/2007 - 13:29

JG-

Thanks for the screenshots! I set the users to level 15, but I get the same results. I have a ShowRun group that allows the following: show permit run, exit, and quit, and deny not matching. I have a second group, FullControl, that permits any unmatched. I assigned level 15 to both groups and set each group to the appropriate shell command group. The weird thing is, with my test login (in the ShowRun group) I can do show ?, but that's it. If I log in with my ID (FullControl), I can only do the exact same thing, show ?. I must be missing something (easy, I'm sure).

Jagdeep Gambhir Tue, 10/16/2007 - 15:31

Are you using an external database? Make sure that the user is mapped to the correct group. You can check it from the passed or failed attempts. Check:

It should map the user (limited access) to the ShowRun group.

Regards,

~JG
