I have AAA configured on an ASA 8.0(3) to a CiscoSecure ACS server as follows:
aaa authentication http console tacacs-group LOCAL
aaa authentication enable console tacacs-group LOCAL
aaa authentication serial console tacacs-group LOCAL
aaa authentication ssh console tacacs-group LOCAL
aaa authorization command tacacs-group LOCAL
aaa accounting enable console tacacs-group
aaa accounting ssh console tacacs-group
aaa accounting serial console tacacs-group
aaa accounting telnet console tacacs-group
aaa accounting command privilege 15 tacacs-group
aaa authorization exec authentication-server
Everything works except when disconnecting - a privileged exec account is able to "exit" or "logout" as expected, but if a privileged exec account first reverts to User Exec mode by issuing the "disable" command, no further commands are authorized.
Command authorization failed
In the Failed Attempts log of the ACS server I see the "Author Failed" message type from the user "enable_1" ...
It seems that when an authenticated/authorized user exits enable mode the ASA "loses" the account name, and any further commands are issued by this "enable_1", which does not exist locally, on the ACS server, or in any external DBs, so authorization is failing. This is annoying, as it disallows the ability to change modes: after a user "disable"s they can then not "enable" again either...
Is this behavior expected? Any insight appreciated.
P.S. When first connecting to the ASA a user is in User Exec mode. Before issuing the "enable" command, the user is able to "exit", "logout", etc. so I know those commands are authorized for known users.
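As an added example (it is not part of the question above, and not Cisco's or the ACS's own tooling), here is a small Python script that parses the AAA lines exactly as posted and triages a handful of constructed ACS "Author Failed" records. The point it makes is the one the post observes: a failing user named enable_<level> is the identity the ASA reports once the operator has dropped out of enable mode, not a real account, so no server-side or LOCAL entry will ever match it. The record format and usernames are constructed for the example.

```python
import re
from dataclasses import dataclass, field
from typing import Optional

# The AAA configuration lines exactly as posted in the question.
ASA_AAA_CONFIG = """\
aaa authentication http console tacacs-group LOCAL
aaa authentication enable console tacacs-group LOCAL
aaa authentication serial console tacacs-group LOCAL
aaa authentication ssh console tacacs-group LOCAL
aaa authorization command tacacs-group LOCAL
aaa accounting enable console tacacs-group
aaa accounting ssh console tacacs-group
aaa accounting serial console tacacs-group
aaa accounting telnet console tacacs-group
aaa accounting command privilege 15 tacacs-group
aaa authorization exec authentication-server
"""


@dataclass
class AaaRule:
    kind: str                      # authentication | authorization | accounting
    service: str                   # http, enable, serial, ssh, telnet, command, exec
    console: bool = False          # the "console" keyword was present
    privilege: Optional[int] = None  # "privilege N" on accounting command lines
    methods: list = field(default_factory=list)  # e.g. ["tacacs-group", "LOCAL"]


def parse_aaa(config: str) -> list:
    """Parse ASA 'aaa ...' lines into AaaRule records (non-aaa lines are skipped)."""
    rules = []
    for raw in config.splitlines():
        tokens = raw.split()
        if len(tokens) < 3 or tokens[0] != "aaa":
            continue
        rule = AaaRule(kind=tokens[1], service=tokens[2])
        rest = tokens[3:]
        if rest and rest[0] == "console":
            rule.console = True
            rest = rest[1:]
        if len(rest) >= 2 and rest[0] == "privilege":
            rule.privilege = int(rest[1])
            rest = rest[2:]
        rule.methods = rest
        rules.append(rule)
    return rules


def has_local_fallback(rules, kind: str, service: str) -> bool:
    """True if the matching rule lists LOCAL as a method. On the ASA, LOCAL is
    consulted only when the TACACS+ group is unreachable, not when it denies."""
    return any(r.kind == kind and r.service == service and "LOCAL" in r.methods
               for r in rules)


# The ASA reports the user as enable_<level> once the real username is gone.
ENABLE_IDENTITY_RE = re.compile(r"^enable_(\d+)$")


def classify_author_failure(username: str) -> str:
    """'identity-lost' for the synthetic enable_<N> user, else 'unknown-user'."""
    if ENABLE_IDENTITY_RE.match(username):
        return "identity-lost"
    return "unknown-user"


# Constructed stand-ins for ACS Failed Attempts entries (not real ACS output).
CONSTRUCTED_FAILED_ATTEMPTS = [
    {"user": "enable_1", "message": "Author Failed", "command": "enable"},
    {"user": "enable_1", "message": "Author Failed", "command": "exit"},
    {"user": "jdoe", "message": "Author Failed", "command": "configure terminal"},
    {"user": "jdoe", "message": "Authen OK", "command": ""},
]


def triage(records) -> dict:
    """Count authorization failures by verdict so the post-'disable' symptom
    stands out from ordinary 'user not on the server' failures."""
    counts = {}
    for rec in records:
        if rec["message"] != "Author Failed":
            continue
        verdict = classify_author_failure(rec["user"])
        counts[verdict] = counts.get(verdict, 0) + 1
    return counts


if __name__ == "__main__":
    rules = parse_aaa(ASA_AAA_CONFIG)
    for r in rules:
        print(f"{r.kind:14} {r.service:8} console={r.console!s:5} "
              f"priv={r.privilege} methods={r.methods}")
    print("command authz LOCAL fallback:",
          has_local_fallback(rules, "authorization", "command"))
    print("failed-attempt triage:", triage(CONSTRUCTED_FAILED_ATTEMPTS))
```

Run it as-is; it prints the parsed rule table, then the triage counts. The "identity-lost" bucket is the one to watch in the ACS Failed Attempts log: those entries will never be fixed by adding a user to ACS or to the local database, because the username the ASA sends is not the operator's.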