User exec shell Authorization on ASA using IAS radius

Answered Question
Aug 5th, 2009

Using ASA 5540 - 8.0(4) & trying to get the EXEC Shell (15) authorization for authenticated user from IAS radius server. Have used the aaa authorization command on the ASA & have specified the attributes on the IAS radius as shown in the config guide but still the user is dropped into default exec level. I need to use the enable command to get the user to privilege exec level.

Collin Clark Wed, 08/05/2009 - 05:14

You can't go directly to enable mode, you must enter a second password. The ASA is a security appliance and it requires 'two-factor' authentication.

Jagdeep Gambhir Wed, 08/05/2009 - 06:00

Yes, firewall does not support exec authorization so there is no way you can directly fall in enable mode. Be it radius or tacacs.


Regards,

~JG

pn8-12345 Mon, 08/17/2009 - 06:28

Jagdeep,

Hi, I am using Microsoft radius server to authenticate the users. I would like to get the exec shell level 15 authorization from the radius as well.

As per the config guide I need to add the aaa authorization command on the ASA. I then need to configure the radius attributes as shown in the config guide. This I have done but it still does not work. The config guide says I can get the exec shell 15 authorization from the radius. Is it possible for you to confirm this, or is this not possible & my interpretation of the config guide is not correct?

I am going to do some investigation on the box this weekend. So any help would be appreciated.

pn8-12345 Mon, 08/17/2009 - 06:22

Collin,

Hi, I am using Windows Radius server to do the authentication. I would like to get the exec authorization from the Radius as well. I have added the aaa authorization command on to the ASA.

The config guide says this should work if the attributes are appropriate on the Radius. I have configured them on the radius according to the Cisco config guide but it is still not working.

Are you saying this does not work in the 8.0 code?

Correct Answer
Jatin Katyal Tue, 08/18/2009 - 15:38

Hi All,


Though the "Exec authorization command" was introduced in ASA code 7.1, the ASA does not support AAA Exec Authorization functionality yet, so it cannot be configured with TACACS or RADIUS.


The enhancement request has already been filed on this.
