ASA Local Command Authorization problem?

blackhat2020
Level 1

Hi, I have configured command authorization on my ASA with TACACS and I have also configured shell command authorization for different users in ACS 4.2. When I'm using ACS for command authorization there is no problem, but when I disconnect my connection to ACS from the ASA, I get stuck in configuration, even though I have configured aaa authorization command TACACS LOCAL. When the connection to ACS is lost I get very limited access to my ASA (LOCAL is configured at the end of the above command). I have also configured a user with Priv 15, so when I log in to my ASA with this local user I have limited access even though its Priv level is 15. So do I have to configure anything else to give me full access at level 15 when there is no access to ACS and aaa authorization command <server group> LOCAL is configured? Thanks


Jagdeep Gambhir
Level 10

Hi,

Please check this known bug,

CSCsj56051 Bug Details

AAA authorization commands LOCAL fallback broken

Symptom:

aaa authorization fallback to LOCAL fails, blocking some commands to be executed and displaying "Command authorization failed" error message even though local authorization should be granted.

Conditions:

TACACS+ server communication is lost, LOCAL is configured next in the list.

Workaround:

none.

Further Problem Description:

7.2.2 does not show this behavior.

8.0(3) does not show this behavior.

Regards,

~JG

Do rate helpful posts

Hi,

Further to JG's update: I also came across this defect, and I did a lab recreate for LOCAL command authorization on 8.0.3 and confirmed the issue has been fixed.

Now, with your current config and code 8.0.x, you can access or run any command with a privilege 15 user. However, for read-only access with LOCAL authorization you need to update your config with lots of commands.

HTH

JK

Plz rate helpful posts-

~Jatin

Thank you guys very much, but what about the FWSM 3.2 image? Because now I'm going to configure it on the 3.2 OS!

Hello,

I had the same problem and found out that the problem exists on 8.0.2.

I had to downgrade to 7.2.1, remove aaa authorization command and reboot to 8.0.2 again to have normal rights.

Kind regards
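
An added example, not part of the thread: a small Python check to run over a saved running-config before relying on LOCAL fallback for command authorization. It looks for the three things this thread turns on: the `aaa authorization command <server group> LOCAL` line, a local user at privilege 15, and a release the thread reports as not showing CSCsj56051. The sample config, the usernames and the function name `audit_fallback` are constructed for illustration.

```python
import re

# Constructed sample running-config (not taken from the thread). The server
# group name TACACS matches the command quoted in the question.
SAMPLE_CONFIG = """\
ASA Version 8.0(2)
username netadmin password <redacted> encrypted privilege 15
username readonly password <redacted> encrypted privilege 5
aaa-server TACACS protocol tacacs+
aaa authorization command TACACS LOCAL
"""

# Releases the thread names as not showing the CSCsj56051 behaviour.
REPORTED_OK = {"7.2(2)", "8.0(3)"}


def audit_fallback(config):
    """Return a list of findings; an empty list means no gap was found."""
    findings = []
    lines = [line.strip() for line in config.splitlines()]

    # Method list after "aaa authorization command", e.g. ["TACACS", "LOCAL"].
    authz = [l.split()[3:] for l in lines
             if l.startswith("aaa authorization command ")]
    if not authz:
        findings.append("command authorization is not enabled")
    elif "LOCAL" not in authz[0]:
        findings.append("no LOCAL fallback: commands are refused when the "
                        "server group is unreachable")

    # Fallback is only useful if a local account exists at privilege 15.
    admins = [m.group(1) for l in lines
              if (m := re.match(r"username (\S+) .*\bprivilege 15\b", l))]
    if not admins:
        findings.append("no local user at privilege 15 for use during fallback")

    ver = re.search(r"^ASA Version (\S+)", config, re.M)
    version = ver.group(1) if ver else "unknown"
    if version not in REPORTED_OK:
        findings.append(f"version {version} is not one the thread reports as "
                        "unaffected by CSCsj56051; test fallback in a lab")
    return findings


if __name__ == "__main__":
    for finding in audit_fallback(SAMPLE_CONFIG):
        print("FINDING:", finding)
```

A clean result only means the configuration is in place; the thread's point is that fallback still has to be tested with the ACS connection actually down.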