PIX Authorization issue

Answered Question
Oct 23rd, 2009

Using AAA on a PIX, authentication works fine and the AAA user has full rights over PIX, but aaa authorization always fails when going into conf t

Jatin Katyal Fri, 10/23/2009 - 06:03

Hi,

If this is an ACS user, you need to add this on ACS:

Under shared profile component > shell command authorization set, type "configure" under Unmatched Commands, type "permit terminal" under Permit Unmatched Args, make sure this has been applied to the user or group, and then try again.

HTH

JK

Plz rate helpful posts-

networker99 Fri, 10/23/2009 - 07:05

Access is still denied. The restricted group works (unable to get into enable mode), but the full access group can get into enable mode but not conf t.

Jatin Katyal Fri, 10/23/2009 - 07:11

Hi,

For the full group you just need to do this:

Under shared profile component > shell command authorization set, select the radio button Permit.

If that doesn't work, please send the screenshots of the full access command set.

HTH

JK

Plz rate helpful posts.

Jagdeep Gambhir Fri, 10/23/2009 - 07:14

The issue seems to be with command authorization. It would have been better if the running config had been included in the original post.

What message do you see on the ACS failed attempts?

Anyway, please apply the command set (the one that allows all commands) at the user level instead of the group level.

or

Check the failed attempts and see which group you are a part of, then apply the command set to that group.

Good luck!

Regards,

~JG

Do rate helpful posts


networker99 Fri, 10/23/2009 - 07:58

In the log my username shows up as "enable_15"?? and it says user unknown?

Correct Answer
Jatin Katyal Fri, 10/23/2009 - 08:03

Hi,

This happens when we have command authorization enabled on the ASA and try to run any level 15 command on the ASA.

Please check the ASA configuration and see if you are missing this command:

aaa authentication enable console LOCAL

On the ACS, make sure that the enable privilege level is level 15.

HTH

JK

Plz rate helpful posts-

networker99 Fri, 10/23/2009 - 08:07

What will this command do? Does it make me use my own individual enable password?

Jagdeep Gambhir Fri, 10/23/2009 - 08:10

This command is needed to make command authorization work.

Yes, you can set your own enable password.

Regards,

~JG

Jagdeep Gambhir Fri, 10/23/2009 - 08:07

The same issue was reported some time back as well.

Make sure you have enable authentication:

aaa authentication ssh console TACACS LOCAL

aaa authentication telnet console TACACS LOCAL

aaa authentication enable console TACACS LOCAL

aaa authorization command TACACS LOCAL

In case it does not work, please get the AAA config.

Regards,

~JG

Do rate helpful posts
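
As an added example (not from this thread or from Cisco), a small Python check for the misconfiguration the answers above describe: "aaa authorization command" is configured while one of the ssh, telnet or enable console authentication lines is missing, so enable falls back to the local enable password and the AAA server sees the session as "enable_15". The config fragments are constructed; the server-group name TACACS and the host address are placeholders.

```python
import re

# Constructed sample (not from this thread): the AAA lines of an ASA/PIX with
# command authorization on but no "aaa authentication enable console" line.
# "enable" then falls back to the local enable password, the ACS log shows
# user "enable_15", and level-15 commands are denied. Names are placeholders.
BROKEN_AAA = """\
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 192.0.2.10
aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authorization command TACACS LOCAL
"""

# Same fragment plus the line the answers in this thread ask for.
FIXED_AAA = BROKEN_AAA + "aaa authentication enable console TACACS LOCAL\n"

AUTHZ_RE = re.compile(r"^aaa authorization command (\S+)")
AUTHN_RE = re.compile(r"^aaa authentication (ssh|telnet|enable) console (\S+)")

def audit_command_authz(config: str) -> list[str]:
    """Return findings for the fragment; an empty list means it passes.

    Rule: once "aaa authorization command" is configured, ssh, telnet and
    enable each need an "aaa authentication ... console" line.
    """
    authz_group = None
    authn = {}  # login method -> first server group named on its line
    for raw in config.splitlines():
        line = raw.strip()
        m = AUTHZ_RE.match(line)
        if m:
            authz_group = m.group(1)
            continue
        m = AUTHN_RE.match(line)
        if m:
            authn[m.group(1)] = m.group(2)
    if authz_group is None:
        return []  # command authorization is off: nothing to check
    findings = []
    for method in ("ssh", "telnet", "enable"):
        if method not in authn:
            findings.append(f"'aaa authorization command {authz_group}' is set but "
                            f"'aaa authentication {method} console' is missing")
    if "enable" not in authn:
        findings.append("enable will use the local enable password; expect the AAA "
                        "server to see the session as user enable_15 and deny commands")
    return findings
```

Running audit_command_authz(BROKEN_AAA) reports the missing enable line and the enable_15 symptom; audit_command_authz(FIXED_AAA) returns no findings.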


Jatin Katyal Fri, 10/23/2009 - 08:38

Yes, if you have a separate enable password configured on the ACS, it will let you use that. But I would also suggest you keep your current session open and try from a duplicate session... just a back door entry.

HTH

JK

Plz rate helpful posts-

Omar Badawi Wed, 06/08/2011 - 02:33

I had the same problem. I could log in to the ASA using ACS and I went to enable mode using the local enable password; however, I somehow was no longer authenticated as the username I used, but my username showed enable_15, and I couldn't authorize any command, so I created a new user on the ACS (enable_15) and everything worked smoothly.

I don't think this is the solution, but it's working now.

I don't know why the username switches to enable_15, maybe because I am entering the enable secret which is local on the ASA.
