AAA on a PIX 7.2(1)

Aug 21st, 2006

Hi all,


I have the following configuration on my routers:


aaa new-model
!
!
aaa authentication login default local group tacacs+
aaa authentication login console enable
aaa authentication enable default enable
aaa authorization exec default local group tacacs+ if-authenticated
aaa authorization exec console none
aaa authorization commands 15 default local group tacacs+ if-authenticated
aaa accounting delay-start
aaa accounting suppress null-username
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common


This will basically let me log in to my routers and, by default, go to privileged mode once authenticated.


My question is, how can I do this with a PIX ASA version 7.2(1)?


I have the following on the firewall:


aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server srv1 protocol tacacs+
aaa-server srv1 (outside) host 10.10.10.10
key XXXXXXX
aaa authentication serial console LOCAL
aaa authentication telnet console srv1 LOCAL
aaa authentication ssh console srv1 LOCAL


However, when I try to log in, I enter the user and pass, but I am left only in unprivileged mode and then have to enter the enable-mode password.


Regards,

Ahmad


spremkumar Mon, 08/21/2006 - 20:46

Hi,


Can you also try configuring the command below?


aaa authentication enable console srv1



Regards


ahmaddosari Wed, 08/23/2006 - 14:06

I did this on a production firewall and unfortunately was effectively locked out of the system :)


It did not seem to help; any clue?


Thanks
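A small audit script, added here and not written by anyone in the thread, that parses ASA AAA lines of the form quoted above and reports two things the exchange so far turns on: a missing enable console authentication (the behaviour Ahmad describes, where the enable prompt falls back to the local enable password) and a server-group method with no LOCAL fallback (the lockout he then hit when the TACACS+ server could not vouch for him). The sample config is constructed from the lines in the thread plus the suggested enable line; it assumes the `server_group [LOCAL]` form the poster already uses for telnet and ssh is equally valid for enable.

```python
import re

# Constructed sample: the ASA AAA lines quoted in the thread plus the suggested
# "aaa authentication enable console srv1" line, which has no LOCAL fallback.
SAMPLE_CONFIG = """\
aaa-server srv1 protocol tacacs+
aaa-server srv1 (outside) host 10.10.10.10
aaa authentication serial console LOCAL
aaa authentication telnet console srv1 LOCAL
aaa authentication ssh console srv1 LOCAL
aaa authentication enable console srv1
"""

# aaa authentication <service> console <server_group|LOCAL> [LOCAL]
AUTH_RE = re.compile(r"^aaa authentication (\S+) console (\S+)(?: (LOCAL))?$")
# aaa-server <server_group> protocol <tacacs+|radius>
GROUP_RE = re.compile(r"^aaa-server (\S+) protocol \S+$")

def parse_aaa(config: str) -> tuple[set[str], dict[str, list[str]]]:
    """Collect the defined server groups and the method list of each console service."""
    groups: set[str] = set()
    methods: dict[str, list[str]] = {}
    for raw in config.splitlines():
        line = raw.strip()
        if m := GROUP_RE.match(line):
            groups.add(m.group(1))
        elif m := AUTH_RE.match(line):
            service, primary, fallback = m.groups()
            methods[service] = [primary] + ([fallback] if fallback else [])
    return groups, methods

def audit_asa_aaa(config: str) -> list[str]:
    """Return findings for the remote-access and enable services; empty means clean."""
    groups, methods = parse_aaa(config)
    findings: list[str] = []
    for service in ("telnet", "ssh", "enable"):
        if service not in methods:
            # Without enable console authentication the enable prompt is checked
            # against the local enable password, not the AAA server.
            findings.append(f"{service}: no console authentication configured")
            continue
        primary = methods[service][0]
        if primary != "LOCAL" and primary not in groups:
            findings.append(f"{service}: server group '{primary}' is not defined")
        if "LOCAL" not in methods[service]:
            # No LOCAL fallback: an unreachable TACACS+ server locks every admin out.
            findings.append(f"{service}: no LOCAL fallback after '{primary}'")
    return findings
```

Run it against a saved `show running-config aaa` before pushing an enable-authentication change to a production box; an empty result is the state you want.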


matt.walls Thu, 08/24/2006 - 04:57

You need to enter the following on the PIX to perform command-level authorization:

==============================

aaa authorization command LOCAL

(This looks at a TACACS group for command level and, if it cannot reach it, looks at the LOCAL db.)


Then, on ACS, you need to create a shell command set. (Note: do not use the pixshell command set, as that is not implemented on the PIX.)

jmbrady Tue, 11/14/2006 - 09:58

He doesn't want to do command-level authorization; he just wants it to place him directly into enable mode when he logs in with his username and password.


Got any idea how to do that?

andy-gerace Fri, 11/17/2006 - 06:37

The PIX will only allow you to initially log in in user mode. If you are using Cisco ACS, you can go to the user setup and, under TACACS+ enable password, select the database that you want your users to authenticate with. For example, if you use Windows AD, then you can select that. Then, when the user logs into the PIX with an AD username and password, they will be in user mode; type ena and it will prompt for a password, then type your AD password again.


As far as I know, that is the only way to do it with a PIX.

sreenath20022002 Sun, 12/10/2006 - 16:04

Hi,


You need to enter the authorization command on the ASA firewall, so that once you get authenticated you enter privileged mode and not unprivileged mode.


Only when you enter the authorization commands will the ASA firewall decide whether the particular user is able to enter privileged mode, according to the configuration.



Please let me know if you need the configuration for that, and I will send it to you.


premdeep.banga Thu, 12/14/2006 - 23:01

Hi,


Just wanted to give you a pointer that command level on a router/switch and on a PIX/ASA is totally different, and similarly the concept of privileged and unprivileged mode.


In your case, if you need something like


Device#


On the ASA, sorry, that's not gonna work, as it was not designed for that, and is still not designed for it to date. There's no concept of exec authorization on PIX/ASA, only enable authentication.


What you can do is, depending on your requirement, assign commands to a particular enable level/mode on the ASA, and, using ACS (TACACS+), let a group/user have privilege for that enable mode.


Something that might help you:


http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/sysadmin/mgaccess.htm#wp1042026


Go through the above link, and you'll have an ample idea about changing commands' privilege levels.



But be assured, the CLI for PIX/ASA doesn't work as in the case of legacy routers/switches, but Cisco is trying to bridge the gap =P


Regards,

Prem
