08-21-2006 05:44 AM - edited 03-10-2019 02:43 PM
Hi all,
I have the following configuration on my routers:
aaa new-model
!
!
aaa authentication login default local group tacacs+
aaa authentication login console enable
aaa authentication enable default enable
aaa authorization exec default local group tacacs+ if-authenticated
aaa authorization exec console none
aaa authorization commands 15 default local group tacacs+ if-authenticated
aaa accounting delay-start
aaa accounting suppress null-username
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common
This will basically let me login to my routers and by default go to privileged mode once authenticated.
My question is how can I do this with a PIX ASA version 7.2(1)?
I have the following on the firewall:
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server srv1 protocol tacacs+
aaa-server srv1 (outside) host 10.10.10.10
key XXXXXXX
aaa authentication serial console LOCAL
aaa authentication telnet console srv1 LOCAL
aaa authentication ssh console srv1 LOCAL
However, when I try to log in I enter the user and pass, but I am left only in unprivileged mode and then I have to enter the enable-mode password.
Regards,
Ahmad
08-21-2006 08:46 PM
Hi,
Can you also try configuring the command below?
aaa authentication enable console srv1
Regards
08-23-2006 02:06 PM
I did on a production firewall and unfortunately I was effectively locked out of the system :)
Did not seem to help, any clue?
Thanks
08-24-2006 04:57 AM
You need to enter on the pix the following to perform command level authorization:
==============================
aaa authorization command
(this looks at a TACACS group for command level and if it cannot reach, looks at the LOCAL db).
Then on ACS you need to create a shell command set. (note, do not use the pixshell command set, as that is not implemented on pix).
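The two commands suggested so far (the enable authentication line in the earlier reply and the command authorization line in this one), written out here as an added example rather than any poster's actual config: the server tag srv1, the interface name and the host 10.10.10.10 are taken from the thread, while the key, username and passwords are placeholders. Each method list ends in LOCAL so that the firewall falls back to the local user database when the TACACS+ servers cannot be reached; note that this fallback only triggers when the servers are unreachable, not when a server rejects the login, and the ASA still has no exec authorization, so the user types enable and is then authenticated against srv1.

```text
! Added example, not the original poster's configuration.
! srv1, (outside) and 10.10.10.10 come from the thread; everything in <...> is a placeholder.
aaa-server srv1 protocol tacacs+
aaa-server srv1 (outside) host 10.10.10.10
 key <TACACS_KEY_PLACEHOLDER>
!
! Local fallback account, consulted only when every server in srv1 is unreachable.
username <LOCAL_ADMIN_PLACEHOLDER> password <PASSWORD_PLACEHOLDER> privilege 15
enable password <ENABLE_PASSWORD_PLACEHOLDER>
!
! Serial console stays LOCAL so a TACACS+ outage never blocks physical access.
aaa authentication serial console LOCAL
aaa authentication telnet console srv1 LOCAL
aaa authentication ssh console srv1 LOCAL
!
! Enable authentication against TACACS+; the trailing LOCAL is the fallback
! that the one-line suggestion earlier in the thread omitted.
aaa authentication enable console srv1 LOCAL
!
! Command authorization against TACACS+ with local fallback (the command set
! for the user or group is defined on the ACS side).
aaa authorization command srv1 LOCAL
```

Keep a console session open while applying this on a production firewall and verify a fresh SSH login and enable before closing it.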
11-14-2006 09:58 AM
He doesn't want to do Command Level Authorization, he just wants it to place him directly into enable mode when he logs in with his username and password.
Got any idea how to do that?
11-17-2006 06:37 AM
For Pix, it will only allow you to initially log in with user mode. If you are using Cisco ACS, you can go to the user setup and under TACACS+ enable password, you can select it to use the database that you want your users to authenticate with. For example, if you use Windows AD, then you can select that. Then when the user logs into the Pix with AD username and pw, it will be in user mode, type ena and it will prompt for password, then type your AD password again.
As far as I know, that is the only way to do it with a Pix.
12-01-2006 07:30 AM
In addition, the link below helps a lot!
http://www.cisco.com/en/US/tech/tk59/tsd_technology_support_troubleshooting_technotes_list.html
There are a lot of cases and instructions to configure authentication.
Regards,
Rafael Lanna
12-10-2006 04:04 PM
Hi,
You need to enter the authorization command in the ASA firewall, so that once you get authenticated you enter privileged mode and not unprivileged mode.
Only when you enter the authorization commands will the ASA firewall decide whether the particular user is able to enter privileged mode, according to the configuration.
Please let me know if you need the configuration for that; let me send it to you.
12-14-2006 11:01 PM
Hi,
Just wanted to give you a pointer that command level on Router/switch and PIX/ASA is totally different. And similarly the concept of privileged and un-privileged mode.
In your case, if you need something like
Device#
on ASA, sorry, that's not gonna work, as it was not designed for that, and is still not designed for that to date. There's no concept of exec authorization on PIX/ASA, only enable authentication.
What you can do is, depending on your requirement, assign commands to a particular enable level/mode on ASA, and using ACS (TACACS+), let a group/user have privilege for that enable mode.
Something that might help you :
Go through above link, and you'll have ample idea about changing commands privilege level.
But be assured, CLI for PIX/ASA doesn't work as in the case of legacy routers/switches, but Cisco is trying to bridge the gap =P
Regards,
Prem