AAA on a PIX 7.2(1)

ahmaddosari
Level 1

Hi all,

I have the following configuration on my routers:

aaa new-model
!
!
aaa authentication login default local group tacacs+
aaa authentication login console enable
aaa authentication enable default enable
aaa authorization exec default local group tacacs+ if-authenticated
aaa authorization exec console none
aaa authorization commands 15 default local group tacacs+ if-authenticated
aaa accounting delay-start
aaa accounting suppress null-username
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 1 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
aaa session-id common

This basically lets me log in to my routers and, by default, go straight to privileged mode once authenticated.

My question is how can I do this with a PIX ASA version 7.2(1)?

I have the following on the firewall:

aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server srv1 protocol tacacs+
aaa-server srv1 (outside) host 10.10.10.10
 key XXXXXXX
aaa authentication serial console LOCAL
aaa authentication telnet console srv1 LOCAL
aaa authentication ssh console srv1 LOCAL

However, when I try to log in I enter the user and pass, but I am left only at the unprivileged mode and then have to enter the enable mode password.

Regards,

Ahmad

8 Replies

spremkumar
Level 9

Hi,

Can you also try configuring the command below?

aaa authentication enable console srv1

regds

I did that on a production firewall and unfortunately I was effectively locked out of the system :)

Did not seem to help, any clue?

Thanks

You need to enter the following on the PIX to perform command-level authorization:

==============================

aaa authorization command LOCAL

(This looks at a TACACS+ group for command level and, if it cannot reach it, looks at the LOCAL db.)

Then on ACS you need to create a shell command set. (Note: do not use the pixshell command set, as that is not implemented on the PIX.)
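As an added example (not from this thread, and not Cisco's code), here is a small Python checker that reads an ASA/PIX 7.x AAA configuration and flags the two things that bit this thread: remote authentication or command authorization with no LOCAL fallback (the lockout reported above) and a missing `aaa authentication enable console` line (the "left at unprivileged mode" symptom). The sample config is constructed from the commands in the thread, with LOCAL deliberately dropped from the ssh line and the two commands suggested in the replies added so the checker has something to report; the regexes, function names and finding strings are my own.

```python
"""Lint an ASA/PIX 7.x AAA configuration for lockout and fallback issues.

Added example, not from the thread. Parses config text line by line and
returns a list of human-readable findings.
"""
import re

# Matches the ASA/PIX command forms used in this thread (constructed regexes).
SERVER_GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
SERVER_HOST_RE = re.compile(r"^aaa-server (\S+) \(\S+\) host (\S+)")
AUTH_RE = re.compile(
    r"^aaa authentication (serial|telnet|ssh|http|enable) console (\S+)(?: (LOCAL))?$"
)
AUTHZ_RE = re.compile(r"^aaa authorization command (\S+)(?: (LOCAL))?$")

# Constructed sample: the firewall config from the question, with LOCAL
# dropped from the ssh line and the two commands suggested in the replies
# added, so that the checker has something to report.
SAMPLE_CONFIG = """\
aaa-server TACACS+ protocol tacacs+
aaa-server RADIUS protocol radius
aaa-server srv1 protocol tacacs+
aaa-server srv1 (outside) host 10.10.10.10
 key XXXXXXX
aaa authentication serial console LOCAL
aaa authentication telnet console srv1 LOCAL
aaa authentication ssh console srv1
aaa authentication enable console srv1
aaa authorization command srv1
"""


def parse_aaa(config_text):
    """Return (groups, auth, authz) extracted from the config text.

    groups: group name -> {"protocol": str, "hosts": [ip, ...]}
    auth:   access method -> (primary server or "LOCAL", has_local_fallback)
    authz:  (server, has_local_fallback) for command authorization, or None
    """
    groups, auth, authz = {}, {}, None
    for raw in config_text.splitlines():
        line = raw.strip()
        m = SERVER_GROUP_RE.match(line)
        if m:
            groups[m.group(1)] = {"protocol": m.group(2), "hosts": []}
            continue
        m = SERVER_HOST_RE.match(line)
        if m and m.group(1) in groups:
            groups[m.group(1)]["hosts"].append(m.group(2))
            continue
        m = AUTH_RE.match(line)
        if m:
            auth[m.group(1)] = (m.group(2), m.group(3) is not None)
            continue
        m = AUTHZ_RE.match(line)
        if m:
            authz = (m.group(1), m.group(2) is not None)
    return groups, auth, authz


def lint_aaa(config_text):
    """Return a list of findings; an empty list means no issue was detected."""
    groups, auth, authz = parse_aaa(config_text)
    findings = []
    for method, (primary, fallback) in sorted(auth.items()):
        if primary == "LOCAL":
            continue  # local-only authentication cannot be locked out by a dead server
        if primary not in groups:
            findings.append(f"{method}: server group '{primary}' is not defined")
        elif not groups[primary]["hosts"]:
            findings.append(f"{method}: server group '{primary}' has no host configured")
        if not fallback:
            findings.append(f"{method}: no LOCAL fallback; lockout if '{primary}' is unreachable")
    if "enable" not in auth:
        findings.append("enable: no 'aaa authentication enable console'; users land in "
                        "unprivileged mode and must know the enable password")
    if authz is not None:
        server, fallback = authz
        if server != "LOCAL":
            if server not in groups:
                findings.append(f"command authorization: server group '{server}' is not defined")
            elif groups[server]["protocol"] != "tacacs+":
                findings.append("command authorization: requires a tacacs+ group, "
                                f"'{server}' is {groups[server]['protocol']}")
            if not fallback:
                findings.append("command authorization: no LOCAL fallback; "
                                f"lockout if '{server}' is unreachable")
    return findings


if __name__ == "__main__":
    for finding in lint_aaa(SAMPLE_CONFIG):
        print(finding)
```

Run it against a saved `show running-config` before committing an AAA change from a second, already-open session; the point of the LOCAL keyword on each line is exactly that it keeps a way in when the TACACS+ host is unreachable.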

He doesn't want to do command-level authorization; he just wants it to place him directly into enable mode when he logs in with his username and password.

Got any idea how to do that?

andy-gerace
Level 1

For PIX, it will only allow you to initially log in to user mode. If you are using Cisco ACS, you can go to the user setup and, under TACACS+ enable password, select the database you want your users to authenticate with. For example, if you use Windows AD, you can select that. Then when the user logs into the PIX with the AD username and password, it will be in user mode; type ena and it will prompt for a password, then type your AD password again.

As far as I know, that is the only way to do it with a PIX.

In addition, the link below helps a lot!

http://www.cisco.com/en/US/tech/tk59/tsd_technology_support_troubleshooting_technotes_list.html

There are a lot of cases and instructions for configuring authentication.

Regards,

Rafael Lanna

Hi,

You need to enter the authorization commands on the ASA firewall, so that once you get authenticated you enter privileged mode and not unprivileged mode.

Only when you enter the authorization commands will the ASA firewall decide whether the particular user is able to enter privileged mode according to the configuration.

Please let me know if you need the configuration for that; I can send it to you.

Hi,

Just wanted to give you a pointer that command levels on routers/switches and on PIX/ASA are totally different, and similarly the concept of privileged and unprivileged mode.

In your case, if you need something like

Device#

On ASA, sorry, that's not going to work, as it was not designed that way, and is not designed that way to date. There's no concept of exec authorization on PIX/ASA, only enable authentication.

What you can do, depending on your requirement, is assign commands to a particular enable level/mode on the ASA and, using ACS (TACACS+), let a group/user have privilege for that enable mode.

Something that might help you:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/sysadmin/mgaccess.htm#wp1042026

Go through the above link, and you'll have ample idea about changing command privilege levels.

But be assured, the CLI for PIX/ASA doesn't work as in the case of legacy routers/switches, but Cisco is trying to bridge the gap =P

Regards,

Prem
