Cisco Support Community

AAA Authorization on PIX

I have a PIX running 6.3(5) and ACS 3.3 and I'm trying to configure AAA Authorization on the PIX. I followed the docs on Cisco, however I can't get anything to work. AAA authentication is already working so I know that end is OK. What I want to do is allow a certain ACS group to be able to login to the firewall (level 1 only) and have the ability to do a show run. Do I need to change the privilege of show run to level 1?

Here are the docs I've been following:

http://cisco.com/en/US/partner/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#asso1

http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a00800949d6.shtml

3 REPLIES

Re: AAA Authorization on PIX

The trick here is to give all users priv 15 and then set up command authorization as per your need. Giving a user priv 15 does not mean that the user will be able to execute all commands.

The doc you are referring to is right. Please check the attachment.

Regards,

~JG

Re: AAA Authorization on PIX

JG-

Thanks for the screenshots! I set the users to level 15 but I get the same results. I have a ShowRun group that allows the following: show permit run, exit, and quit, and denies anything not matching. I have a second group FullControl that permits any unmatched. I assigned level 15 to both groups and set each group to the appropriate shell command group. The weird thing is, with my test login (in the ShowRun group) I can do show ?, but that's it. If I login with my ID (FullControl) I can only do the exact same thing, show ?. I must be missing something (easy I'm sure).

Re: AAA Authorization on PIX

Are you using an external database? Make sure that the user is mapped to the correct group. You can check it from passed or failed attempts. Check

It should map the user (limited access) to the ShowRun group.

Regards,

~JG
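For reference, here is the PIX 6.3 side of the setup the replies describe (TACACS+ command authorization, with the command decision made by the ACS group's Shell Command Authorization Set rather than by the local privilege table). This is an added example, not config from the thread or the linked docs; the server tag TACACS+, the inside interface, the ACS address 10.1.1.10 and the shared key SecretKey are placeholders, and lines starting with ! are annotations rather than commands.

```text
! --- PIX 6.3: point authentication and command authorization at ACS ---
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 10.1.1.10 SecretKey timeout 5
! Login and enable authentication (the part already working for the poster)
aaa authentication telnet console TACACS+
aaa authentication ssh console TACACS+
aaa authentication enable console TACACS+
! Every command typed after login is now sent to ACS for a permit/deny
! answer; the user's privilege level only needs to get them into enable,
! so "show running-config" stays at its default level and users sit at 15
aaa authorization command TACACS+

! --- ACS 3.3 side (Shared Profile Components > Shell Command Authorization
! --- Sets, assigned under Group Setup), as the poster described it ---
! Set "ShowRun":     Unmatched commands: Deny
!                    show  -> permit run
!                    exit  -> (no arguments) permit
!                    quit  -> (no arguments) permit
! Set "FullControl": Unmatched commands: Permit
```

When a command is refused, compare the command and argument string recorded in the ACS reports (Passed/Failed Attempts and, assuming logging is enabled for it, TACACS+ Administration) against the permit entry, and confirm the report shows the user landing in the expected group.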
