Bronze

ASA w/ TACACS - You do NOT have enable Admin Rights to the console

I'm rolling out TACACS+ authentication to a data center and hit a really odd issue I've never seen before. After applying this configuration to the ASA:

aaa-server CISCOACS protocol tacacs+
aaa-server CISCOACS (inside) host 1.2.3.4
timeout
key ********
aaa authentication ssh console CISCOACS LOCAL
aaa authentication enable console CISCOACS LOCAL
aaa authentication telnet console CISCOACS LOCAL
aaa authentication http console CISCOACS LOCAL
aaa authentication serial console CISCOACS LOCAL
aaa authorization command CISCOACS LOCAL

I get this behavior:

$ ssh myfirewall
john.smith@myfirewall's password:
Type help or '?' for a list of available commands.
myfirewall/pri/act> en
Password: ********
[ john.smith ] You do NOT have enable Admin Rights to the console

The TACACS+ server is Cisco Secure ACS 5.4p4. The ASA is a 5510, software version 8.2(5).

I have an ASA5510 in a different data center, same config, same software, working fine. Any ideas or thoughts?

3 REPLIES
Cisco Employee

ASA w/ TACACS - You do NOT have enable Admin Rights to the console

How exactly does the shell (exec) profile look for the authorization rule that is being used for the ASA?

Can you post a screen shot?

~BR
Jatin Katyal

**Do rate helpful posts**

Bronze

Re: ASA w/ TACACS - You do NOT have enable Admin Rights to the console

Ahh... well, I found part of my problem. There was this line in the config:

aaa authorization exec authentication-server

Removing it solved the problem. But re: the relevant shell profile, it's configured like this in ACS:

Privilege Level:
Default Privilege: Static / Level 1
Maximum Privilege: Static / Level 15

If I set the default privilege to "Not in Use", that also will fix it.
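
The thread pins the symptom on `aaa authorization exec authentication-server` together with the ACS shell profile's default privilege level, and the original post notes that a second ASA with "the same config" worked. The script below is an added example, written by the editor and not posted by any participant in this thread or shipped by Cisco: it parses the AAA lines out of an ASA running-config text and reports the combination the thread identified, plus any console that authenticates against a server group with no `LOCAL` fallback (a lockout risk if the TACACS+ server is unreachable). The config text, the `1.2.3.4` address and the key value are constructed placeholders modelled on the thread, and the `parse_aaa` and `audit_aaa` function names are the editor's own.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the thread's configuration, including the
# "aaa authorization exec authentication-server" line that turned out to be
# the cause. The host address and key are placeholders, not real values.
ASA_CONFIG = """\
aaa-server CISCOACS protocol tacacs+
aaa-server CISCOACS (inside) host 1.2.3.4
 timeout 5
 key PLACEHOLDER_KEY
aaa authentication ssh console CISCOACS LOCAL
aaa authentication enable console CISCOACS LOCAL
aaa authentication telnet console CISCOACS LOCAL
aaa authentication http console CISCOACS LOCAL
aaa authentication serial console CISCOACS LOCAL
aaa authorization command CISCOACS LOCAL
aaa authorization exec authentication-server
"""

PROTO_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)$")
AUTH_RE = re.compile(r"^aaa authentication (\S+) console (\S+)(?:\s+(LOCAL))?$")
EXEC_RE = re.compile(r"^aaa authorization exec (\S+)$")


def parse_aaa(config: str) -> Dict:
    """Extract the AAA-relevant lines of an ASA running-config into a dict."""
    model = {
        "protocols": {},            # server-group name -> protocol
        "hosts": [],                # (group, interface, address) tuples
        "authentication": {},       # console type -> (group, has_local_fallback)
        "exec_authorization": None, # argument of "aaa authorization exec", if set
    }
    for raw in config.splitlines():
        line = raw.strip()          # sub-mode lines (timeout, key) are indented
        if m := PROTO_RE.match(line):
            model["protocols"][m.group(1)] = m.group(2)
        elif m := HOST_RE.match(line):
            model["hosts"].append((m.group(1), m.group(2), m.group(3)))
        elif m := AUTH_RE.match(line):
            model["authentication"][m.group(1)] = (m.group(2), m.group(3) == "LOCAL")
        elif m := EXEC_RE.match(line):
            model["exec_authorization"] = m.group(1)
    return model


def audit_aaa(config: str) -> List[str]:
    """Return human-readable findings about the AAA configuration."""
    model = parse_aaa(config)
    findings = []
    enable = model["authentication"].get("enable")
    # The combination this thread identified: enable authentication against the
    # TACACS+ group while exec authorization hands privilege decisions to the
    # server's shell profile.
    if enable and model["exec_authorization"] == "authentication-server":
        findings.append(
            f"enable console authenticates against {enable[0]} while "
            "'aaa authorization exec authentication-server' is set: the ACS "
            "shell profile's privilege level now affects whether 'enable' "
            "succeeds (the cause found in this thread)"
        )
    # Generic lockout check: every console should keep a LOCAL fallback.
    for console, (group, has_local) in model["authentication"].items():
        if not has_local:
            findings.append(
                f"{console} console has no LOCAL fallback: lockout risk "
                f"if server group {group} is unreachable"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_aaa(ASA_CONFIG):
        print("-", finding)
```

Running it against a working box's `show running-config aaa` output and against the broken one, and comparing the two finding lists, is a quicker way to spot the stray line than eyeballing the full config.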

Cisco Employee

Re: ASA w/ TACACS - You do NOT have enable Admin Rights to the console

That's what I was thinking: how come you're not using the command "aaa authorization exec authentication-server" in your ASA config and still getting the error "You do NOT have enable Admin Rights to the console"?

~BR
Jatin Katyal

**Do rate helpful posts**
