Hi, I have a pair of PIX 535s running 7.04 with ASDM 5.0(1). I have used the ASDM wizard, which has set up three roles:
1) ASDM_Admin (priv 15)
2) ASDM_Readonly (priv 5)
3) ASDM_Monitor (priv 3)
The PIX now has these user accounts in the local database and some additional config assigning certain commands to the relevant privilege levels.
I have now configured the ACS 3.3 to be the first authenticator for these accounts, but they all end up with privilege 15 or nothing (command authorisation failed). I have set up the accounts and assigned the correct privilege level under the respective group, and have also tried creating an authorisation set only allowing the appropriate commands for that priv level. But the PIX does not seem to reflect the update. Does anyone know if there is a doc detailing how to set up these roles with ACS, or is there an av-pair defined role I can assign or something?
If you were to go into ASDM and look at Properties > Device Access > AAA Access > Authorization > Set ASDM Defined User Roles, you'll see a list of commands that have moved down in privilege. Essentially what you would need to do is use TACACS command authorization and create command authorization sets in ACS that would allow a Readonly user to execute all the commands of privilege 5 and lower that are listed in the aforementioned ASDM list. And then for a Monitor user, you would only allow them to execute all commands at level 3 and lower.
On the PIX itself, you would need to make sure command authorization is turned on and pointing to your ACS server:
aaa authorization command tacacs+_server_group LOCAL
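As an added example (not configuration posted in this thread), here is the PIX 7.x side of what the reply above describes: a TACACS+ server group for ACS, login and command authorization pointed at it, and the local database kept as fallback. The group name ACS, the interface name, the address 192.0.2.10, the key and the usernames are constructed placeholders.

```cisco
! Added example, not from the thread. Server group "ACS", interface
! "inside", host 192.0.2.10, the key and the account names are placeholders.
!
! Local accounts at the three privilege levels the ASDM wizard created.
! These are only consulted when ACS cannot be reached (LOCAL fallback).
username asdm_admin password <admin-secret> privilege 15
username asdm_readonly password <ro-secret> privilege 5
username asdm_monitor password <mon-secret> privilege 3
!
! TACACS+ server group containing the ACS 3.3 server.
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.0.2.10
 key <shared-secret>
!
! SSH, ASDM (HTTP) and enable logins go to ACS first, then the local database.
aaa authentication ssh console ACS LOCAL
aaa authentication http console ACS LOCAL
aaa authentication enable console ACS LOCAL
!
! Every command (CLI and the commands ASDM issues) is sent to ACS for
! authorization; if the server is unreachable the local privilege levels
! decide instead. This is the line from the reply above.
aaa authorization command ACS LOCAL
!
! One of the ASDM-defined role lines: "show version" lowered to level 5 so a
! Readonly user may run it once the matching ACS command set permits it.
privilege show level 5 command version
```

While ACS is reachable, the command authorization set associated with the user's ACS group, not these local privilege lines, decides whether each command is permitted.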
Thanks for replying. I did set up 3 authorisation sets named after the particular roles and did point the PIX at the ACS, but it did not seem that the PIX took any notice of the sets, as I kept getting "Command Authorisation failed" even when the authorisation set associated with the user allowed all commands.
When I checked the ACS logs I see for example "show version unknown command" entered in the failed log.
Would it be possible to get a glimpse of what the entire failed attempt entry shows? Generally, we probably want to look at the Author-Data field.
Are you seeing this when you try to access the ASDM, or while testing command authorization with the command line? Do you happen to be using the pix command authorization sets? Or are you using the shell command authorization sets?
I am using the "shell auth sets", not the PIX auth sets. I get the error "command auth failed" when I try to do anything from the command line after SSHing in, and get the "unknown command" entry in the ACS logs.
If I try ASDM I get an error something like "insufficient rights to execute sh version, check command authorisation".
I can't remember whether this creates a failed entry in ACS logs but will check.
Should I be using a Pix command authorisation set?
So, it actually depends on the type of service the ASA is requesting. I actually don't know this myself, but if you were to look at the Author-Data field in the failed attempts, and you see something like "service=pixshell...", then you would use the Pix Command Authorization sets. If you see "service=shell...", then you would use the Shell Command Authorization sets.