enable_1 command authorization failed after "disable"
I have AAA configured on an ASA 8.0(3) to a CiscoSecure ACS server as follows:
aaa authentication http console tacacs-group LOCAL
aaa authentication enable console tacacs-group LOCAL
aaa authentication serial console tacacs-group LOCAL
aaa authentication ssh console tacacs-group LOCAL
aaa authorization command tacacs-group LOCAL
aaa accounting enable console tacacs-group
aaa accounting ssh console tacacs-group
aaa accounting serial console tacacs-group
aaa accounting telnet console tacacs-group
aaa accounting command privilege 15 tacacs-group
aaa authorization exec authentication-server
Everything works except when disconnecting - a privileged exec account is able to "exit" or "logout" as expected, but if a privileged exec account first reverts to User Exec mode by issuing the "disable" command, no further commands are authorized.
Command authorization failed
In the Failed Attempts log of the ACS server I see the "Author Failed" message type from the user "enable_1" ...
It seems that when an authenticated/authorized user exits enable mode the ASA "loses" the account name, and any further commands are issued by this "enable_1", which does not exist locally, on the ACS server, or in any external DBs, so authorization is failing. This is annoying, as it prevents changing modes: after a user "disable"s they cannot "enable" again either...
Is this behavior expected? Any insight appreciated.
P.S. When first connecting to the ASA a user is in User Exec mode. Before issuing the "enable" command, the user is able to "exit", "logout", etc. so I know those commands are authorized for known users.
Re: enable_1 command authorization failed after "disable"
To send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI, use the aaa accounting command command in global configuration mode. To disable support for command accounting, use the no form of this command. If you customize the command privilege level using the privilege command, you can limit which commands the security appliance accounts for by specifying a minimum privilege level. The security appliance does not account for commands that are below the minimum privilege level.
Use the command "aaa accounting command privilege 0 tacacs-group" instead of "aaa accounting command privilege 15 tacacs-group", which may solve the issue.
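As an added example (not from the original thread), here is a small Python audit that flags the symptom described in the question in exported ACS Failed Attempts records and reports which minimum privilege level the ASA's "aaa accounting command" line uses, so the fix suggested in the reply can be verified. The CSV column names and the sample rows are constructed for this example and are not the real ACS export layout.

```python
import csv
import io
import re

# Constructed sample of ACS "Failed Attempts" records. The column layout is an
# assumption for this example, not the real ACS export format.
SAMPLE_FAILED_ATTEMPTS = """\
Date,Time,Message-Type,User-Name,Caller-ID,Network Access Server Name
03/12/2008,14:02:11,Author Failed,enable_1,10.0.0.5,asa-edge
03/12/2008,14:02:15,Author Failed,enable_1,10.0.0.5,asa-edge
03/12/2008,14:05:40,Authen Failed,jdoe,10.0.0.9,asa-edge
03/12/2008,14:06:02,Author Failed,jdoe,10.0.0.9,asa-edge
"""

# Placeholder account name the ASA reports once the real username is lost
# after "disable" (the "enable_1" seen in the question; the level may vary).
ENABLE_PLACEHOLDER = re.compile(r"^enable_\d+$")


def find_lost_username_failures(csv_text):
    """Return (NAS name, caller, time) for each command-authorization failure
    attributed to an enable_N placeholder rather than a real user."""
    hits = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row["Message-Type"] == "Author Failed" and ENABLE_PLACEHOLDER.match(row["User-Name"]):
            hits.append((row["Network Access Server Name"], row["Caller-ID"], row["Time"]))
    return hits


def accounting_privilege_level(asa_config):
    """Return N from 'aaa accounting command privilege N <group>' in a running
    config, or None when no command-accounting line is present."""
    m = re.search(r"^aaa accounting command privilege (\d+)", asa_config, re.M)
    return int(m.group(1)) if m else None


# Constructed excerpt of the configuration from the question.
ASA_CONFIG = """\
aaa authorization command tacacs-group LOCAL
aaa accounting command privilege 15 tacacs-group
"""

if __name__ == "__main__":
    for nas, caller, when in find_lost_username_failures(SAMPLE_FAILED_ATTEMPTS):
        print(f"{nas}: enable_N authorization failure from {caller} at {when}")
    print("command accounting minimum privilege:", accounting_privilege_level(ASA_CONFIG))
```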