New Member

PIX Authorization issue

Using AAA on a PIX, authentication works fine and the AAA user has full rights over PIX, but aaa authorization always fails when going into conf t

1 ACCEPTED SOLUTION

Accepted Solutions
Cisco Employee

Re: PIX Authorization issue

Hi,

This happens when we have command authorization enabled on ASA

and try to run any level 15 command on ASA.

Please check the ASA configuration and see if you are missing this command:

aaa authentication enable console LOCAL

on the ACS make sure that enable level privilege is level 15

HTH

JK

Plz rate helpful posts-

~BR Jatin Katyal **Do rate helpful posts**
15 REPLIES
Cisco Employee

Re: PIX Authorization issue

Hi,

If this is a ACS user, you need to add this on ACS

Under shared profile component > shell command authorization set > type

"configure" under unmatched commands: and type permit terminal under the permit unmatched args and make sure this has been applied on the user or group and then try again.

HTH

JK

Plz rate helpful posts-

~BR Jatin Katyal **Do rate helpful posts**
New Member

Re: PIX Authorization issue

Access is still denied. The restricted group works (unable to get into enable mode), but the full access group can get into enable mode but not conf t.

Cisco Employee

Re: PIX Authorization issue

Hi,

For the full group you just need to do this:

Under shared profile component > shell command authorization set > select the radio button permit.

If that doesn't work, please send screenshots of the full access command set.

HTH

JK

Plz rate helpful posts.

~BR Jatin Katyal **Do rate helpful posts**

Re: PIX Authorization issue

The issue seems to be with command authorization. It would have been better if the running config had been included in the original post.

What message do you see on acs failed attempt?

Anyway, please apply the command set (that allows all commands) at user level instead of group level.

or

Check the failed attempts and see which group you are a part of, then apply command set to that group.

Good luck!

Regards,

~JG

Do rate helpful posts

New Member

Re: PIX Authorization issue

Where in ACS can I see failed authorization messages?

Re: PIX Authorization issue

Reports and activities -->failed attempts

New Member

Re: PIX Authorization issue

In the log my username shows up as "enable_15"?? and it says user unknown?

New Member

Re: PIX Authorization issue

What will this command do? Does it make me use my own individual enable password?

Re: PIX Authorization issue

This command is needed to make command authorization work.

Yes, you can set your own enable password.

Regards,

~JG

Re: PIX Authorization issue

The same issue was reported some time back as well.

Make sure you have enable authentication:

aaa authentication ssh console TACACS LOCAL

aaa authentication telnet console TACACS LOCAL

aaa authentication enable console TACACS LOCAL

aaa authorization command TACACS LOCAL

In case it does not work, please get the aaa config.

Regards,

~JG

Do rate helpful posts
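As an added example (not code from the thread or from Cisco), the following Python check reads an ASA/PIX running-config and flags the situation described in the accepted solution and in the reply above: command authorization configured without an "aaa authentication enable console" line, which is what turns the session user into the unknown "enable_15"; it also warns when a statement has no LOCAL fallback. The two sample configs are constructed to mirror the state the original poster describes and the four-line fix from this reply.

```python
from __future__ import annotations
import re

# The two ASA/PIX AAA statements this thread turns on.
AUTH_RE = re.compile(
    r"^aaa authentication (?P<proto>ssh|telnet|serial|http|enable) console (?P<servers>.+)$")
AUTHZ_RE = re.compile(r"^aaa authorization command (?P<servers>.+)$")


def check_aaa_config(config: str) -> list[str]:
    """Return findings for a running-config; an empty list means the
    command-authorization prerequisites from the thread are all present."""
    auth: dict[str, list[str]] = {}   # protocol -> server groups, e.g. ['TACACS', 'LOCAL']
    authz: list[str] | None = None    # server groups for 'aaa authorization command'
    for raw in config.splitlines():
        line = raw.strip()
        if (m := AUTH_RE.match(line)):
            auth[m.group("proto")] = m.group("servers").split()
        elif (m := AUTHZ_RE.match(line)):
            authz = m.group("servers").split()

    findings: list[str] = []
    if authz is None:
        return findings                # no command authorization, nothing to check
    if "enable" not in auth:
        findings.append(
            "command authorization is enabled but 'aaa authentication enable console' "
            "is missing: a user who enters enable with the local enable password is "
            "tracked as 'enable_15', which the AAA server does not know")
    # Lockout caveat: keep LOCAL as fallback on every AAA statement so an
    # unreachable TACACS server does not lock administrators out of the box.
    for proto, servers in auth.items():
        if "LOCAL" not in servers:
            findings.append(f"'aaa authentication {proto} console' has no LOCAL fallback")
    if "LOCAL" not in authz:
        findings.append("'aaa authorization command' has no LOCAL fallback")
    return findings


# Constructed sample: login works and command authorization is on, but enable
# authentication is absent, so the username becomes enable_15 after 'enable'.
BROKEN_CONFIG = """\
aaa-server TACACS protocol tacacs+
aaa authentication ssh console TACACS LOCAL
aaa authentication telnet console TACACS LOCAL
aaa authorization command TACACS LOCAL
"""

# Constructed sample: the four statements recommended in the reply.
FIXED_CONFIG = BROKEN_CONFIG.replace(
    "aaa authorization command",
    "aaa authentication enable console TACACS LOCAL\naaa authorization command")

if __name__ == "__main__":
    for name, cfg in (("broken", BROKEN_CONFIG), ("fixed", FIXED_CONFIG)):
        print(name, check_aaa_config(cfg) or "OK")
```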

Cisco Employee

Re: PIX Authorization issue

Yes, if you have a separate enable password configured on the ACS, it will let you use that. But I would also suggest you keep your current session open and try from a duplicate session... just a back door entry.

HTH

JK

Plz rate helpful posts-

~BR Jatin Katyal **Do rate helpful posts**
New Member

Re: PIX Authorization issue

I had the same problem. I could log in to the ASA using ACS and I went to enable mode using the local enable password; however, I somehow was no longer authenticated as the username I used, but my username showed as enable_15, and I couldn't authorize any command, so I created a new user on the ACS (enable_15) and everything worked smoothly.

I don't think this is the solution, but it's working now.

I don't know why the username switches to enable_15, maybe because I am entering the enable secret which is local on the ASA.
