Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
cancel
Community Member

"authorization exec" on PIX/ASA

I'm seeing posts that hit all around my questions, and based on my intereptation of the documentation it appears that there is no "shell exec" authorization available to the PIX when configured to use a TACACS+ server for authentication. Is this true? The problem I have is that whenever I create a new username in SecureACS that user (w/default settings) is immediately able to login and get a shell prompt on our PIX and ASA devices. I see no means (other than a NAR) that will restrict the user from getting a shell. Am I missing something?

I know I can do command authorization, but exec authorization seems to be a glaringly missing feature.

For example, how do I allow a user to be authenticated for a WebVPN session (via TACACS), but not be allowed to login via SSH for administration?

1 REPLY
Community Member

Re: "authorization exec" on PIX/ASA

Hi,

Yes, you are correct, currently there is no shell exec on pix/asa, that we have on all routers and switches. In case you are using TACACS+ for WebVPN, and dont want to allow them to login via SSH for administration, probably you can try the same login that is used in Access Points,

Actually what happens in, if you have ever came across mac authentication on AP's. On local database of AP, user accounts are created using the mac address as username/password. But interesting thing is, they have *autocommand* in the end i.e.

username xxxx password xxxx

username xxxx autocommand exit

So what actually happens here is, though user is authenticated, but if that user tried to use their MAC address to log into AP [If they think they are cleaver enough], then they will login in and will be kicked out automatically.

Havnt tried this yet, probably we can use same logic with PIX/ASA. Making use of "auto command" under "TACACS+ Settings" for a group/user.

Probably, I'll do a small re-create of it and will let you know, you try at your end.

Regards,

Prem

206
Views
0
Helpful
1
Replies
CreatePlease to create content