I'm seeing posts that hit all around my questions, and based on my intereptation of the documentation it appears that there is no "shell exec" authorization available to the PIX when configured to use a TACACS+ server for authentication. Is this true? The problem I have is that whenever I create a new username in SecureACS that user (w/default settings) is immediately able to login and get a shell prompt on our PIX and ASA devices. I see no means (other than a NAR) that will restrict the user from getting a shell. Am I missing something?
I know I can do command authorization, but exec authorization seems to be a glaringly missing feature.
For example, how do I allow a user to be authenticated for a WebVPN session (via TACACS), but not be allowed to login via SSH for administration?
Yes, you are correct, currently there is no shell exec on pix/asa, that we have on all routers and switches. In case you are using TACACS+ for WebVPN, and dont want to allow them to login via SSH for administration, probably you can try the same login that is used in Access Points,
Actually what happens in, if you have ever came across mac authentication on AP's. On local database of AP, user accounts are created using the mac address as username/password. But interesting thing is, they have *autocommand* in the end i.e.
username xxxx password xxxx
username xxxx autocommand exit
So what actually happens here is, though user is authenticated, but if that user tried to use their MAC address to log into AP [If they think they are cleaver enough], then they will login in and will be kicked out automatically.
Havnt tried this yet, probably we can use same logic with PIX/ASA. Making use of "auto command" under "TACACS+ Settings" for a group/user.
Probably, I'll do a small re-create of it and will let you know, you try at your end.
BenefitsDocumentationPrerequisiteImage Download LinksLimitationsSupported PlatformsLicense RequirementsTopologyStep-By-Step ConfigurationConfigure Virtual ServiceActivate the virtual service and configure guest IPsConfiguring UTD (Service Plane)Configurin...
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...