05-26-2013 08:43 PM - edited 03-11-2019 06:49 PM
Hi all,
Below is the problem statement:
For device admin purpose, when enable AAA access/Authorization in ASDM, it not allow user to configure the ASA via CLI.
when trying to configure, It will promopt message of "command authorization failed"
For the topology setup:
01.ASA code running in version 8.4.2
02. Cisco ACS running in version 5.3.0.40
For device admin purpose, using Cisco ACS 5.3 as the backend AAA server, running on protocol TACACS+
There's no issue on AAA setting of authenticaiton and authorization part. Shell profile's privilege level and command set's command were running well in Cisco ios router/switch device.
For ASA ASDM access, it able to support users' Shell profile's privilege level assigned at Cisco ACS server.
Specific user privilege on ASA were using "configure command privleges", it's using default setting, apply to all. View-only on privilege 3, admin level on 15.
Problem only after enable ASDM AAA access/ authorization, it not allow to configure the ASA via CLI
attach the snipet of ASA firewall config and the debug log,
Hope you guys able to pin point my mistake.
Million Thanks
Noel
Solved! Go to Solution.
05-28-2013 05:31 AM
set the maximum privilege to 15 in policy elements. Even after doing that, you will still be able to access only show commands. This is a required settings for enable authentication.
Jatin Katyal
- Do rate helpful posts -
05-26-2013 11:48 PM
Hello Yong,
Is there a way you can share a snapshot of the error u are getting on the ACS (The log on the TACACS+ authorization AAA monitoring area)
That would lead us to a solution as right now seems to be a missconfiguration with the command set configured as result for that specific user,
Regards
05-27-2013 12:51 AM
05-27-2013 05:33 AM
Hi Yong,
Since you are doing command authorization against ACS/TACACS and then local.
aaa authorization command ACS LOCAL
so If we are configuring command authorization on ASA, we have to make sure that we have enable authenticaiton configured from the same tacacs server. otherwise we would see failed logs for "enable_15".
Please add the below listed command on the ASA and make sure we define and use the enable password from ACS.
aaa authentication enable console ACS LOCAL
Let me know how it goes.
Jatin Katyal
- Do rate helpful posts -
05-27-2013 09:58 AM
Hello Yong,
Agree with Jatin,
The thing with the ASA is that when performing authorization it will do a preservation of the username, in this case it will preserve the username in privilege mode ( as you are not authenticating the enable password it will use the default privilige_15 username )
Authenticate the enable password against the ACS and you should be good to go,
Let us know the result,
Regards
05-28-2013 12:42 AM
hi both
thanks for the idea and it do work on this case.
but i hit another problem !
My test case only telling username: admin with privilege level 15; whilst i have another user with lower privilege, username:ops with privilege level 3, role is monitoring, and read-only on configuration (CLI)
In CLI, it can pass thru the authentication process, but not able to let username:ops get into exec mode. It stuck in enable password.
Even i create the enable password with privilege level 3, but it also not let go.
Anything i can tune?
Thanks again
05-28-2013 12:50 AM
Since TACACS is your primary authentication method so it doesn't matter what role you have on the local database. I would like to see what enable privileges you have assisgned user:ops on the ACS. Can you get the screen shot from the policy elements.
Also, take a look at the tacacs authentication section in the logging and monitoring section to see what error you are getting.As far as I guess, it should be related to enable privileges.
Jatin Katyal
- Do rate helpful posts -
05-28-2013 02:03 AM
05-28-2013 05:31 AM
set the maximum privilege to 15 in policy elements. Even after doing that, you will still be able to access only show commands. This is a required settings for enable authentication.
Jatin Katyal
- Do rate helpful posts -
05-28-2013 10:04 PM
Hi Jatin
It work as expected, thanks for these days support
Noel
11-25-2015 06:53 PM
I got the same issue with admin context, when I hit a command, an error message : command authorization failed.
An account : enable_15 who is authneticated not my normal account.
The solution was to create a new account in ACS with enable_15 as credential.
10-09-2017 11:07 AM - edited 10-09-2017 11:11 AM
.
Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community: