Cisco Support Community

The AAA Exec Authorization with RADIUS or TACACS fails to work on the ASA

Core issue

The Authentication, Authorization, and Accounting (AAA) clients fail to directly log into enable mode after authentication on an ASA.


This issue occurs because the ASA does not understand the cisco-avpair = "shell:priv-lvl=15" attribute.

The ASA supports AAA Exec Authorization functionality starting from ASA version 8.0(2). The command aaa authorization exec authentication-server can be used to configure this feature.

ASA versions earlier than 8.0(2) do not support this functionality, so it cannot be configured with TACACS or RADIUS on them. The workaround is to manually switch from the user mode to the enable mode.
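
A minimal ASA configuration that puts the command above in context, added here as an illustration and not taken from the original document. The server group name AAA_RADIUS, the interface name inside, the address 192.0.2.10 and the key are placeholders.

```cisco
! Constructed example: AAA_RADIUS, (inside), 192.0.2.10 and the key are placeholders.
aaa-server AAA_RADIUS protocol radius
aaa-server AAA_RADIUS (inside) host 192.0.2.10
 key <shared-secret>
!
! Authenticate SSH logins against the server group; LOCAL is used only
! when no server in the group responds.
aaa authentication ssh console AAA_RADIUS LOCAL
!
! Authenticate the "enable" command against the same group, so the manual
! switch from user mode to enable mode is checked by the AAA server.
aaa authentication enable console AAA_RADIUS LOCAL
!
! Exec authorization using the attributes returned by the authentication
! server (ASA 8.0(2) and later only).
aaa authorization exec authentication-server
```

Keep a local administrator account in the LOCAL database before applying this, so that a server outage does not lock out management access.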

Version history
Revision #: 1 of 1
Last update: 06-22-2009 04:02 PM
Cisco Employee


The exec authorization implementation is a bit different in the ASA than in the routers/switches. In the routers and switches, with the exec authorization we can configure a user to fall into the exec mode directly by assigning a privilege level from the authentication server itself. For RADIUS this can be done by using cisco-avpair = "shell:priv-lvl=" followed by the level you want to assign.

However, the ASA still doesn't understand the "shell:priv-lvl" attribute. So if you configure Shell authorization on the ASA, you can limit the CLI access by pushing certain attributes.

If you push the RADIUS attribute "Service-type =Administrative" you would have full access on the CLI and the ASDM. If you push the "Service-type=NAS-Prompt" you would have access to the ASDM but no access to the CLI.

But for this we should have configured the "enable authentication".

For the TACACS protocol, the user would be able to authenticate only if you have the option for "Shell" checked.



Cisco Employee


Sorry, but I am not sure if I understand this correctly. So using the aaa authorization exec authentication-server command on the ASA running 8.0(2) or a later release, the ASA will still not understand the cisco-avpair = "shell:priv-lvl=15" attribute?

Or did I misunderstand it?