ASA 7.2 enable auth via tac_plus

jbeltrame (Level 1)

Has anyone been able to get an ASA running 7.2 to have a user enable correctly? Here is my config:

    aaa-server TAC protocol tacacs+
    aaa-server TAC (outside) host XX.XX.XX.XX
    key XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
    aaa authentication ssh console TAC LOCAL
    aaa authentication serial console TAC LOCAL
    aaa authentication enable console TAC LOCAL
    aaa authorization command TAC LOCAL

    group = pixadmin {
        default service = permit
        acl = pixes
        service = exec {
            priv-lvl = 15
        }
    }

    user = username {
        login = des XXXXXXXXXXXX
        member = pixadmin
    }

I can log in, but can't enable using the password. It doesn't look as if the privilege level is coming across correctly.

2 Replies

gfullage (Cisco Employee)

The ASA/PIX doesn't do "exec" authorization like a router does, to put you straight into privilege level 15, if that's what you're asking. The privilege level is only used with command authorization, where you can put certain commands into certain privilege levels, and the user can then only run those commands.

Basically, what I am trying to accomplish is to have a TACACS user be able to go into enable mode with their same password. I can get the user logged in, but the only way I can get that user into enable mode is using the local enable password. If I run aaa authentication enable console TACSERVER LOCAL, I can't enable with any user. I don't know if this can be done without using Cisco ACS.
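As an added illustration of the point gfullage makes (not configuration from either poster), here is a Shrubbery tac_plus configuration that relies on per-command authorization clauses rather than on the exec privilege level, which the ASA only consults for command authorization. It assumes tac_plus's documented `cmd = … { permit/deny regex }` syntax and its `$enab15$` convention for a level-15 enable entry; the key, hashes and group names are placeholders, and the `pixreadonly` group is a constructed second profile to show a deny-by-default set.

```conf
# Added example: tac_plus.conf fragment for an ASA doing
#   aaa authentication enable console TAC LOCAL
#   aaa authorization command TAC LOCAL
# All secrets and hashes below are placeholders.
key = PLACEHOLDER_SHARED_SECRET

# Entry tac_plus consults for level-15 enable requests that carry no
# per-user enable password (assumption: standard $enab15$ convention).
user = $enab15$ {
    login = des PLACEHOLDER_DES_HASH
}

# Administrators: everything allowed unless a cmd clause says otherwise.
# priv-lvl is kept for command authorization only; the ASA does not use
# it to drop a user straight into enable mode.
group = pixadmin {
    default service = permit
    service = exec {
        priv-lvl = 15
    }
    # The ASA sends each command (name + arguments) to the server and
    # applies the first matching permit/deny; arguments are regexes.
    cmd = write {
        permit memory
        deny .*
    }
}

# Read-only operators: deny by default, then open up only what is needed.
# Commands with no cmd block at all are denied by "default service = deny".
group = pixreadonly {
    default service = deny
    cmd = show {
        permit .*
    }
    cmd = enable {
        permit .*
    }
    cmd = exit {
        permit .*
    }
}

user = alice {
    login = des PLACEHOLDER_DES_HASH
    member = pixadmin
}

user = bob {
    login = des PLACEHOLDER_DES_HASH
    member = pixreadonly
}
```

With this in place the effective restriction comes from the `cmd` clauses the ASA evaluates on every command, so a read-only user who does reach enable mode still cannot run anything outside the permitted set; that is the behaviour to test against rather than expecting the exec privilege level to do the gating.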
