Cisco Support Community
Community Member

ASA 7.2 enable auth via tac_plus

Has anyone been able to get an ASA running 7.2 to have a user enable correctly? Here is my config:

aaa-server TAC protocol tacacs+
aaa-server TAC (outside) host XX.XX.XX.XX

aaa authentication ssh console TAC LOCAL
aaa authentication serial console TAC LOCAL
aaa authentication enable console TAC LOCAL
aaa authorization command TAC LOCAL

group = pixadmin {
    default service = permit
    acl = pixes
    service = exec {
        priv-lvl = 15
    }
}

user = username {
    login = des XXXXXXXXXXXX
    member = pixadmin
}

Can log in, but can't enable using password. Doesn't look as if the priv. level is coming across correctly.

Cisco Employee

Re: ASA 7.2 enable auth via tac_plus

The ASA/PIX doesn't do "exec" authorization like a router does, to put you straight into privilege level 15, if that's what you're asking. The privilege level is only used with command authorization, where you can put certain commands into certain privilege levels, and the user can then only run those commands.

Community Member

Re: ASA 7.2 enable auth via tac_plus

Basically, what I am trying to accomplish is to have a tacacs user be able to go into enable mode with their same password. I can get the user logged in, but the only way I can get that user into enable mode is using the local enable password. If I run aaa authentication enable console TACSERVER LOCAL, I can't enable with any user. Don't know if this is able to be done without using Cisco ACS.
