Assigning privilege level using Radius

Similar Messages

• Assigning Privilege Level Thru RADIUS

  I'm using Microsoft IAS as my RADIUS server. We have a number of Cisco 2800 routers running the latest IOS which are also acting as VPN servers for our remote user connecting using their laptops via IPSec and Cisco VPN Client. How can I set the privilege level for the authenticated users so that the remote VPN users are given privilege level 0 and the Administrators are given privilege level 15, so they can login to routers and manage them.

  Prem
  Thanks for attaching a very interesting document. worth the 5 rating.
  HTH
  Rick

• How to Assign Privilege Levels with CiscoSecure ACS TACACS+

  how to assign privilege level to a user in secure ACS TACACS+ user exist in external database
  Regards,
  Bilal

  Hi Bilal,
  Bring users/groups in at level 15
      1.  Go to user or group setup in ACS
      2.  Drop down to "TACACS+ Settings"
      3.  Place a check in "Shell (Exec)"
      4.  Place a check in "Privilege level" and enter "15" in the adjacent field
  Regards,
  ~JG
  Do rate helpful posts

• ASDM and privilege level (using TACACS)

  Hi experts,
  Initial question:     How can I force ASDM to ask for the enable password when the user click on Apply ?
  Environment description:
  I have an ASA 5510 connected to an ACS 5.0.
  Security policy:
  I want the user defined on my ACS to be able to gain privilege level 15 but only after using their enable password. But by default the user must be in no privileged mode (<15).
  A SNMP alert is sent when the ASA catches a "User priv level changed" syslog message. (logging customization)
  ACS configuration:
  Maybe I misunderstand the TACACS privilege level parameters on ACS.
  I set a Shell Profile which gives the user the following privilege levels:
  Default Privilege Level = 7
  Maximum Privilege Level = 15
  1st config tested on ASA:
  aaa authentication ssh console grp-tacacs LOCAL
  aaa authentication http console grp-tacacs LOCAL
  aaa authentication enable console grp-tacacs LOCAL
  ! no authorization set
  Results:
       On CLI:     perfect
  My user authenticates with his network password to get EXEC access. Then he gains privilege access using the enable command and his enable password
       On ASDM:     policy security failure
  When the user connects through ASDM, he gains privilege level 15 directly
  It seems that if authorization is not set, ASDM always gives privilege level 15 to any user
  So OK for CLI, but NOK pour ASDM
  2nd config tested on ASA:
  aaa authentication ssh console grp-tacacs LOCAL
  aaa authentication  http console grp-tacacs LOCAL
  aaa authentication enable console grp-tacacs LOCAL
  aaa authorization exec authentication-server
  ! no authorization command set
  Results:
       On CLI:     lose enable access
  I can't gain privilege level 15 access anymore. When I use the enable command, I move to privilege level 7 only. So in this case ASA use the TACACS Default Privilege Level value.
       On ASDM:     policy security failure
  When the user connects through ASDM, he gains privilege level 7 as describe on the bottom of the ASDM window BUT the user has full rights and can change settings.
  So NOK for CLI and ASDM
  Question:    Why do I have more access rights with ASDM as on CLI with the same settings ?
  3rd config tested on ASA:
  aaa authentication ssh console grp-tacacs LOCAL
  aaa authentication  http console grp-tacacs LOCAL
  aaa authentication enable console grp-tacacs LOCAL
  aaa authorization exec authentication-server
  aaa authorization command LOCAL
  ! specific authorization command set for ASDM applied
  Results:
       On CLI:     lose enable access (same as config 2)
       On ASDM:     unenable to gain privilege level 15 --> acceptable
  When the user connects through ASDM, he gains privilege level 7 as describe on the bottom of the ASDM window AND the user really has level 7 access rights.
  So NOK for CLI and Acceptable for ASDM
  Question:     Is there no possibility to move to enable mode on ASDM ?
  4th config tested on ASA:
  aaa authentication ssh console grp-tacacs LOCAL
  aaa authentication  http console grp-tacacs LOCAL
  aaa authorization exec authentication-server
  aaa authorization command LOCAL
  ! no aaa authentication for 'enable access', using local enable_15 account
  ! specific authorization command set for ASDM applied
  Results:
       On CLI:     acceptable
  My user authenticates with his network password to get EXEC access. Then he gains privilege access using the enable command and the local enable password
       On ASDM:     unenable to gain privilege level 15 --> acceptable (same as config 3)
  So Acceptable for CLI and ASDM
  Questions review:
  1 - Is it possible to force ASDM to ask for the enable password when the user click on Apply ?
  2 - Why do I have different access rights using ASDM as on CLI with the same settings ?
  3 -  Is there no possibility to move to enable mode on ASDM when the user is on privilege level 7 whereas he has Maximum Privilege Level = 15 ?
  4 - How may I understand these parameters on TACACS: Default Privilege Level and Maximum Privilege Level ?
  Thanks for your help.

  Thanks for your answer jedubois.
  In fact, my security policy is like this:
  A) Authentication has to be nominative with password enforcement policy
       --> I'm using CS ACS v5.1 appliance with local user database on it
  B) Every "network" user can be granted priviledge level 15
       --> max user priviledged level is set to 15 in my authentication mechanism on ACS
  C) A "network" user can log onto the network equipments (RTR, SW and FW) but having monitor access only first.
  D) A "network" user can be granted priviledged level 15 after a second authentication which generates a log message
       --> SNMP trap sent to supervision server
  E) The user password and enable password have to be personal.
  So, I need only 2 priviledged level:
  - monitor (any level from 1 to 14. I set 7)
  - admin (level 15)
  For RTR, SW and FW (on CLI), it works as wanted: the "network" users connect to the equipment in monitor mode. They type "enable" and they use their private enable password to be granted priviledged level 15.
  ASDM interface is requested by the customer.
  For ASDM, as I were not able to satisfy the security policy, I apply this:
  1- I activated Exec Shell Access authorization to get the default user priviledge level value from ACS
       --> Then, when I log onto the ASDM using a "network" user, I have priviledge level 7 but I am able to change the parameter.
  2- I activated LOCAL Command authorization (adding "ASDM defined User Roles")
       --> Then, when I log onto the ASDM using a "network" user, I have priviledge level 7 and I can't push any modification.
       --> The issue is that I can't push any modification on CLI either ... :-( because my user is stuck on "default priviledge level" 7 and can't get access to "max priviledge level 15" as defined on ACS when LOCAL authorization is set
       (ok I go on my ACS and move the default priviledge level to 15 to restore an admin access to the ASA and apply 3- before resetting it to default priviledge level to 7)
  3- I remove "aaa authorization enable console TACACS" to use local enable password
       --> now I can't get admin access on ASDM: OK
       --> and I can get admin access on CLI entering the local enable password
  At the end, I satisfy my policy security tokens A to D but not E. That's a good compromise but do you see a solution to satisfy E either ?
  Thanks

• Privilege level 15 to ASA cli administrator via Radius

  Hello Friends!
  Is this supported yet on the ASA?  I want to be able to have radius assign privilege levels to firewall cli administrators.
  Upon login, I'd like them to be immediately be placed into "enabled mode" (without needing to know the local enable password).  I believe we can set the maximum privilege level the user can attain.  But for now, I simply want to have everyone go into priv level 15 without having to know the shared enable secret password.  Switching to tacacs isn't an option.
  I remember finding out a while back that this was not possible.  Please tell me this is now possible.  It's almost 2013.

  Thanks Marcin!
  Very interesting.  Now that you mention it, I do remember seeing someone use the login command after they had already logged in.  That's what they must have been doing.  I wonder what the thought process was in developing it this way.
  I suppose a few different ways around this are (since not everyone will know of this odd behavior and I'm not the only one logging in) to configure radius to authenticate users and then either:
  1.  Configure a MOTD banner that says "ATTENTION:  Type the command 'login', followed by your regular credentials AGAIN to be put into enable mode."
  or
  2.  Configure a MOTD banner that says "ATTENTION:  To gain enable mode privileges, type the command 'enable', followed by the password cisco.".
  Horrible idea?  Thoughts?
  // example of the second 'login' command working:
  ssh [email protected]
  [email protected]'s password:
  Warning!
  Warning!
  Type help or '?' for a list of available commands.
  fw1> ?
    clear       Reset functions
    enable      Turn on privileged commands
    exit        Exit from the EXEC
    help        Interactive help for commands
    login       Log in as a particular user
    logout      Exit from the EXEC
    no          Negate a command or set its defaults
    ping        Send echo messages
    quit        Exit from the EXEC
    show        Show running system information
    traceroute  Trace route to destination
  fw1> login
  Username: admin
  Password: *********
  fw1#
  fw1# sh run username
  username admin password encrypted privilege 15

• Configure Read-Acces via user-defined privilege level

  Hello everybody,
  I´m looking for the best configuration to restrict a user to read-only. The restriction should be configured via CLI not TACACS+.
  Hardware: 3750 (probably not interesting for this question)
  Oldest IOS: 12.2(53)SE1
  The user should be allowed to:
  see the running-configuration
  trigger all kinds of show-commands
  ping and traceroute from the device
  The user should not be allowed to:
  upload/delete/rename files on the flash-memory
  get into level 15 (not sure if I can avoid this)
  all other commands despite those from level 1 and those specified above
  Can someone help me with this?
  Thanks in advance!
  I won´t forget to rate helpful posts

  Hi Tobias,
  You can
  configure  Multiple Privilege Levels  on a switch as explained below.
  By default, the Cisco IOS software has two modes of password security: user EXEC and
  privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode.
  By configuring multiple passwords, you can allow different sets of users to have access to
  specified commands.
  For example, if you want many users to have access to the clear line command, you can
  assign it level 2 security and distribute the level 2 password fairly widely. But if you
  want more restricted access to the configure command, you can assign it level 3 security
  and distribute that password to a more restricted group of users.
  Setting the Privilege Level for a Command
  Beginning in privileged EXEC mode, follow these steps to set the privilege level for a
  command mode:
       Command  Purpose 
        Step 1 
       configure terminal
       Enter global configuration mode.
        Step 2 
       privilege mode level level command
       Set the privilege level for a command.
  For mode, enter configure for global configuration mode, exec for EXEC mode, interface
  for interface configuration mode, or line for line configuration mode.
  For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges.
  Level 15 is the level of access permitted by the enable password.
  For command, specify the command to which you want to restrict access.
        Step 3 
       enable password level level password
       Specify the enable password for the privilege level.
    .For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges.
  For password, specify a string from 1 to 25 alphanumeric characters. The string cannot
  start with a number, is case sensitive, and allows spaces but ignores leading spaces. By
  default, no password is defined.
        Step 4 
       end
       Return to privileged EXEC mode.
        Step 5 
       show running-config
       or
        show privilege
       Verify your entries.
  The first command shows the password and access level configuration. The second command
  shows the privilege level configuration.
        Step 6 
       copy running-config startup-config
       (Optional) Save your entries in the configuration file.
  When you set a command to a privilege level, all commands whose syntax is a subset of that
  command are also set to that level. For example, if you set the show ip traffic command to
  level 15, the show commands and show ip commands are automatically set to privilege level
  15 unless you set them individually to different levels.
  To return to the default privilege for a given command, use the no privilege mode level
  level command global configuration command.
  This example shows how to set the configure command to privilege level 14 and define
  SecretPswd14 as the password users must enter to use level 14 commands:
  Switch(config)# privilege exec level 14 configure
  Switch(config)# enable password level 14 SecretPswd14
  Also you can change the default privilege level for all the users .
  Changing the Default Privilege Level for Lines Beginning in privileged EXEC mode, follow these steps to change the default privilege level for a line:    Command  Purpose 
  Step 1   configure terminal  Enter global configuration mode.
    Step 2   line vty line  Select the virtual terminal line on which to restrict access.
  Step 3   privilege level level  Change the default privilege level for the line.
               For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode
               privileges. Level 15 is the level of access permitted by the enable password. 
  Step 4  end  Return to privileged EXEC mode. 
  Step 5   show running-config  or show privilege
            Verify your entries. The first command shows the password and access level configuration.
            The second command shows the privilege level configuration.
    Step 6   copy running-config startup-config  (Optional) Save your entries in the configuration file. 
  Users can override the privilege level you set using the privilege level line configuration command
  by logging in to the line and enabling a different privilege level.
  They can lower the privilege level by using the disable command.
  If users know the password to a higher privilege level, they can use that password to enable the higher privilege level. You might specify a high level or privilege level for your console line to restrict line usage. 
  To return to the default line privilege level, use the no privilege level line configuration command. Also i am sending a document for your reference.
  http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225see/scg/swauthen.htm#wp1154063
  HTH
  Regards
  Inayath

• Enable aaa accounting commands for all privilege levels?

  Here is the command's syntax:
  aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [broadcast] group groupname
  The "command" accounting type must include the privilege level of the commands you are logging. How do I log ALL commands?
  Take the following example:
  aaa accounting commands 15 default start-stop group mygroup
  If I issue this command will that mean commands the user executes that have a privilege level lower than 15 will not be logged? Or only commands that require exactly privilege level 15 will be logged?
  How can I log all commands regardless of privilege level?

  Hi Red,
  If you customize the command privilege level using the privilege command, you can limit which commands the appliance accounts for by specifying a minimum privilege level. The security appliance does not account for commands that are below the minimum privilege level.
  The default privilege level is 0. So if you don't specify any privilege level then all should be accounted for.
  You can find the command detail at. This is for ASA though.
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/a1.html#wp1535253
  Regards,
  Kanwal
  Note: Please mark answers if they are helpful.

• Default Privilege Level for ASA users authenticated by Radius or TACACS when using ASDM

  Hello,
  I'm trying to figure out what the default privilege level is for users that are authenticated to the ASA via a remote authentication server when using the ASDM.
  the command "aaa authentication http console TACACS+ LOCAL" is used in the ASA config.
  The remote server is NOT setting any privilege levels for users.  There are also no aaa authorization commands present in the config.
  So what privilege level do the users receive when they login with the ASDM?  I'm being told that the users receive admin access which includes config write, reboot, and debug.  But I cannot find any documentation stating hte default level.
  Please advise.  And providing links to cisco documentation would be great too.
  Thanks,
  Brendan

  Hi Berendan,
  Hope the below exerpt from document clarifies your query. also i have provided the link to refer.
  About Authorization
  Authorization controls access per user after users authenticate. You can configure the security appliance to authorize the following items:
  •Management commands
  •Network access
  •VPN access
  Authorization controls the services and commands available to each authenticated user. Were you not to enable authorization, authentication alone would provide the same access to services for all authenticated users.
  If you need the control that authorization provides, you can configure a broad authentication rule, and then have a detailed authorization configuration. For example, you authenticate inside users who attempt to access any server on the outside network and then limit the outside servers that a particular user can access using authorization.
  The security appliance caches the first 16 authorization requests per user, so if the user accesses the same services during the current authentication session, the security appliance does not resend the request to the authorization server.
  http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/asdm60/user/guide/usrguide/aaasetup.html
  Regards
  Karthik

• Aaa radius server control privilege level

  I've got radius authentication working on my switch, but I'm trying to allow two types of users login using Windows Active Directory. NetworkUsers who can view configuration and NetworkAdmins who can do anything. I would like for NetworkAdmins to when they login go directly into privilege level 15 but cant get that part to work. Here is my setup:
  Windows 2008 R2 Domain controller with NPS installed.
  Radius client: I have the IP of the switch along with the key. I have cisco selected under the vendor name in the advance tab
  Network Policies:
  NetworkAdmins which has the networkadmin group under conditions and under settings i have nothing listed under Standard and for Vendor Specific i have :
  Cisco-AV-Pair    Cisco    shell:priv-lvl=15
  My switch config:
  aaa new-model
  aaa group server radius MTFAAA
   server name dc-01
   server name dc-02
  aaa authentication login NetworkAdmins group MTFAAA local
  aaa authorization exec NetworkAdmins group MTFAAA local
  radius server dc-01
   address ipv4 10.0.1.10 auth-port 1645 acct-port 1646
   key 7 ******
  radius server dc-02
   address ipv4 10.0.1.11 auth-port 1645 acct-port 1646
   key 7 ******
  No matter what i do it doesnt default to privilege level 15 when i login. Any thoughts

  Have you specified the authorization exec group under line vty? I think it is authorization exec command. Something like that.

• ASDM Privilege Level default 15 for Radius users

  So this may be a bit of a dumb question...
  I stumbled upon an ASA today that is configured to authenticate against a Radius server for SSH and HTTPS connections. If I log in via SSH, I can't gain a privilege level of more than 1 (tried login command, etc).
  However, if I log in with ASDM, I always have privilege level 15.
  Command authorization is not enabled.
  Is this default behavior. If so, why? Do I need to enable command authorization to override this behavior?
  FYI, the system in question is running ASA 8.3(1)
  Thanks much

  aaa-server RADGR protocol radius
  aaa-server RADGR host 10.2.2.2
  timeout 4
  key cisco123
  aaa authentication enable console RADGR LOCAL
  After logging in, use the enable command with your user password.
  http://www.cisco.com/en/US/partner/docs/security/asa/asa83/configuration/guide/access_management.html#wp1145571

• 802.1X for wired environments using Radius/ACS for Dynamic Vlan Assignment

  Currently Being Moderated
  802.1X for wired environments  using Radius/ACS for Dynamic Vlan Assignment
  Could someone please provide me with a simplest set of configuration steps to fire up Radius in ACS and 802.1X for dynamic vlan assignment. The objective is to roll out NAC L2 OOB using the 802.1X method for dymamic vlan assignments.
  If possible show:
  1. ACS/Radius Configurations.
  2. End User Switch Configurations
  Variables:
  Switch A
  MAC Address aaaa.bbbb.cccc     Vlan 10
              bbbb.cccc.dddd     Vlan 20
  Also, if someone posts the Pros and Cons of using Radius/ACS/802.1X for Dynamic Vlan Assignments.
  Other technology sets that can be used for Dynamic Vlan assignment EXCEPT from deprecated/obsolete VMPS.
  Thanks in advance. .

  Hi Guys,
      Hmmm, well if your just looking for Mac based authentication the good news is that is very easy.  Just set create your Radius server, ACS, FreeRadius, Steelbelted radius etc.  Then create user with the name of the Mac address, in other words if the mac address is 0012.0021.1122 the the name would be 001200211122 and the password would be the mac address.  Then you set the vlan and tunnel stuff, like so tunnel-Type would be vlan, Tunnel-medium would be 802 and Tunnel-Private-Group-ID is the name of the vlan(not the vlan number)
     So for the Cisco ACS 4.x you would create a user as specified above, fill in all the password boxes with MAC address, I believe the mac has to be all lower case in the name and the password.  Then check the Separate(Chap/MS-Chap/ARAP) box.  Then you pick the group the machine belongs to, the group is the part that defines what vlan it is on.
     Before you create the user, create the group with info I wrote above and in addition specify the Service-Type as Authenticate Only.
      Freeradius is a bit harder to configure the specifics and I am just now testing a freeradius server so I do not know the process for Machine authentication.
      If, however, you are trying to authenticate a user that gets a bit trickier and is not so straight forward.

• Enable mode using privilege levels

  Hi All,
  We use TACACS+ for telnet access and enable secret password for privileged access. An user would like to enter the enable mode without entering the enable secret password. Is it possible to do this using privilege levels and shell exec on the AAA server?

  I have configured a user on AAA server and under the enable options, I have selected level 15 and under shell exec, I have selected privilege level 15.
  The router has following config
  aaa authorization exec default tacacs+ if-authenticated
  aaa authorization commands 1 default tacacs+ if-authenticated
  aaa authorization commands 15 default tacacs+ if-authenticated
  Am I missing any other commands?

• Username with privilege level 15 bypass enable

  Hi experts,
  I guess I never really understand the authentication process on Cisco routers and devices lol. Anyway I want users with privilege level 15 to be put in the enable mode right away after login without having to type in "enable" command and enable password. Users with other privilege levels will still be put in the EXEC mode.
  AAA has to be enabled because I'm using it for 802.1x as well.
  The privilege level eventually will be assigned by Radius server but right now the user is created locally on the switch. Right now I have:
  aaa new-model
  username admin privilege 15 secret 5 $1$2bdl$VIp53G4/zpo4f9aHh.t5v0
  username cisco secret 5 $1$NGdD$ehTUzwappJFMxgA7tM/YW.
  line vty 0 5
  access-class 100 in
  exec-timeout 30 0
  logging synchronous
  transport input ssh
  And it's not working lol. No matter I log in with "admin" or "cisco" I'm put in EXEC mode... What do I have to do to achieve this?
  Thanks!

  Hi,
  The with default keyword authorization will get applied on all the lines i.e. CONSOLE, VTY, AUX.
  In case you want it for users who are trying to login to via ssh or telnet use the following:
  EXEC AUTHORIZATION
  Router
  router(config)#aaa authorization exec TEL GRoup radius local
  router(config)#line vty 0 15
  router(config-line)#authorization exec TEL
  ACS
  Interface configuration
  Check  user & group for cisco av-pair.
  User setup à cisco ios/pix 6.x radius attributes àcisco av-pair [ shell:priv-lvl=15]
  OR
  Group setup à ios/pix 6.x radius attributes à shell:priv-lvl=15
  In case of radius if exec authorization is enabled  and if have not specified any privilege level in the ACS server. Then user will fall under the privilege level 1 and if enable authentication is enabled  or enable password is defined  on the router then we can go to enable mode by typing en or en
  Regards,
  Anisha
  P.S.: please mark this thread as resolved if you think your query is answered.

• AAA using RADIUS

  GOod morning all,
  I am trying to configure AAA using RADIUS with ACS 4.1 SE and various Cisco Devices. I have configured the ACS to perform group mapping on personnel who I want to give access privileges. What I would like to do is give that group privilege level 15 and do away with enable passwords. However, I need local level authentication for our console options with enable privileges. Can this be done? Any help would be appreciated.
  Dwane

  For routers and IOS switches:
  aaa new-model
  aaa authentication banner *Unauthorized Access Prohibited*
  aaa authentication login default group radius
  radius-server host 10.10.10.10 (your acs device)
  radius-server key cisco123
  radius-server configure-nas
  username nmg password telnet
  aaa authentication ppp dialins group radius local
  aaa authentication login nmg local
  aaa authorization network default group radius local
  aaa accounting network default start-stop group radius
  aaa processes 16
  line 1 16
  login authentication
  For CatOS switches:
  Set radius-server 10.10.10.10
  show radius
  set radius key cisco123
  set authentication login radius enable
  set authentication enable radius enable
  show authentication
  set radius timeout 5
  set radius retransmit 3
  set radius deadtime 3
  For Pix Firewalls:
  aaa authentication ssh console radius LOCAL
  aaa authentication telnet console radius LOCAL
  aaa-server radgroup protocol RADIUS
  max-failed-attempts 2
  reactivation-mode depletion deadtime 5
  exit
  (NOTE: This will depending on the location of the pix firewall)
  aaa-server radgroup (inside) host 10.10.10.10
  key XXXXXXX
  exit
  aaa-server radgroup(inside) host 10.10.10.10
  key XXXXXX
  exit
  This is pretty much what we used for configurations on our test. It looks like most of your switches are IOS based so that will be nice for you.
  If you are using local authentication, you can create a group and assign the local addresses to that group. What I did in the radius IETF attribute, you ensure that [006] Service-Type is checked and scroll down to Administrative and click Submit & Restart.
  Hope this helps some. I had alot of help from Cisco TAC on this.
  Dwane

• Privilege level - ASDM

  Hi,
  I have defined on the RADIUS server a profile with privilege level 0 with the
  "shell:priv-lvl=0" command on the server. The problem is that when
  the user logs into the firewall it is always given privilege level 1 (if SSH)
  or 15 (if ASDM).
  The AAA configuration on the firewall is the following:
  aaa-server RADIUS protocol radius
  aaa-server RADIUS (outside) host x.x.x.x
  retry-interval 1
  key *
  authentication-port 8812
  accounting-port 8813
  aaa authentication http console RADIUS LOCAL
  aaa authentication ssh console RADIUS LOCAL
  aaa authentication enable console RADIUS LOCAL
  Can you tell me what I need to do to authenticate using RADIUS, but assigning
  the correct privilege levels?
  I have been refered to bug ID CSCsh17346, but although i've updated the image to 7.2.2.22 it still does not work.
  Thanks in advance.
  (in attachment is the output of the radius debug).

  Hi Paulo,
  What I think is, you are looking for something like this,
  Limiting User CLI and ASDM Access with Management Authorization:
  http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_80/conf_gd/sysadmin/mgaccess.htm#wp1070306
  Go through what setting with what protocol, will give you what level of access. This might help.
  And what you originally looking for is, might be related to this,
  Configuring Command Authorization
  http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_80/conf_gd/sysadmin/mgaccess.htm#wp1042034
  Go through complete heading, but to be specific interesting part is "Configuring Local Command Authorization"
  Above links worth a read.
  This might help.
  Regards,
  Prem