Automatic jump to privilege level 15 in PIX/ASA

Hi, with IOS routers and switches I'm able to authorize the user to jump automatically to the correct privilege level in the login phase, as configured in the authorization privilege field in ACS.
With PIX/ASA the jump does not work: why?
thank you in advance
RS

I have to disagree here.
It's not a security feature. The privilege level feature was never properly implemented in the PIX/ASA. You may call it a bug.
It would have been a security feature if it had been implemented on all privilege levels besides level 15, so that users were prevented from going directly to priv. exec mode. But on the ASA/PIX it does not work for any level (as the feature was not implemented).
Regards
Farrukh

Similar Messages

  • Privilege level 15 to ASA cli administrator via Radius

    Hello Friends!
    Is this supported yet on the ASA?  I want to be able to have radius assign privilege levels to firewall cli administrators.
    Upon login, I'd like them to be immediately placed into "enabled mode" (without needing to know the local enable password).  I believe we can set the maximum privilege level the user can attain.  But for now, I simply want to have everyone go into priv level 15 without having to know the shared enable secret password.  Switching to tacacs isn't an option.
    I remember finding out a while back that this was not possible.  Please tell me this is now possible.  It's almost 2013.

    Thanks Marcin!
    Very interesting.  Now that you mention it, I do remember seeing someone use the login command after they had already logged in.  That's what they must have been doing.  I wonder what the thought process was in developing it this way.
    I suppose a few different ways around this are (since not everyone will know of this odd behavior and I'm not the only one logging in) to configure radius to authenticate users and then either:
    1.  Configure a MOTD banner that says "ATTENTION:  Type the command 'login', followed by your regular credentials AGAIN to be put into enable mode."
    or
    2.  Configure a MOTD banner that says "ATTENTION:  To gain enable mode privileges, type the command 'enable', followed by the password cisco.".
    Horrible idea?  Thoughts?
    // example of the second 'login' command working:
    ssh [email protected]
    [email protected]'s password:
    Warning!
    Warning!
    Type help or '?' for a list of available commands.
    fw1> ?
      clear       Reset functions
      enable      Turn on privileged commands
      exit        Exit from the EXEC
      help        Interactive help for commands
      login       Log in as a particular user
      logout      Exit from the EXEC
      no          Negate a command or set its defaults
      ping        Send echo messages
      quit        Exit from the EXEC
      show        Show running system information
      traceroute  Trace route to destination
    fw1> login
    Username: admin
    Password: *********
    fw1#
    fw1# sh run username
    username admin password encrypted privilege 15

  • Configure Read-Access via user-defined privilege level

    Hello everybody,
    I'm looking for the best configuration to restrict a user to read-only. The restriction should be configured via CLI, not TACACS+.
    Hardware: 3750 (probably not interesting for this question)
    Oldest IOS: 12.2(53)SE1
    The user should be allowed to:
    see the running-configuration
    trigger all kinds of show-commands
    ping and traceroute from the device
    The user should not be allowed to:
    upload/delete/rename files on the flash-memory
    get into level 15 (not sure if I can avoid this)
    all other commands except those from level 1 and those specified above
    Can someone help me with this?
    Thanks in advance!
    I won't forget to rate helpful posts

    Hi Tobias,
    You can configure multiple privilege levels on a switch as explained below.
    By default, the Cisco IOS software has two modes of password security: user EXEC and
    privileged EXEC. You can configure up to 16 hierarchical levels of commands for each mode.
    By configuring multiple passwords, you can allow different sets of users to have access to
    specified commands.
    For example, if you want many users to have access to the clear line command, you can
    assign it level 2 security and distribute the level 2 password fairly widely. But if you
    want more restricted access to the configure command, you can assign it level 3 security
    and distribute that password to a more restricted group of users.
    Setting the Privilege Level for a Command
    Beginning in privileged EXEC mode, follow these steps to set the privilege level for a
    command mode:
    Step 1: configure terminal
        Enter global configuration mode.
    Step 2: privilege mode level level command
        Set the privilege level for a command.
        For mode, enter configure for global configuration mode, exec for EXEC mode, interface
        for interface configuration mode, or line for line configuration mode.
        For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges.
        Level 15 is the level of access permitted by the enable password.
        For command, specify the command to which you want to restrict access.
    Step 3: enable password level level password
        Specify the enable password for the privilege level.
        For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges.
        For password, specify a string from 1 to 25 alphanumeric characters. The string cannot
        start with a number, is case sensitive, and allows spaces but ignores leading spaces. By
        default, no password is defined.
    Step 4: end
        Return to privileged EXEC mode.
    Step 5: show running-config or show privilege
        Verify your entries. The first command shows the password and access level
        configuration. The second command shows the privilege level configuration.
    Step 6: copy running-config startup-config
        (Optional) Save your entries in the configuration file.
    When you set a command to a privilege level, all commands whose syntax is a subset of that
    command are also set to that level. For example, if you set the show ip traffic command to
    level 15, the show commands and show ip commands are automatically set to privilege level
    15 unless you set them individually to different levels.
    To return to the default privilege for a given command, use the no privilege mode level
    level command global configuration command.
    This example shows how to set the configure command to privilege level 14 and define
    SecretPswd14 as the password users must enter to use level 14 commands:
    Switch(config)# privilege exec level 14 configure
    Switch(config)# enable password level 14 SecretPswd14
    You can also change the default privilege level for all the users on a line.
    Changing the Default Privilege Level for Lines
    Beginning in privileged EXEC mode, follow these steps to change the default privilege level
    for a line:
    Step 1: configure terminal
        Enter global configuration mode.
    Step 2: line vty line
        Select the virtual terminal line on which to restrict access.
    Step 3: privilege level level
        Change the default privilege level for the line.
        For level, the range is from 0 to 15. Level 1 is for normal user EXEC mode privileges.
        Level 15 is the level of access permitted by the enable password.
    Step 4: end
        Return to privileged EXEC mode.
    Step 5: show running-config or show privilege
        Verify your entries. The first command shows the password and access level
        configuration. The second command shows the privilege level configuration.
    Step 6: copy running-config startup-config
        (Optional) Save your entries in the configuration file.
    Users can override the privilege level you set using the privilege level line configuration command
    by logging in to the line and enabling a different privilege level.
    They can lower the privilege level by using the disable command.
    If users know the password to a higher privilege level, they can use that password to enable the higher privilege level. You might specify a high level or privilege level for your console line to restrict line usage. 
    To return to the default line privilege level, use the no privilege level line configuration command. Also I am sending a document for your reference.
    http://www.cisco.com/univercd/cc/td/doc/product/lan/cat3750/12225see/scg/swauthen.htm#wp1154063
    HTH
    Regards
    Inayath
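    As an added example (not part of Inayath's reply or the Cisco document he quotes), here is the read-only operator Tobias asked for, built from the privilege commands above. It assumes a Catalyst 3750 on 12.2(53)SE1 with local authentication only; the user name "monitor" and the password values are placeholders.

```cisco
! Added example, not from the thread: a read-only operator at privilege level 7,
! local authentication only. Assumed: user name "monitor", placeholder secrets.
!
! The commands the operator needs default to level 15; lower them to level 7.
! Lowering "show running-config" also lowers "show" itself (the subset rule
! described in the post above), so the remaining show subcommands become reachable.
privilege exec level 7 show running-config
privilege exec level 7 show
privilege exec level 7 ping
privilege exec level 7 traceroute
!
! copy, delete, rename, configure terminal and reload are deliberately left at
! their default level 15, so a level-7 user cannot touch flash or the configuration.
!
! Account bound to level 7: with "login local" on the line, the user lands at
! level 7 directly after login instead of level 1.
username monitor privilege 7 secret MONITOR_SECRET_PLACEHOLDER
!
! Level 15 still requires the enable secret; the operator is not given it.
enable secret ENABLE_SECRET_PLACEHOLDER
!
line vty 0 15
 login local
 transport input ssh
!
! Checks after logging in as "monitor":
!   show privilege               should report level 7
!   configure terminal           should not be accepted at level 7
!   copy running-config flash:   should not be accepted at level 7
! Caveat (assumption to verify on the target image): below level 15,
! "show running-config" may display only the commands at or below the user's
! own level rather than the complete configuration.
```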

  • Setting privilege level for logging into ASA through ACS

    Hi!,
    In my environment i implemented AAA for logging into switches, routers, asa etc through ACS which is being configured TACACS+.
    I have set different privilege levels like readonly, readwrite etc. in ACS. They are working fine when I try to log in to a switch or router.
    But in ASA i am unable to restrict the privilege levels of different users.
    Can someone please guide me with the ASA & ACS settings to solve this issue?

    Hi!!
    I tried this option. It is working fine with routers & switches. But for ASA privilege access it is not functioning.
    I created 3 profiles in "Shared Profiles" & added 1 of them in the Group setting & added users to this group, specifying group authentication. This way I am able to control access to the switches & routers with the proper privilege. But when I tried to implement the ASA the same way it's not happening.
    Can you please check it out...

  • Default Privilege Level for ASA users authenticated by Radius or TACACS when using ASDM

    Hello,
    I'm trying to figure out what the default privilege level is for users that are authenticated to the ASA via a remote authentication server when using the ASDM.
    The command "aaa authentication http console TACACS+ LOCAL" is used in the ASA config.
    The remote server is NOT setting any privilege levels for users.  There are also no aaa authorization commands present in the config.
    So what privilege level do the users receive when they log in with the ASDM?  I'm being told that the users receive admin access, which includes config write, reboot, and debug.  But I cannot find any documentation stating the default level.
    Please advise.  And providing links to cisco documentation would be great too.
    Thanks,
    Brendan

    Hi Brendan,
    Hope the excerpt below from the document clarifies your query. I have also provided the link for reference.
    About Authorization
    Authorization controls access per user after users authenticate. You can configure the security appliance to authorize the following items:
    •Management commands
    •Network access
    •VPN access
    Authorization controls the services and commands available to each authenticated user. Were you not to enable authorization, authentication alone would provide the same access to services for all authenticated users.
    If you need the control that authorization provides, you can configure a broad authentication rule, and then have a detailed authorization configuration. For example, you authenticate inside users who attempt to access any server on the outside network and then limit the outside servers that a particular user can access using authorization.
    The security appliance caches the first 16 authorization requests per user, so if the user accesses the same services during the current authentication session, the security appliance does not resend the request to the authorization server.
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/asdm60/user/guide/usrguide/aaasetup.html
    Regards
    Karthik

  • Create a privilege level that only allows access to show commands

    Hi,
    I would like to create a privilege level that would only give access to the show commands for certain users. What would be the best way to do this?
    Would I have to use the privilege mode level level command for every available show command or is there a more efficient way of doing this?
    In addition, could we manage such a privilege level from a Radius Server.
    Thanks for your help
    Stéphane

    Well, I think the best way to achieve this is to use TACACS with the command authorization feature.
    Configuration on the TACACS server (only for show commands, read-only access):
    http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#scenario2
    These commands are required on an IOS router or switch in order to implement command authorization through an ACS server:
        aaa new-model
        aaa authorization config-commands
        aaa authorization commands 0 default  group tacacs+ local
        aaa authorization commands 1 default  group tacacs+ local
        aaa authorization commands 15 default group tacacs+ local
         tacacs-server host 10.1.1.1
         tacacs-server key cisco123
    These commands are required on ASA/PIX/FWSM in order to implement command authorization through an ACS server:
        aaa-server authserver protocol tacacs+
        aaa-server authserver host 10.1.1.1
        aaa authorization command authserver
    However, if you strictly want to use radius server then please try the below listed attribute for a single user or group.
    Service-Type = NAS Prompt
    http://www.ietf.org/assignments/radius-types/radius-types.xml#radius-types-4
    This might not work for ASDM.
    HTH
    Regards,
    Jatin
    Do rate helpful posts-

  • Enabling Privilege Levels when ACS is Down

    Hi,
    I have a requirement to fall back to local accounts when ACS is down. These accounts will have specific privilege levels. I have two local users - adminro and adminrw.
    adminro is read only and will have a privilege level of 7.
    adminrw is a full access account with a priv level of 15.
    I can log in with adminro when ACS is down, but when I attempt to enable using "enable 7" I receive the following output:
    PPD-ELPUF5/pri/act> en 7
    Enabling to privilege levels is not allowed when configured for
    AAA authentication. Use 'enable' only.
    If I log in using "enable", my read-only account then has full configuration access, which is not desirable.
    My AAA configuration is as follows:
    aaa authentication ssh console ADMIN LOCAL
    aaa authentication enable console ADMIN LOCAL
    aaa authentication http console ADMIN LOCAL
    aaa authentication telnet console ADMIN LOCAL
    aaa authentication serial console ADMIN LOCAL
    aaa authorization command ADMIN LOCAL
    aaa accounting ssh console ADMIN
    aaa accounting command privilege 15 ADMIN
    aaa accounting enable console ADMIN
    aaa accounting serial console ADMIN
    aaa accounting telnet console ADMIN
    aaa authorization exec authentication-server
    username adminro password <REMOVED> encrypted privilege 7
    username adminrw password <REMOVED> encrypted privilege 15
    enable password <REMOVED> level 7 encrypted
    enable password <REMOVED> encrypted
    Is there any way to enable the user or automatically elevate the user to privilege 7 post-login like you can with a router? I cannot have the adminro account able to run configuration commands on the device. Running ASA version 8.2(3).
    Thanks!

    PPD-ELPUF5/pri/act# sh curpriv
    Username : adminro
    Current privilege level : 7
    Current Mode/s : P_PRIV
    Server Group:    ADMIN
    Server Protocol: tacacs+
    Server Address:  1.150.1.80
    Server port:     49
    Server status:   FAILED, Server disabled at 15:02:37 EDT Wed Oct 12 2011
    Number of pending requests              0
    Average round trip time                 2ms
    Number of authentication requests       38
    Number of authorization requests        373
    Number of accounting requests           149
    Number of retransmissions               0
    Number of accepts                       307
    Number of rejects                       19
    Number of challenges                    0
    Number of malformed responses           0
    Number of bad authenticators            0
    Number of timeouts                      234
    Number of unrecognized responses        0
    PPD-ELPUF5/pri/act(config)# name 1.1.1.1 TEST description TEST CHANGE
    PPD-ELPUF5/pri/act(config)# sh run name
    name 1.1.1.1 TEST description TEST CHANGE
    As you can see above, my user was able to perform a change even though it should not be allowed.
    PPD-ELPUF5/pri/act(config)# sh run privilege
    privilege cmd level 7 mode exec command show
    privilege cmd level 7 mode exec command ping
    privilege cmd level 7 mode exec command traceroute

  • AAA problems PIX/ASA

    Hello
    I have a problem with authentication on my network. Here I have support level 2 and level 3.
    Level 2 support has restricted access to some switches and routers; on the firewalls they could only use "show", but the problem is that this is not happening.
    I configured on the ACS command shell authorization for the commands on switches and routers for these users of level 2, and for the PIX/ASA shell commands I set only the commands enable and show.
    My problem is that even when level 2 support tries to access the PIX and ASA on my network, they use the authorization of the routers and switches; they do not use the parameters that I set up for the PIX and ASA shell.
    The only authorization line on my firewalls is this:
    aaa authorization command TACACS+ LOCAL
    Do I have to configure anything else?
    I cannot create a command line only for firewalls.
    Am I missing something?
    my firewall and IOS versions:
    Pix: 6.3
    ASA 6x, 7x, 8x
    thanks for help

    My problem is that my ACS v4.2 is not able to distinguish the PIX/ASA shell commands from the other shell commands. The same shell commands used in the switches are being applied in the firewalls.
    Is there a way to create separate privileges between switches and firewalls?
    Output of the routers and firewalls. Switches and routers are the same.
    switches
    aaa authentication login ACS-AUTH group ACS-TACACS local
    aaa authorization config-commands
    aaa authorization exec ACS-AUTH group ACS-TACACS local
    aaa authorization commands 15 default group ACS-TACACS local
    aaa accounting exec default start-stop group ACS-TACACS
    aaa accounting commands 15 default start-stop group ACS-TACACS
    firewalls
    aaa-server TACACS+ protocol tacacs+
    aaa-server TACACS+ (transit) host x.x.x.x
    aaa-server RADIUS protocol radius
    aaa authentication ssh console TACACS+ LOCAL
    aaa authentication http console TACACS+ LOCAL
    aaa authentication enable console TACACS+ LOCAL
    aaa authentication telnet console TACACS+ LOCAL
    aaa accounting enable console TACACS+
    aaa accounting ssh console TACACS+
    aaa accounting command privilege 15 TACACS+

  • Using ACS with PIX/ASA

    Hi there,
    We have an implementation of Cisco Secure ACS 4.1.4 using RSA SecurID as its authentication source to provide role-based access control and command level authorisation.
    We have successfully deployed this on our routers/switches, and are now looking at configuring Cisco PIX/ASA devices to use ACS and have stumbled across issues.
    Config on PIX/ASA (note we actually have 4 ACS servers defined for resilience etc):
    aaa-server XXXXX protocol tacacs+
    accounting-mode simultaneous
    reactivation-mode depletion deadtime 1
    max-failed-attempts 1
    aaa-server XXXXX inside host <SERVER>
    key <SECRET>
    timeout 5
    aaa authentication telnet console XXXXX LOCAL
    aaa authentication enable console XXXXX LOCAL
    aaa authentication ssh console XXXXX LOCAL
    aaa authentication http console XXXXX LOCAL
    aaa authentication serial console XXXXX LOCAL
    aaa accounting command XXXXX
    aaa accounting telnet console XXXXX
    aaa accounting ssh console XXXXX
    aaa accounting enable console XXXXX
    aaa accounting serial console XXXXX
    aaa authorization command XXXXX LOCAL
    Problems:
    Enter PASSCODE is NOT displayed on first attempt to logon to the PIX/ASA because it does not attempt to communicate with ACS until username/pass is sent.
    Username with null password (e.g. CR) will correctly then display Enter PASSCODE prompt received from ACS.
    PIX/ASA does not attempt to authenticate against all configured TACACS+ servers in one go; instead it tries each sequentially per authentication attempt, e.g.
    1st Attempt = Server 1
    2nd Attempt = Server 2
    3rd Attempt = Server 3
    4th Attempt = Server 4
    This means that in a total failure of ACS, users will have to attempt authentication N+1 times before failing over to LOCAL credentials, depending on the number of servers configured; this seems to come from setting "depletion deadtime 1", however the alternative is worse:
    With “depletion timed” configured, by the time the user has attempted authentication to servers 2,3 and 4 the hard coded 30 second timeout has likely elapsed and the first server has been re-enabled by the PIX for authentication attempts, as such it will never fail to local authentication locking the user out of the device, the PIX itself does warn of this with the following error:
    “WARNING: Fallback authentication is configured, but reactivation mode is set to
    timed. Multiple aaa servers may prevent the appliance from ever invoking the fallback auth
    mechanism.”
    The next issue is that of accounting.....AAA Accounting does not record “SHOW” commands or session accounting records (start/stop) or “ENABLE".
    The final issue is ASDM. We can login to ASDM successfully using ACS/RSA SecurID, however when a change is made to the configuration ASDM repeatedly sends the users logon credentials multiple times.
    As RSA SecurID token can only be used once this fails and locks the account.
    Any ideas on how to make two of Cisco's leading security products work together better?

    Just re-reading the PIX/ASA 7.2 command reference guide below:
    http://www.cisco.com/en/US/docs/security/asa/asa72/command/reference/crt_72.pdf
    It appears some of the above are known issues.
    PASSCODE issue, page 2-17 states:
    We recommend that you use the same username and password in the local database as the
    AAA server because the security appliance prompt does not give any indication which method is being used.
    Failure to LOCAL, page 2-42 states:
    You can have up to 15 server groups in single mode or 4 server groups per context in multiple mode. Each group can have up to 16 servers in single mode or 4 servers in multiple mode. When a user logs in, the servers are accessed one at a time starting with the first server you specify in the configuration, until a server responds.
    AAA Accounting, page 2-2 states:
    To send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI, use the aaa accounting command command in global configuration mode.
    ASDM issue, page 2-17 states:
    HTTP management authentication does not support the SDI protocol for AAA server group
    So looks like all my issues are known "features" of PIX/ASA integration with ACS, any ideas of how to achieve a "slicker" integration?
    Is there a roadmap to improve this with later versions of the OS?
    Will the PIX/ASA code ever properly support the same features as IOS?
    Would it be better to look at using something like CSM instead of ASDM?

  • ACS with RSA for privilege level 'enable' authentication

    Has anyone experienced problems with privilege level "Enable" password authentication via ACS using RSA two-factor authentication? We have recently deployed ACS and use RSA two-factor authentication for the telnet connection without any problems. When configuring the networking device and ACS to use RSA for the privilege level authentication "enable", this fails. We get prompted to enter the token code and the RSA server indicates that authentication is successful; however the network device (ASA or switch) seems to reject it.
    Are there any tricks to this?
    Thanks in advance!

    David
    Like Collin the first thing that I think of is that you can not use the same token code to authenticate enable mode that was used to authenticate user mode. Beyond that I am not aware of things that should prevent this working. Are you sure that the ACS authentication server is configured to allow that user access to privilege mode?
    Perhaps it would be helpful if you would post the config (especially all the aaa related parts) of a device that is having that problem. And it might help find the issue if you would run debug for authentication, try to login to enable mode, and post the output.
    HTH
    Rick

  • ASDM and privilege level (using TACACS)

    Hi experts,
    Initial question:     How can I force ASDM to ask for the enable password when the user clicks on Apply?
    Environment description:
    I have an ASA 5510 connected to an ACS 5.0.
    Security policy:
    I want the user defined on my ACS to be able to gain privilege level 15 but only after using their enable password. But by default the user must be in no privileged mode (<15).
    A SNMP alert is sent when the ASA catches a "User priv level changed" syslog message. (logging customization)
    ACS configuration:
    Maybe I misunderstand the TACACS privilege level parameters on ACS.
    I set a Shell Profile which gives the user the following privilege levels:
    Default Privilege Level = 7
    Maximum Privilege Level = 15
    1st config tested on ASA:
    aaa authentication ssh console grp-tacacs LOCAL
    aaa authentication http console grp-tacacs LOCAL
    aaa authentication enable console grp-tacacs LOCAL
    ! no authorization set
    Results:
         On CLI:     perfect
    My user authenticates with his network password to get EXEC access. Then he gains privilege access using the enable command and his enable password
         On ASDM:     policy security failure
    When the user connects through ASDM, he gains privilege level 15 directly
    It seems that if authorization is not set, ASDM always gives privilege level 15 to any user
    So OK for CLI, but NOK for ASDM
    2nd config tested on ASA:
    aaa authentication ssh console grp-tacacs LOCAL
    aaa authentication  http console grp-tacacs LOCAL
    aaa authentication enable console grp-tacacs LOCAL
    aaa authorization exec authentication-server
    ! no authorization command set
    Results:
         On CLI:     lose enable access
    I can't gain privilege level 15 access anymore. When I use the enable command, I move to privilege level 7 only. So in this case ASA use the TACACS Default Privilege Level value.
         On ASDM:     policy security failure
    When the user connects through ASDM, he gains privilege level 7 as described at the bottom of the ASDM window BUT the user has full rights and can change settings.
    So NOK for CLI and ASDM
    Question:    Why do I have more access rights with ASDM than on CLI with the same settings?
    3rd config tested on ASA:
    aaa authentication ssh console grp-tacacs LOCAL
    aaa authentication  http console grp-tacacs LOCAL
    aaa authentication enable console grp-tacacs LOCAL
    aaa authorization exec authentication-server
    aaa authorization command LOCAL
    ! specific authorization command set for ASDM applied
    Results:
         On CLI:     lose enable access (same as config 2)
         On ASDM:     unable to gain privilege level 15 --> acceptable
    When the user connects through ASDM, he gains privilege level 7 as described at the bottom of the ASDM window AND the user really has level 7 access rights.
    So NOK for CLI and Acceptable for ASDM
    Question:     Is there no possibility to move to enable mode on ASDM ?
    4th config tested on ASA:
    aaa authentication ssh console grp-tacacs LOCAL
    aaa authentication  http console grp-tacacs LOCAL
    aaa authorization exec authentication-server
    aaa authorization command LOCAL
    ! no aaa authentication for 'enable access', using local enable_15 account
    ! specific authorization command set for ASDM applied
    Results:
         On CLI:     acceptable
    My user authenticates with his network password to get EXEC access. Then he gains privilege access using the enable command and the local enable password
         On ASDM:     unable to gain privilege level 15 --> acceptable (same as config 3)
    So Acceptable for CLI and ASDM
    Questions review:
    1 - Is it possible to force ASDM to ask for the enable password when the user clicks on Apply?
    2 - Why do I have different access rights using ASDM than on CLI with the same settings?
    3 - Is there no possibility to move to enable mode on ASDM when the user is at privilege level 7 whereas he has Maximum Privilege Level = 15?
    4 - How may I understand these parameters on TACACS: Default Privilege Level and Maximum Privilege Level ?
    Thanks for your help.

    Thanks for your answer jedubois.
    In fact, my security policy is like this:
    A) Authentication has to be nominative with password enforcement policy
         --> I'm using CS ACS v5.1 appliance with local user database on it
    B) Every "network" user can be granted privilege level 15
         --> max user privilege level is set to 15 in my authentication mechanism on ACS
    C) A "network" user can log onto the network equipment (RTR, SW and FW) but has monitor access only at first.
    D) A "network" user can be granted privilege level 15 after a second authentication which generates a log message
         --> SNMP trap sent to supervision server
    E) The user password and enable password have to be personal.
    So, I need only 2 privilege levels:
    - monitor (any level from 1 to 14. I set 7)
    - admin (level 15)
    For RTR, SW and FW (on CLI), it works as wanted: the "network" users connect to the equipment in monitor mode. They type "enable" and they use their private enable password to be granted privilege level 15.
    ASDM interface is requested by the customer.
    For ASDM, as I was not able to satisfy the security policy, I applied this:
    1- I activated Exec Shell Access authorization to get the default user privilege level value from ACS
         --> Then, when I log onto the ASDM using a "network" user, I have privilege level 7 but I am able to change the parameters.
    2- I activated LOCAL Command authorization (adding "ASDM defined User Roles")
         --> Then, when I log onto the ASDM using a "network" user, I have privilege level 7 and I can't push any modification.
         --> The issue is that I can't push any modification on CLI either ... :-( because my user is stuck on "default privilege level" 7 and can't get access to "max privilege level 15" as defined on ACS when LOCAL authorization is set
         (ok I go on my ACS and move the default privilege level to 15 to restore admin access to the ASA and apply 3- before resetting the default privilege level to 7)
    3- I remove "aaa authorization enable console TACACS" to use local enable password
         --> now I can't get admin access on ASDM: OK
         --> and I can get admin access on CLI entering the local enable password
    At the end, I satisfy my security policy items A to D but not E. That's a good compromise, but do you see a solution to satisfy E as well?
    Thanks

  • Username with privilege level 15 bypass enable

    Hi experts,
    I guess I never really understand the authentication process on Cisco routers and devices lol. Anyway I want users with privilege level 15 to be put in the enable mode right away after login without having to type in "enable" command and enable password. Users with other privilege levels will still be put in the EXEC mode.
    AAA has to be enabled because I'm using it for 802.1x as well.
    The privilege level eventually will be assigned by Radius server but right now the user is created locally on the switch. Right now I have:
    aaa new-model
    username admin privilege 15 secret 5 $1$2bdl$VIp53G4/zpo4f9aHh.t5v0
    username cisco secret 5 $1$NGdD$ehTUzwappJFMxgA7tM/YW.
    line vty 0 5
    access-class 100 in
    exec-timeout 30 0
    logging synchronous
    transport input ssh
    And it's not working lol. No matter whether I log in with "admin" or "cisco", I'm put in EXEC mode... What do I have to do to achieve this?
    Thanks!

    Hi,
    Authorization with the default keyword will get applied on all the lines, i.e. CONSOLE, VTY, AUX.
    In case you want it for users who are trying to log in via ssh or telnet, use the following:
    EXEC AUTHORIZATION
    Router
    router(config)#aaa authorization exec TEL group radius local
    router(config)#line vty 0 15
    router(config-line)#authorization exec TEL
    ACS
    Interface configuration
    Check user & group for cisco av-pair.
    User setup -> cisco ios/pix 6.x radius attributes -> cisco av-pair [ shell:priv-lvl=15 ]
    OR
    Group setup -> ios/pix 6.x radius attributes -> shell:priv-lvl=15
    In case of RADIUS, if exec authorization is enabled and you have not specified any privilege level in the ACS server, then the user will fall under privilege level 1, and if enable authentication is enabled or an enable password is defined on the router then we can go to enable mode by typing en or en
    Regards,
    Anisha
    P.S.: please mark this thread as resolved if you think your query is answered.
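The shell:priv-lvl=15 av-pair named in the answer above reaches the router inside a RADIUS Vendor-Specific attribute (type 26, Cisco vendor-id 9, vendor-type 1). The following is an added example, not code from the thread or from Cisco, that builds such an Access-Accept attribute list and decodes it, so an administrator can verify from a capture what privilege level the server actually returned; the sample attribute bytes are constructed here, not captured traffic.

```python
import struct
VENDOR_SPECIFIC = 26   # RADIUS attribute type (RFC 2865 section 5.26)
CISCO_VENDOR_ID = 9    # IANA enterprise number for Cisco
CISCO_AVPAIR = 1       # Cisco vendor-type carrying "key=value" strings

def radius_attr(atype, value):
    # One RADIUS attribute: Type (1 byte), Length (1 byte, incl. header), Value
    return struct.pack("!BB", atype, 2 + len(value)) + value

def cisco_avpair_attr(pair):
    # Cisco-AVPair = VSA(26) -> Vendor-Id 9 -> Vendor-Type 1, Vendor-Length, string
    data = pair.encode("ascii")
    vsa = struct.pack("!BB", CISCO_AVPAIR, 2 + len(data)) + data
    return radius_attr(VENDOR_SPECIFIC, struct.pack("!I", CISCO_VENDOR_ID) + vsa)

def cisco_avpairs(blob):
    """Return every Cisco-AVPair string found in a RADIUS attribute list."""
    pairs, i = [], 0
    while i < len(blob):
        atype, alen = blob[i], blob[i + 1]
        if alen < 2 or i + alen > len(blob):
            raise ValueError("malformed RADIUS attribute")
        val = blob[i + 2:i + alen]
        i += alen
        if atype != VENDOR_SPECIFIC or len(val) < 6 or struct.unpack("!I", val[:4])[0] != CISCO_VENDOR_ID:
            continue
        j = 4  # walk the vendor sub-attributes after the 4-byte Vendor-Id
        while j + 2 <= len(val):
            vtype, vlen = val[j], val[j + 1]
            if vlen < 2 or j + vlen > len(val):
                raise ValueError("malformed Cisco VSA")
            if vtype == CISCO_AVPAIR:
                pairs.append(val[j + 2:j + vlen].decode("ascii"))
            j += vlen
    return pairs

def granted_priv_level(blob):
    """shell:priv-lvl from the Accept, or None (IOS then lands the user at level 1)."""
    for pair in cisco_avpairs(blob):
        key, _, value = pair.partition("=")
        if key.strip() == "shell:priv-lvl":
            return int(value)
    return None

# Constructed samples (not captured traffic): Service-Type = Administrative-User (6),
# once with the av-pair from the answer above and once without it (user lands at level 1).
ACCEPT_WITH_PRIV = radius_attr(6, struct.pack("!I", 6)) + cisco_avpair_attr("shell:priv-lvl=15")
ACCEPT_WITHOUT_PRIV = radius_attr(6, struct.pack("!I", 6))
```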

  • Enable aaa accounting commands for all privilege levels?

    Here is the command's syntax:
    aaa accounting {auth-proxy | system | network | exec | connection | commands level} {default | list-name} {start-stop | stop-only | none} [broadcast] group groupname
    The "command" accounting type must include the privilege level of the commands you are logging. How do I log ALL commands?
    Take the following example:
    aaa accounting commands 15 default start-stop group mygroup
    If I issue this command will that mean commands the user executes that have a privilege level lower than 15 will not be logged? Or only commands that require exactly privilege level 15 will be logged?
    How can I log all commands regardless of privilege level?

    Hi Red,
    If you customize the command privilege level using the privilege command, you can limit which commands the appliance accounts for by specifying a minimum privilege level. The security appliance does not account for commands that are below the minimum privilege level.
    The default privilege level is 0. So if you don't specify any privilege level then all should be accounted for.
    You can find the command detail at. This is for ASA though.
    http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/command/reference/cmd_ref/a1.html#wp1535253
    Regards,
    Kanwal
    Note: Please mark answers if they are helpful.

  • "authorization exec" on PIX/ASA

    I'm seeing posts that hit all around my questions, and based on my interpretation of the documentation it appears that there is no "shell exec" authorization available to the PIX when configured to use a TACACS+ server for authentication. Is this true? The problem I have is that whenever I create a new username in SecureACS, that user (w/default settings) is immediately able to login and get a shell prompt on our PIX and ASA devices. I see no means (other than a NAR) that will restrict the user from getting a shell. Am I missing something?
    I know I can do command authorization, but exec authorization seems to be a glaringly missing feature.
    For example, how do I allow a user to be authenticated for a WebVPN session (via TACACS), but not be allowed to login via SSH for administration?

    Hi,
    Yes, you are correct, currently there is no shell exec on pix/asa that we have on all routers and switches. In case you are using TACACS+ for WebVPN, and don't want to allow them to login via SSH for administration, probably you can try the same logic that is used in Access Points.
    Actually what happens is, if you have ever come across mac authentication on APs: on the local database of the AP, user accounts are created using the mac address as username/password. But the interesting thing is, they have *autocommand* in the end, i.e.
    username xxxx password xxxx
    username xxxx autocommand exit
    So what actually happens here is, though the user is authenticated, if that user tries to use their MAC address to log into the AP [if they think they are clever enough], then they will log in and will be kicked out automatically.
    Haven't tried this yet, probably we can use the same logic with PIX/ASA, making use of "auto command" under "TACACS+ Settings" for a group/user.
    Probably I'll do a small re-create of it and will let you know; you try at your end.
    Regards,
    Prem

  • ASDM Privilege Level default 15 for Radius users

    So this may be a bit of a dumb question...
    I stumbled upon an ASA today that is configured to authenticate against a Radius server for SSH and HTTPS connections. If I log in via SSH, I can't gain a privilege level of more than 1 (tried login command, etc).
    However, if I log in with ASDM, I always have privilege level 15.
    Command authorization is not enabled.
    Is this default behavior? If so, why? Do I need to enable command authorization to override this behavior?
    FYI, the system in question is running ASA 8.3(1)
    Thanks much

    aaa-server RADGR protocol radius
    aaa-server RADGR host 10.2.2.2
    timeout 4
    key cisco123
    aaa authentication enable console RADGR LOCAL
    After logging in, use the enable command with your user password.
    http://www.cisco.com/en/US/partner/docs/security/asa/asa83/configuration/guide/access_management.html#wp1145571
