Nexus, command authorization using TACACS.
Hello.
Can someone provide a sample configuration to use Cisco Secure ACS 4.2 to enable command authorization using TACACS.
Thanks.
Regards.
Andrea
Hi Andrea,
We've moved onto ACS 5.3 now - but we had our Nexus 5520's running against our old ACS 4.2 before that - so I've picked out the relevant bits of the config below:
username admin password role network-admin ; local admin user
feature tacacs+ ; enable the tacacs feature
tacacs-server host key ; define key for tacacs server
aaa group server tacacs+ tacacs ; create group called 'tacacs'
server ;define tacacs server IP
use-vrf management ; tell it to use the default 'management' vrf to send the tacacs requests
source-interface mgmt0 ; ...and send them from the mgmt interface
aaa authentication login default group tacacs ; use tacacs for login auth
aaa authentication login console group tacacs ; use tacacs for console login auth
aaa authorization config-commands default group tacacs local ; use tacacs for config command authorization
aaa authorization commands default group tacacs local ; use tacacs for normal command authorization
aaa accounting default group tacacs ; send accounting records to tacacs
Hope that works for you!
(That can change a bit when you move to ACS 5.x - as we've chosen not to do complex command auth (using shell profiles only) so instead you pass back the nexus role to the 5k - and it does the command auth (network-admin vs network-operator) based on that - so you just don't configure aaa command authorization on the 5k)
Rob...
Similar Messages
-
Specific shell command authorization - ACS/TACACS+ on 2900XL
Hello all -
I've been struggling with one particular issue here. I'm running ACS 3.2, and trying to set up secure access to my switches. I have "grad students" from my university that I want to allow to perform specific functions, i.e. change a port's vlan, and write to memory, etc.
I successfully set up the authorization piece, and my test account can log in. I successfully assign a privilege level of 7 also, which gives me basic look rights by default. Accounting is also working, showing the connections and commands I enter.
What I want to do is use ACS to enable a specific group of commands, so I can change them if needed in one place (ACS) and not have to touch 400+ devices. ACS says it can do it, but it doesn't seem to work. I created a Shell Command Group and specified the commands, no luck. Even if I modify the "Unmatched commands" toggle to "permit" (which should allow any commands, right?) it still doesn't allow any commands. I added the Shell Command group to the group the students are members of...
My AAA commands are as follows:
aaa new-model
aaa authentication login default local group tacacs+
aaa authorization exec default local group tacacs+
aaa authorization commands 7 default group tacacs+
aaa accounting exec default start-stop group tacacs+
aaa accounting commands 7 default start-stop group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
Any ideas? Any thoughts?
Thanks!
Michael
QU.edu
Hey Steve -
I tried your recommendation, and it works, kinda. When I turn on that command, after authentication, I get dropped in at Privilege 15 and have full access to commands.
Unfortunately, this is different than the telnet access in a key way; when I telnet in, I get Priv-15, but I'm restricted on commands I can do based upon ACS authorization of specific commands. When I console in, I have full access to all commands, with no restrictions.
Additionally, my console access has two level security, with a login password (to Priv-1) and an enable password (to Priv-15). When I use the "Privilege level 15" command, it bypasses the enable password for the local accounts and allows full access with just the login password.
Maybe I'm asking for too much. (And I appreciate your patience with me!) What I want on the console port is this:
1. A username prompt
- this is fine
2. A password prompt
- this is fine also
3. User name & PW are authenticated against ACS
- this works
4. If user is a valid ACS user, they should receive Priv-15 rights and be restricted by the commands they are authenticated to use in ACS
- this does not work. They only receive Priv-15 if I use "privilege level 15", but they are not restricted at all to certain commands. (They _are_ restricted under telnet however.)
5. If a user is not a valid ACS but a local account exists, the user gets dumped to a Priv-1 prompt, and must enter the enable to get to Priv-15. (This also is how it works under telnet.)
Sorry if this is really confusing; it's difficult to explain in a forum. I'm basically looking for the same behavior from a console connection as from a telnet connection; I'm not sure why it's so difficult to do...
Michael -
Pix command authorization problem
help required
I am trying to configure PIX firewall command authorization using Cisco
Secure ACS 4.2 and a PIX 515 running 7.0(5) but have run into a problem:
I can't get it to work!
I have included the PIX firewall configuration below and have included
screen shots of the ACS configuration as attachments.
As you can see I can authenticate OK but that is as far as I can go;
as soon as I try and use the enable command, authorization fails.
I can't even enter a password.
I have created two shell command authorization sets:
one called admins which is configured to allow all commands
and one called restricted which restricts me to only a few commands.
If I apply the admins authorization set to the group where the user
resides I can authenticate and authorize and I have access to all
commands, but if I apply the restricted authorization set I get the
problem depicted below.
I would appreciate it if someone could take a look and give me
some pointers as to where I am going wrong.
Regards
Melvyn Brown
interface ethernet0
nameif outside
ip address 110.1.1.1 255.255.255.0
speed 100
duplex full
no shut
interface ethernet1
nameif inside
ip address 192.168.8.2 255.255.255.0
speed 100
duplex full
no shut
route inside 192.168.7.0 255.255.255.0 192.168.8.1
route inside 192.168.3.0 255.255.255.0 192.168.8.1
aaa-server ACS1 protocol tacacs+
aaa-server ACS1 host 192.168.7.2
key cisco123
domain-name acme.com
crypto key generate rsa modulus 1024
telnet 192.168.3.2 255.255.255.255 inside
ssh 192.168.3.2 255.255.255.255 inside
aaa authentication enable console ACS1
aaa authentication serial console ACS1
aaa authentication ssh console ACS1
aaa authentication telnet console ACS1
aaa authorization command ACS1
Username: fred
Password: **********
Type help or '?' for a list of available commands.
pixfirewall> en
Command authorization failed
pixfirewall> ?
clear Reset functions
enable Turn on privileged commands
exit Exit from the EXEC
help Interactive help for commands
login Log in as a particular user
logout Exit from the EXEC
ping Send echo messages
quit Exit from the EXEC
show Show running system information
Fixed it. It was one of those ID10T type errors. The user I was testing against was in group1 on the ACS. Trouble is I was adding command authorizations to group0. Duh!
-
Cisco 4.2 radius command authorization
Hi,
I am trying to do command authorization in RADIUS. I have searched but I couldn't get any luck.
Is it possible to do this? If yes, can anyone tell me the steps? It would be great.
Thanks,
IOS does support command authorization, however, only with TACACS (updated by paul)
Very nice configuration example on command authorization with tacacs
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#backinfo
Rgds, Jatin
Do rate helpful posts~ -
Command authorization error when using aaa cache
Hi,
I'm trying to use the aaa cache mode for command authorization. But when I execute a command there is always an error message:
% tty2 Unknown authorization method 6 set for list command
The command is then always authorized against the tacacs server.
The 'authentication login', 'authentication enable' and 'authorization exec' are using the cache properly.
I have tried it with an Accesspoint AIR-AP1242AG-E-K9, IOS 12.3(8)JEA and a Catalyst WS-C3550-24PWR-SMI, IOS 12.2(35)SE with the same results.
Deleting the cache entry and using only the tacacs group the error message disappears.
Any suggestions?
Thanks.
Frank
======
config
======
aaa new-model
aaa group server tacacs+ group_tacacs
server 10.10.10.10
server 10.10.10.11
cache expiry 12
cache authorization profile admin_user
cache authentication profile admin_user
aaa authentication login default cache group_tacacs group group_tacacs local
aaa authentication enable default cache group_tacacs group group_tacacs enable
aaa authorization console
aaa authorization config-commands
aaa authorization exec default cache group_tacacs group group_tacacs local
aaa authorization commands 15 default cache group_tacacs group group_tacacs local
aaa accounting exec default start-stop group group_tacacs
aaa cache profile admin_user
profile admin no-auth
aaa session-id common
tacacs-server host 10.10.10.10 single-connection
tacacs-server host 10.10.10.11 single-connection
tacacs-server directed-request
tacacs-server key 7 <removed>
============
debug output
============
ap#
Feb 7 20:02:37: AAA/BIND(00000004): Bind i/f
Feb 7 20:02:37: AAA/AUTHEN/CACHE(00000004): GET_USER for username NULL
Feb 7 20:02:39: AAA/AUTHEN/CACHE(00000004): GET_PASSWORD for username admin
Feb 7 20:02:42: AAA/AUTHEN/CACHE(00000004): PASS for username ^->o
Feb 7 20:02:42: AAA/AUTHOR (0x4): Pick method list 'default'
Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): processing AV cmd=
Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): processing AV priv-lvl=15
Feb 7 20:02:42: AAA/AUTHOR/EXEC(00000004): Authorization successful
ap#
Feb 7 20:02:54: AAA: parse name=tty2 idb type=-1 tty=-1
Feb 7 20:02:54: AAA: name=tty2 flags=0x11 type=5 shelf=0 slot=0 adapter=0 port=2 channel=0
Feb 7 20:02:54: AAA/MEMORY: create_user (0xBA9C34) user='admin' ruser='ap' ds0=0 port='tty2' rem_addr='10.10.1.1' authen_type=ASCII service=NONE priv=15 initial_task_id='0', vrf= (id=0)
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Port='tty2' list='' service=CMD
Feb 7 20:02:54: AAA/AUTHOR/CMD: tty2(787222339) user='admin'
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV service=shell
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd=show
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=running-config
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=<cr>
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): found list "default"
Feb 7 20:02:54: % tty2 Unknown authorization method 6 set for list command
Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = ERROR
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Method=group_tacacs (tacacs+)
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): user=admin
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV service=shell
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd=show
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=running-config
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=<cr>
Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = PASS_ADD
Feb 7 20:02:54: AAA/MEMORY: free_user (0xBA9C34) user='admin' ruser='ap' port='tty2' rem_addr='10.10.1.1' authen_type=ASCII service=NONE priv=15 vrf= (id=0)
Hi,
I really do not think that command authorization results will be cached. The cache keeps the user credentials and attributes passed during exec authorization but for command authorization it would have to check with the tacacs server always.
Regards,
Vivek -
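A debug trace like the one Frank posted is easier to read once the lines are grouped by request id and each Post authorization status is tied to the method that produced it. The following is an added example written for this page (it is not code from the thread or from Cisco): a small Python parser for IOS "debug aaa authorization" output. The sample input is the command-authorization part of the trace above, reproduced as a constructed string; the field names and the layout of the output are choices made for this example.

```python
import re
from collections import OrderedDict

# Constructed sample: the AAA/AUTHOR/CMD part of the debug output posted in the
# thread (one 'show running-config' on tty2), copied from the post above.
SAMPLE_DEBUG = """\
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Port='tty2' list='' service=CMD
Feb 7 20:02:54: AAA/AUTHOR/CMD: tty2(787222339) user='admin'
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV service=shell
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd=show
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=running-config
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): send AV cmd-arg=<cr>
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): found list "default"
Feb 7 20:02:54: % tty2 Unknown authorization method 6 set for list command
Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = ERROR
Feb 7 20:02:54: tty2 AAA/AUTHOR/CMD(787222339): Method=group_tacacs (tacacs+)
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): user=admin
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV service=shell
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd=show
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=running-config
Feb 7 20:02:54: AAA/AUTHOR/TAC+: (787222339): send AV cmd-arg=<cr>
Feb 7 20:02:54: AAA/AUTHOR (787222339): Post authorization status = PASS_ADD
"""

REQ_ID = re.compile(r"\((\d+)\)")                      # decimal request id in parentheses
SEND_AV = re.compile(r"send AV ([^=\s]+)=(.*)$")       # one attribute-value pair
USER = re.compile(r"\buser='?([^'\s]+)'?")            # user='admin' or user=admin
METHOD = re.compile(r"Method=(\S+(?: \(\S+\))?)")     # Method=group_tacacs (tacacs+)
STATUS = re.compile(r"Post authorization status = (\w+)")
UNKNOWN = re.compile(r"% \S+ (Unknown authorization method \d+ set for list \S+)")


def parse_author_debug(text):
    """Group debug lines by request id and record, per request: the user, the
    AV pairs the router sent, every method named, every status in order
    (paired with the most recently named method, or None before the first
    Method= line), and any 'Unknown authorization method' errors."""
    requests = OrderedDict()
    current = None
    for line in text.splitlines():
        m = REQ_ID.search(line)
        if m:
            current = m.group(1)
            req = requests.setdefault(current, {
                "user": None, "avs": [], "methods": [], "statuses": [], "errors": []})
            u = USER.search(line)
            if u and req["user"] is None:
                req["user"] = u.group(1)
            av = SEND_AV.search(line)
            # Only the AAA/AUTHOR/CMD lines carry the request itself; the TAC+
            # lines repeat the same pairs when the packet is built.
            if av and "AAA/AUTHOR/CMD(" in line:
                req["avs"].append((av.group(1), av.group(2)))
            mm = METHOD.search(line)
            if mm:
                req["methods"].append(mm.group(1))
            st = STATUS.search(line)
            if st:
                method = req["methods"][-1] if req["methods"] else None
                req["statuses"].append((method, st.group(1)))
        elif current is not None:
            # The error line has no request id; attribute it to the request in progress.
            e = UNKNOWN.search(line)
            if e:
                requests[current]["errors"].append(e.group(1))
    return requests


def command_string(req):
    """Rebuild the typed command from the cmd / cmd-arg pairs, dropping the <cr>."""
    cmd = [v for k, v in req["avs"] if k == "cmd"]
    args = [v for k, v in req["avs"] if k == "cmd-arg" and v != "<cr>"]
    return " ".join(cmd + args)


def final_status(req):
    """The last status is the one the router acts on."""
    return req["statuses"][-1][1] if req["statuses"] else None


def report(text):
    lines = []
    for rid, req in parse_author_debug(text).items():
        lines.append(f"request {rid}: user={req['user']} cmd='{command_string(req)}'")
        for method, status in req["statuses"]:
            lines.append(f"  {method or 'first method in list (unnamed)'}: {status}")
        for err in req["errors"]:
            lines.append(f"  error: {err}")
        lines.append(f"  final: {final_status(req)}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_DEBUG))
```

Run against the sample, the report shows one request for user admin, command "show running-config", an ERROR attributed to the unnamed first method (the cache entry in Frank's list) and PASS_ADD from the tacacs+ group, which is the sequence the text of the debug describes.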
FWSM: AAA authentication using TACACS and local authorization
Hi All,
In our setup, we are are having FWSMs running version 3.2.22 and users are authenticating using TACACS (running cisco ACS). We would like to give restricted access ( some show commands ) to couple of users to all devices. We do not want to use TACACS for command authorization.
We have created users on TACACS and not allowed "enable" access to them. I have also given those show commands locally on the firewall with privilege level 1. and enabled aaa authorization LOCAL
Now , those users can successfully login to devices and execute those show commands from priv level 1 except "sh access-list". I have specifically mentioned this
"privilege show level 1 mode exec command access-list" in the config.
Is there anything i am missing or is there any other way of doing it?
Thanks.
You cannot do what you are trying to do. For (default login you need to use the first policy matched.
You can diversify telnet/ssh with http by creating different aaa groups.
But still you will be logging in for telnet users (all of them) using one method.
I hope it is clear.
PK -
Shell Command Authorization Sets for device using NDGs??
Hello. I have NDGs configured; there is a group called "GR1" with 30 switches.
This group has a Shell Command Authorization Set called "Monitoring" assigned, in which only show commands, ping and traceroute are allowed.
I want to let users configure certain interfaces and IP addresses on only 10 of the switches in group "GR1", and not on the other switches. Note: the interface numbering is not the same on each switch; on one it may be Fa0/1, but on others it may be Fa0/3, etc.
I want to keep these 10 switches within the group "GR1"; is it possible to make this configuration?
- Thanks
I've edited my earlier post to make it clearer. You can assign Shell Auth. Sets at the user, group or NDG level. More details are mentioned on the following link:
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/SPC.html#wpmkr697610
AFAIR, one device (AAA Client) can be part of only one NDG, so you cannot achieve your requirement by using per-NDG Shell Command Authorization sets. Unless you break up the NDG into more than one NDG.
You can assign the authorization set at the user or group level (after putting the appropriate users in the group) to achieve your requirement.
You could also use the 'privilege' command on the switch to make sure that users can see only the commands you want. E.g. when a user logs in he will be placed at level 7. Now you can keep the undesired commands at level 15 and bring down the desired commands to level 7. All other users would be assigned a lower level (e.g. level 5), so they won't be able to run these commands.
Regards
Farrukh -
Restrict aaa access using command authorization windows acs3.6
I need to enable AAA users to shut and unshut interfaces but nothing else. I already have all the users and groups set up, but when I modify the command auth set to include "configure" "permit term" they are given unrestricted access.
Any help appreciated
On the router there's a:
aaa authorization config-commands
command, make sure you have that in. You then have to set up command authorization on the TACACS server to allow "interface permit any", "shutdown" and "no shutdown" commands. -
Command Authorization Config best practice using ACS
Hi
Is there any best practices for configuring Command authorization (for router/switch/asa) in CS-ACS? To be specific, is there any best practices to configure authorization for a set of commands allowed for L1,L2,L3 support levels?
Regards
V Vinodh.
Vinodh,
The main thing here is to ensure that we have a backup/fall-back method configured for command authorization, in order to avoid a lockout situation, or do wr mem once you are sure the configs are working fine.
Please check this link,
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
Regards,
~JG
Do rate helpful posts -
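The fall-back advice above can be checked mechanically before a configuration is pushed. The following is an added example (not code from the thread or from Cisco): a Python lint that parses IOS AAA method lists and reports three things a reviewer looks for, namely lists with no fallback after the server group (fail closed, lockout when every TACACS+ server is unreachable), fail-open methods such as none or if-authenticated, and command authorization configured without "aaa authorization console" (IOS exempts the console line from authorization unless that command is present). The two sample configurations are constructed, modelled on the IOS snippets posted in this thread; the first has the weaknesses, the second is the corrected form. The set of method keywords recognised is the lint's own assumption and covers only the forms seen on this page.

```python
import re

# Constructed sample modelled on the IOS snippets in this thread: every list
# depends solely on the TACACS+ group and console sessions are not covered.
SAMPLE_IOS = """\
aaa new-model
aaa authentication login default group tacacs+
aaa authorization exec default group tacacs+
aaa authorization commands 15 default group tacacs+
aaa accounting commands 15 default start-stop group tacacs+
"""

# The same configuration with a local fallback on each list and authorization
# applied to the console line.
SAMPLE_IOS_FIXED = """\
aaa new-model
aaa authentication login default group tacacs+ local
aaa authorization console
aaa authorization exec default group tacacs+ local
aaa authorization commands 15 default group tacacs+ local
aaa accounting commands 15 default start-stop group tacacs+
"""

# Methods that need no external server (assumed list for this example).
LOCAL_FALLBACK = {"local", "local-case", "enable", "line"}
# Methods that succeed without an answer from the server.
FAIL_OPEN = {"none", "if-authenticated"}

# aaa <authentication|authorization> <service> [<level>] <listname> <methods...>
AAA_LIST = re.compile(r"^aaa (authentication|authorization) (\S+)(?: (\d+))? (\S+) (.+)$")


def parse_method_lists(config):
    """Return one dict per method list: kind, service, level, name and the
    ordered methods ('group <name>' and 'cache <name>' are two-token methods)."""
    lists = []
    for raw in config.splitlines():
        line = raw.strip()
        m = AAA_LIST.match(line)
        if not m:
            continue
        kind, service, level, name, rest = m.groups()
        tokens, methods, i = rest.split(), [], 0
        while i < len(tokens):
            if tokens[i] in ("group", "cache") and i + 1 < len(tokens):
                methods.append(f"{tokens[i]} {tokens[i + 1]}")
                i += 2
            else:
                methods.append(tokens[i])
                i += 1
        lists.append({"line": line, "kind": kind, "service": service,
                      "level": level, "name": name, "methods": methods})
    return lists


def lint_aaa(config):
    """Return a list of human-readable findings; an empty list means clean."""
    findings = []
    lines = {raw.strip() for raw in config.splitlines()}
    lists = parse_method_lists(config)
    for ml in lists:
        methods = set(ml["methods"])
        if not methods & (LOCAL_FALLBACK | FAIL_OPEN):
            findings.append(f"{ml['line']}: no fallback after the server group; if every "
                            "TACACS+ server is unreachable this list fails closed (lockout)")
        if methods & FAIL_OPEN:
            findings.append(f"{ml['line']}: fail-open method "
                            f"({', '.join(sorted(methods & FAIL_OPEN))}) succeeds "
                            "without an answer from the server")
    has_cmd_authz = any(ml["kind"] == "authorization" and ml["service"] == "commands"
                        for ml in lists)
    if has_cmd_authz and "aaa authorization console" not in lines:
        findings.append("aaa authorization console is absent: IOS exempts the console line "
                        "from authorization by default, so the command sets do not apply there")
    return findings


if __name__ == "__main__":
    for label, cfg in (("original", SAMPLE_IOS), ("fixed", SAMPLE_IOS_FIXED)):
        print(f"== {label} ==")
        for finding in lint_aaa(cfg) or ["no findings"]:
            print(" -", finding)
```

The fail-closed and fail-open checks pull in opposite directions on purpose: a list with only a server group locks everyone out when the server is down, while a list ending in if-authenticated or none lets every command through in the same situation; the local fallback in the corrected sample is the middle ground the answer above recommends.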
Cisco Secure ACS 4.2 - Group Setup w/Shell Command Authorization Sets
Hello All,
I am trying to create a user so that I can provide him only to run commands that I have designated them to run within my "Shell Command Authorization Set". This seems to work great, however I cannot find anywhere I can "hide" commands they do not have access to. For instance, once the user is logged into the switch they can do a show ? and get a list of commands. I would like to know if there is an option to only display commands the user has access to in ACS.
My Steps:
Created a user in ACS
Shared Profile Components
Create Shell Command Authorization Set - "ReadOnly"
Unmatched Commands - Deny
Unchecked - Permit Unmatched Arg
Commands Added
permit interface
permit vlan
permit snmp contact
permit power inline
permit version
permit switch
permit controllers utilization
permit env all
permit snmp location
permit ip http server status
permit logging
Created a group - "GroupTest" with the following
Configured - Network Access Restrictions (NAR)
Max Sessions - Unlimited
Enable Options - No Enable Privilege
TACACS+ Settings
Shell (exec)
Privilege level is checked, with 1 as the assigned level
Shell Command Authorization Set
"ReadOnly" - Assign a Shell Command Authorization Set for any network device
I have configured following on my Router/Switch
aaa authorization config-commands
aaa authorization commands 1 default group tacacs+ if-authenticated
privilege exec level 1 show log
I have attached below the documentation I have gone over.
http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
http://www.cisco.com/en/US/docs/net_mgmt/cisco_secure_access_control_server_for_windows/4.2/user/guide/GrpMgt.html#wp478624
"You are testing with privilege level 15 or below 15. Because when you are using a below-15 level user, first it will check the local command authorization set. For example, if you want to execute the sh runn command with a level 5 user, first it will check the local command set. If the sh runn command exists in the local command set then it will send the request to ACS. If it is not in the command set, it won't send the request to ACS. That's why you don't see debug. For level 15 users it will directly send the request to ACS. Configure the command set locally and try it; it should work.
Correct me if I am wrong."
Regards
Vamsi -
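The behaviour of a Shell Command Authorization Set is easier to reason about with a model in front of you. The following is an added example (not code from the thread, from ACS or from Cisco): a small Python evaluator that applies a set to the cmd / cmd-arg AV pairs a router sends, using the "ReadOnly" set from the post above and a second, constructed set with Unmatched Commands set to permit, as in the 2900XL post earlier on this page. The matching rules (argument patterns tried in order as regular expressions anchored at the start of the argument string, and a bare command treated as an empty argument string) are a simplification assumed for the example, not a description of how ACS implements them.

```python
import re
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class CommandRule:
    """One command entry of a set: the command word and its argument rules."""
    command: str                                               # e.g. "show"
    args: List[Tuple[str, str]] = field(default_factory=list)  # (action, pattern), in order
    permit_unmatched_args: bool = False                        # the per-command checkbox


@dataclass
class CommandSet:
    """Simplified model of an ACS Shell Command Authorization Set (assumed semantics)."""
    name: str
    rules: List[CommandRule]
    permit_unmatched_commands: bool = False                    # the set-level toggle


def parse_av_pairs(av_pairs):
    """Return (cmd, argument string) from the AV pairs of a shell authorization
    request, in the form 'debug aaa authorization' prints them."""
    cmd, args = None, []
    for pair in av_pairs:
        key, _, value = pair.partition("=")
        if key == "cmd":
            cmd = value
        elif key == "cmd-arg" and value != "<cr>":   # <cr> terminates the argument list
            args.append(value)
    if not cmd:
        raise ValueError("request carries no cmd AV pair")
    return cmd, " ".join(args)


def authorize(cmd_set, av_pairs):
    """Return ('permit' | 'deny', reason) for one request against one set."""
    cmd, arg_line = parse_av_pairs(av_pairs)
    rule = next((r for r in cmd_set.rules if r.command == cmd), None)
    if rule is None:
        verdict = "permit" if cmd_set.permit_unmatched_commands else "deny"
        return verdict, f"'{cmd}' is not listed in {cmd_set.name}; Unmatched Commands = {verdict}"
    for action, pattern in rule.args:                 # first matching argument rule wins
        if re.match(pattern, arg_line):
            return action, f"'{cmd} {arg_line}' matched '{action} {pattern}'"
    verdict = "permit" if rule.permit_unmatched_args else "deny"
    return verdict, (f"no argument rule of '{cmd}' matched '{arg_line}'; "
                     f"Permit Unmatched Args = {rule.permit_unmatched_args}")


def request(cmd, *args):
    """Build the AV pairs a router sends for a typed command (constructed input)."""
    return ["service=shell", f"cmd={cmd}"] + [f"cmd-arg={a}" for a in args] + ["cmd-arg=<cr>"]


# The "ReadOnly" set from the post above: the listed 'show' arguments are permitted,
# every other argument and every other command is denied.
READ_ONLY = CommandSet("ReadOnly", [
    CommandRule("show", [("permit", p) for p in (
        "interface", "vlan", "snmp contact", "power inline", "version", "switch",
        "controllers utilization", "env all", "snmp location",
        "ip http server status", "logging")]),
])

# A constructed set with Unmatched Commands = permit, as the 2900XL post describes:
# everything not explicitly denied goes through, so a switch that still denies
# every command is not applying this set at all.
PERMIT_ALL = CommandSet("PermitAll",
                        [CommandRule("configure", [("deny", "terminal")])],
                        permit_unmatched_commands=True)


if __name__ == "__main__":
    for cmd_set, req in [
        (READ_ONLY, request("show", "version")),
        (READ_ONLY, request("show", "running-config")),
        (READ_ONLY, request("configure", "terminal")),
        (PERMIT_ALL, request("show", "running-config")),
        (PERMIT_ALL, request("configure", "terminal")),
    ]:
        verdict, reason = authorize(cmd_set, req)
        print(f"{cmd_set.name:10} {verdict:6} {reason}")
```

Two points the model makes visible: the set only decides at execution time, which is why "show ?" on the switch still lists every show command for a ReadOnly user (the help output is produced by the parser, not by an authorization request), and with Unmatched Commands = permit a deny on the device cannot come from the set itself, which points at the device-to-group mapping, as the PIX poster found.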
ASDM and privilege level (using TACACS)
Hi experts,
Initial question: How can I force ASDM to ask for the enable password when the user clicks on Apply?
Environment description:
I have an ASA 5510 connected to an ACS 5.0.
Security policy:
I want the user defined on my ACS to be able to gain privilege level 15 but only after using their enable password. But by default the user must be in no privileged mode (<15).
A SNMP alert is sent when the ASA catches a "User priv level changed" syslog message. (logging customization)
ACS configuration:
Maybe I misunderstand the TACACS privilege level parameters on ACS.
I set a Shell Profile which gives the user the following privilege levels:
Default Privilege Level = 7
Maximum Privilege Level = 15
1st config tested on ASA:
aaa authentication ssh console grp-tacacs LOCAL
aaa authentication http console grp-tacacs LOCAL
aaa authentication enable console grp-tacacs LOCAL
! no authorization set
Results:
On CLI: perfect
My user authenticates with his network password to get EXEC access. Then he gains privilege access using the enable command and his enable password
On ASDM: policy security failure
When the user connects through ASDM, he gains privilege level 15 directly
It seems that if authorization is not set, ASDM always gives privilege level 15 to any user
So OK for CLI, but NOK for ASDM
2nd config tested on ASA:
aaa authentication ssh console grp-tacacs LOCAL
aaa authentication http console grp-tacacs LOCAL
aaa authentication enable console grp-tacacs LOCAL
aaa authorization exec authentication-server
! no authorization command set
Results:
On CLI: lose enable access
I can't gain privilege level 15 access anymore. When I use the enable command, I move to privilege level 7 only. So in this case the ASA uses the TACACS Default Privilege Level value.
On ASDM: policy security failure
When the user connects through ASDM, he gains privilege level 7 as described on the bottom of the ASDM window BUT the user has full rights and can change settings.
So NOK for CLI and ASDM
Question: Why do I have more access rights with ASDM than on CLI with the same settings?
3rd config tested on ASA:
aaa authentication ssh console grp-tacacs LOCAL
aaa authentication http console grp-tacacs LOCAL
aaa authentication enable console grp-tacacs LOCAL
aaa authorization exec authentication-server
aaa authorization command LOCAL
! specific authorization command set for ASDM applied
Results:
On CLI: lose enable access (same as config 2)
On ASDM: unable to gain privilege level 15 --> acceptable
When the user connects through ASDM, he gains privilege level 7 as described on the bottom of the ASDM window AND the user really has level 7 access rights.
So NOK for CLI and Acceptable for ASDM
Question: Is there no possibility to move to enable mode on ASDM ?
4th config tested on ASA:
aaa authentication ssh console grp-tacacs LOCAL
aaa authentication http console grp-tacacs LOCAL
aaa authorization exec authentication-server
aaa authorization command LOCAL
! no aaa authentication for 'enable access', using local enable_15 account
! specific authorization command set for ASDM applied
Results:
On CLI: acceptable
My user authenticates with his network password to get EXEC access. Then he gains privilege access using the enable command and the local enable password
On ASDM: unable to gain privilege level 15 --> acceptable (same as config 3)
So Acceptable for CLI and ASDM
Questions review:
1 - Is it possible to force ASDM to ask for the enable password when the user clicks on Apply?
2 - Why do I have different access rights using ASDM than on CLI with the same settings?
3 - Is there no possibility to move to enable mode on ASDM when the user is on privilege level 7 whereas he has Maximum Privilege Level = 15 ?
4 - How may I understand these parameters on TACACS: Default Privilege Level and Maximum Privilege Level ?
Thanks for your help.
Thanks for your answer jedubois.
In fact, my security policy is like this:
A) Authentication has to be nominative with password enforcement policy
--> I'm using CS ACS v5.1 appliance with local user database on it
B) Every "network" user can be granted privilege level 15
--> max user privilege level is set to 15 in my authentication mechanism on ACS
C) A "network" user can log onto the network equipment (RTR, SW and FW) but has monitor access only at first.
D) A "network" user can be granted privilege level 15 after a second authentication which generates a log message
--> SNMP trap sent to supervision server
E) The user password and enable password have to be personal.
So, I need only 2 privilege levels:
- monitor (any level from 1 to 14. I set 7)
- admin (level 15)
For RTR, SW and FW (on CLI), it works as wanted: the "network" users connect to the equipment in monitor mode. They type "enable" and use their private enable password to be granted privilege level 15.
ASDM interface is requested by the customer.
For ASDM, as I was not able to satisfy the security policy, I applied this:
1- I activated Exec Shell Access authorization to get the default user privilege level value from ACS
--> Then, when I log onto the ASDM using a "network" user, I have privilege level 7 but I am able to change the parameters.
2- I activated LOCAL Command authorization (adding "ASDM defined User Roles")
--> Then, when I log onto the ASDM using a "network" user, I have privilege level 7 and I can't push any modification.
--> The issue is that I can't push any modification on CLI either ... :-( because my user is stuck on "default privilege level" 7 and can't get access to "max privilege level 15" as defined on ACS when LOCAL authorization is set
(OK, I go on my ACS and move the default privilege level to 15 to restore admin access to the ASA and apply 3- before resetting the default privilege level to 7)
3- I remove "aaa authorization enable console TACACS" to use local enable password
--> now I can't get admin access on ASDM: OK
--> and I can get admin access on CLI entering the local enable password
At the end, I satisfy my policy security tokens A to D but not E. That's a good compromise but do you see a solution to satisfy E either ?
Thanks -
Command authorization issue.
Hello.
I'm using commands authorization with Cisco Secure ACS 4.1. This morning I'm going to set the MOTD and entries fail because my banner starts with a blank.
The shell command set that I'm using is a "permit unmatched commands".
Any idea?
Thanks.
Andrea
What you're experiencing is a known defect:
CSCtg38468 cat4k/IOS: banner exec failed with blank characters
Symptom:
%PARSE_RC-4-PRC_NON_COMPLIANCE:
The above parser error can be seen together with a traceback, when configuring a banner containing a blank character at the beginning of a line.
Conditions:
Problem happens, when AAA authorization is used together with TACACS+
Workaround:
Make sure there is no blank character at the beginning of a line in the banner message.
Problem Details: trying to configure banner exec with blank character at beginning of line failed.
This happens when configuring the banner exec via telnet/ssh !
When configuring the same banner exec via console-port, everything is fine.
Note the blank characters at beginning of each line. When removing those, banner exec works fine.
Again, this was working till IOS version 12.2(46)SG.
Beginning with 12.2(50)SG1 and up, the behaviour has changed.
~BR
Jatin Katyal
**Do rate helpful posts** -
Cisco ACS command authorization sets
I need help on the following please.
1. - I am using ACS as TACACS server to control IOS authorization on all our Switches. However, I cannot deny telnet sessions to other devices from within CatOS - does anyone know the command authorization set to deny this within ACS ????
2. Does anyone know where I can read up on command authorization sets for ACS ??
3. What is the debug command for CatOS to see cli output ?
Many thanks
Rod
Thanks for your info. I have solved my problem -
1. I enabled tacacs administration logging using the command on the switch: aaa authorization commands 15 default group tacacs+
This let me see what was happening every time I entered a command on CatOS - via the logging monitor on ACS. From here I was able to see that when I was trying to telnet to a device from CatOS it was doing it in privilege mode 1. I then entered this command: aaa authorization commands 1 default group tacacs+ which solved my telnet problem.
Problem resolved.
Many thanks. -
Slow response of Authorization using ACS4.2
We had encountered a slow response of command authorization with Cisco 3750 using the TACACS+ protocol to communicate with Cisco ACS 4.2. When we copy and paste more than 20 command lines, it requires more than 15s to complete and sometimes fails with "authorization failed". It seems that single connection can help, but the TACACS connection is then kept connected between ACS and switch. Not sure about any performance impact to the Cisco ACS 4.2 and the maximum sessions it can handle.
Any advice???
laut
Can anyone share their experience of authorization with Cisco 3750 & ACS4.2?
Thanks.
laut -
Asa cmd authorization using acs
Hi all, I was trying to authorize the ASA with ACS 3.2 on priv lvl 7 using TACACS+, but the users were getting priv-lvl 15 only..
aaa-server aaa_serv protocol tacacs+
aaa-server aaa_serv host 10.0.0.10
key cisco123
aaa authentication serial console tac_serv
aaa authentication telnet console tac_serv
aaa authentication enable console tac_serv
aaa authorization command tac_serv
I had also brought some commands into priv 7 using the privilege command, but the problem is that when I try to login I am getting priv-lvl 15 only, not 7. I had also set in the TACACS+ settings in ACS to assign priv lvl=7 only to the users, but I don't know why it is not working.
ASA does not have any authorization exec command so Priv Level does not work with ASA.
Max privilege (enable attrib. in ACS) works with ASA.
But if you are implementing command authorization with ASA there is no need to configure max priv levels; let them all fall on priv level 15 and control access through command authorization.
2 main commands required for command authorization are
aaa authentication enable console tac_serv (this is because we do not have authorization exec in ASA so enable authentication is required for command auth to work)
aaa authorization command tac_serv