Re: Does ASA support EXEC Authorization, which logs the user

From: Edouard Zorrilla <ezorrilla_at_tsf.com.pe>
Date: Tue, 30 Mar 2010 05:55:28 -0700

Thanks a lot Sir,

So, what does this command mean:

"aaa authorization exec authentication-server"

Here inside the documentation :
http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_aaa.html

I see that it says :

"To enforce user-specific access levels for users who authenticate for
management access (see the aaa authentication console LOCAL command), enter
the following command:
hostname(config)# aaa authorization exec authentication-server
This command enables management authorization for local users and for any
users authenticated by RADIUS, LDAP, and TACACS+. See the "Limiting User CLI
and ASDM Access with Management Authorization" section on page 37-7 for
information about configuring a user on a AAA server to accommodate
management authorization."

and here are the details :

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_management.html#wpxref11719

So it means that I should be able to perform exec authorization the same as
I do with routers, is that ok or am I missing something else ?

Regards

----- Original Message -----
From: "Paul Stewart" <pestewart_at_gmail.com>
To: "Edouard Zorrilla" <ezorrilla_at_tsf.com.pe>
Cc: <security_at_groupstudy.com>; <ccielab_at_groupstudy.com>
Sent: Tuesday, March 30, 2010 2:45 AM
Subject: Re: Does ASA support EXEC Authorization, which logs the user
directly into enable mode after authentication?

> Exec authorization is supported, but enable still requires
> authorization. Without exec authorization enabled, local users can
> ssh to the firewall even if they are just set to remote-access. By
> enabling exec authorization, this attribute is honored. However, it
> does not put the user into enable mode even if they are set
> service-type admin.
>
> On Mon, Mar 29, 2010 at 5:48 PM, Edouard Zorrilla <ezorrilla_at_tsf.com.pe>
> wrote:
>> Guys,
>>
>> Have you seen this link:
>>
>> http://www.aboutcisco.biz/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml#ASAececAuth
>>
>> It says that the EXEC Authorization feature is not supported in ASA.
>>
>> If that is true, why do I have this command :
>>
>> Rack1ASA10-6-254(config)# aaa authorization exec authentication-server
>> ?
>>
>> Rack1ASA10-6-254(config)# sh ver | i Version
>> Cisco Adaptive Security Appliance Software Version 8.3(1)
>> Device Manager Version 6.3(1)
>> Rack1ASA10-6-254(config)#
>>
>> I understand that with this command I should be able to perform exec
>> authorization on ASA
>>
>> Thanks a lot.
>>
>> Regards
>
>
> Blogs and organic groups at http://www.ccie.net

Received on Tue Mar 30 2010 - 05:55:28 ART
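
Added example, not part of the original thread or of Cisco's documentation: a small audit that reads an ASA running-config and lists local users set to `service-type remote-access` whose restriction is not honored for management logins because `aaa authorization exec authentication-server` is absent, as described in the quoted reply. The sample config, user names and function names are constructed, and treating a user with no explicit `service-type` as `admin` is an assumption.

```python
import re

# Constructed running-config fragment for illustration (not from the thread).
SAMPLE_CONFIG = """\
aaa authentication ssh console LOCAL
username vpnuser password CONSTRUCTED-1 encrypted
username vpnuser attributes
 service-type remote-access
username netadmin password CONSTRUCTED-2 encrypted privilege 15
username helpdesk password CONSTRUCTED-3 encrypted
username helpdesk attributes
 service-type nas-prompt
"""

EXEC_AUTHZ = "aaa authorization exec authentication-server"


def parse_service_types(config):
    """Map each local user to its service-type.

    Assumption: a user with no explicit service-type is treated as "admin".
    """
    users, current = {}, None
    for line in config.splitlines():
        head = re.match(r"username (\S+) ", line)
        if head:
            current = head.group(1)
            users.setdefault(current, "admin")
            continue
        attr = re.match(r"\s+service-type (\S+)", line)
        if attr and current:
            users[current] = attr.group(1)
        elif not line.startswith(" "):
            current = None  # left the "username ... attributes" sub-mode
    return users


def exec_authorization_enabled(config):
    """True if the exact command quoted in the thread is present."""
    return any(line.strip() == EXEC_AUTHZ for line in config.splitlines())


def unenforced_remote_access_users(config):
    """Users set to remote-access whose restriction is not honored for
    management logins because exec authorization is off."""
    if exec_authorization_enabled(config):
        return []
    return sorted(u for u, s in parse_service_types(config).items()
                  if s == "remote-access")
```
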

This archive was generated by hypermail 2.2.0 : Thu Apr 01 2010 - 07:26:36 ART