RE: ASA Authorization exec, is it possible ?

From: Tyson Scott <tscott_at_ipexpert.com>
Date: Tue, 30 Mar 2010 09:55:33 -0400

Edouard,

If you are using TACACS+, this command requires that the shell attribute is
checked to allow the user to connect to the ASA. Without the shell
attribute the user is not allowed to connect. With RADIUS you have to have
RADIUS Attribute 6 set to Administrative for full access or NAS-Prompt
for limited access; Outbound for the attribute denies shell access.

The following document outlines this configuration.

http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_management.html#wp1070306

As already discussed with this configuration access to enable mode is still
required separately. This doesn't allow the user to automatically connect
to privilege 15 like IOS based devices.

Regards,
 
Tyson Scott - CCIE #13513 R&S, Security, and SP
Technical Instructor - IPexpert, Inc.
Mailto: tscott_at_ipexpert.com
Telephone: +1.810.326.1444, ext. 208
Live Assistance, Please visit: www.ipexpert.com/chat
eFax: +1.810.454.0130

IPexpert is a premier provider of Self-Study Workbooks, Video on Demand,
Audio Tools, Online Hardware Rental and Classroom Training for the Cisco
CCIE (R&S, Voice, Security & Service Provider) certification(s) with
training locations throughout the United States, Europe, South Asia and
Australia. Be sure to visit our online communities at
www.ipexpert.com/communities and our public website at www.ipexpert.com

-----Original Message-----
From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Ryan West
Sent: Tuesday, March 30, 2010 9:29 AM
To: Edouard Zorrilla; security_at_groupstudy.com
Cc: ccielab_at_groupstudy.com
Subject: RE: ASA Authorization exec, is it possible ?

Edouard,

> -----Original Message-----
> Sent: Tuesday, March 30, 2010 9:04 AM
> To: Ryan West; security_at_groupstudy.com
> Cc: ccielab_at_groupstudy.com
> Subject: Re: ASA Authorization exec, is it possible ?
>
> Thanks a lot Ryan,
>
> So, what is this command for :
>
> "aaa authorization exec authentication-server"
>

To be honest, I have not seen this command before, but after a little
testing, it seems to be the same as typing

aaa authentication enable console LOCAL

Assuming you are running local authentication and have set your admin users
to priv 15. I'll test this out with TACACS later as it simplifies my
configs a little. I want to see if it will follow the fall-back method as
well.

-ryan

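The setup Tyson describes (TACACS+ shell attribute, RADIUS Attribute 6 / Service-Type) together with the `aaa authorization exec authentication-server` command Ryan tested, as an added configuration example; it is not from either poster or from the Cisco document linked above. The server names, addresses, shared keys, usernames, passwords and the server-side file syntax (a Shrubbery tac_plus `tac_plus.conf` stanza and a FreeRADIUS `users` entry) are assumptions for illustration; the ASA commands are the 8.x ones discussed in the thread:

```text
! ---- ASA side (assumed names and addresses) ----
! TACACS+ group with LOCAL fallback so you are not locked out if the server is down
aaa-server TAC protocol tacacs+
aaa-server TAC (inside) host 192.0.2.10
 key Tacacs-Shared-Secret
!
! RADIUS group, same idea
aaa-server RAD protocol radius
aaa-server RAD (inside) host 192.0.2.20
 key Radius-Shared-Secret
!
! Local fallback account; privilege 15 so it gets full access under management authorization
username admin password Str0ngP4ss privilege 15
!
! Authenticate SSH logins and "enable" against TACACS+, then LOCAL
aaa authentication ssh console TAC LOCAL
aaa authentication enable console TAC LOCAL
!
! Management authorization: the ASA now checks the server-returned attribute
! (TACACS+ shell/exec service, RADIUS Service-Type, or local privilege level)
! and refuses the login if it does not grant management access.
! As noted in the thread, users still type "enable" separately.
aaa authorization exec authentication-server

# ---- tac_plus.conf (assumed syntax) ----
# The "service = exec" stanza is the shell attribute; a user with no exec
# service is denied when management authorization is on.
user = edouard {
    login = cleartext "Edouard-Passw0rd"
    service = exec {
        priv-lvl = 15
    }
}
user = readonly {
    login = cleartext "ReadOnly-Passw0rd"
    # no "service = exec" stanza: cannot log in to the ASA at all
}

# ---- FreeRADIUS users file (assumed syntax) ----
# Service-Type is IETF attribute 6. Administrative-User (6) = full access,
# NAS-Prompt-User (7) = limited access, Outbound-User (5) = shell access denied.
edouard   Cleartext-Password := "Edouard-Passw0rd"
          Service-Type = Administrative-User
helpdesk  Cleartext-Password := "Helpdesk-Passw0rd"
          Service-Type = NAS-Prompt-User
vpnonly   Cleartext-Password := "Vpn-Passw0rd"
          Service-Type = Outbound-User
```

Before turning on `aaa authorization exec authentication-server` on a production box, keep a second session open and confirm the LOCAL fallback user can still log in; with the command active, a server record that lacks the shell/exec service or returns Outbound-User denies the login outright rather than dropping the user to a low privilege level.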
Blogs and organic groups at http://www.ccie.net
Received on Tue Mar 30 2010 - 09:55:33 ART

This archive was generated by hypermail 2.2.0 : Thu Apr 01 2010 - 07:26:36 ART