Tyson,
> -----Original Message-----
> Sent: Tuesday, March 30, 2010 9:56 AM
> To: Ryan West; 'Edouard Zorrilla'; security_at_groupstudy.com
> Cc: ccielab_at_groupstudy.com
> Subject: RE: ASA Authorization exec, is it possible ?
>
> Edouard,
>
> If you are using TACACS+ this command requires that the shell attribute is
> checked to allow the user to connect to the ASA. Without the shell
> attribute the user is not allowed to connect. With RADIUS you have to have
> the RADIUS Attribute 6 set to administrative for full access or NAS-Prompt
> for limited access. Outbound for the attribute denies shell access.
>
> The following document outlines this configuration.
>
> http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_management.html#wp1070306
>
> As already discussed with this configuration access to enable mode is still
> required separately. This doesn't allow the user to automatically connect
> to privilege 15 like IOS based devices.
>
Regardless of Shell exec checked, it does not seem to matter. I'm still able to connect and issue config commands:
aaa authentication telnet console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication http console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa accounting command TACACS
aaa accounting enable console TACACS
aaa accounting ssh console TACACS
aaa authorization exec authentication-server
I'm having a bit of trouble deciphering what it does from the config guide as well:
From 8.2 config guide:
TACACS+ users: Authorization is requested with the "service=shell" and the server responds with PASS or FAIL.
- PASS, privilege level 1: Allows full access to any services specified by the aaa authentication console commands.
- PASS, privilege level 2 and higher: Allows access to the CLI when you configure the aaa authentication {telnet | ssh} console command, but denies ASDM configuration access if you configure the aaa authentication http console command. ASDM monitoring access is allowed. If you configure enable authentication with the aaa authentication enable console command, the user cannot access privileged EXEC mode using the enable command.
- FAIL: Denies management access. The user cannot use any services specified by the aaa authentication console commands (excluding the serial keyword; serial access is allowed).
With the AAA configured as above, the following debugs are produced:
Received TACACS packet. Session id:2113109178 seq no:2
tacp_procpkt_author: PASS_ADD
tacp_procpkt_author: PASS_REPL
Attributes = priv-lvl
Seems to be ignoring the shell=exec, any ideas?
Thanks,
-ryan
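To make the exchange behind those debug lines concrete, here is an added Python example (not from the thread, the ASA, or Cisco) that encodes the authorization REQUEST body the client sends with service=shell and decodes a constructed REPLY carrying priv-lvl, following the body layouts in RFC 8907. The TACACS+ header and the MD5 body obfuscation are out of scope; the user, port, address and privilege values are constructed.

```python
import struct

# TACACS+ authorization REPLY status codes (RFC 8907, section 6.2).
# The ASA debug in this thread prints the same names (PASS_ADD, PASS_REPL).
AUTHOR_STATUS = {0x01: "PASS_ADD", 0x02: "PASS_REPL", 0x10: "FAIL",
                 0x11: "ERROR", 0x21: "FOLLOW"}

def build_author_request(user, port="ssh", rem_addr="", priv_lvl=1,
                         args=("service=shell", "cmd*")):
    """Encode an authorization REQUEST body (RFC 8907, section 6.1).
    authen_method=6 (TACACS+), authen_type=1 (ASCII), authen_service=1 (LOGIN)."""
    user_b, port_b, rem_b = user.encode(), port.encode(), rem_addr.encode()
    arg_bs = [a.encode() for a in args]
    body = struct.pack("!BBBBBBBB", 0x06, priv_lvl, 0x01, 0x01,
                       len(user_b), len(port_b), len(rem_b), len(arg_bs))
    body += bytes(len(a) for a in arg_bs)          # one length byte per argument
    return body + user_b + port_b + rem_b + b"".join(arg_bs)

def build_author_reply(status, attrs=(), server_msg=""):
    """Encode a REPLY body; used here to construct the server side of the exchange."""
    arg_bs = [a.encode() for a in attrs]
    msg_b = server_msg.encode()
    body = struct.pack("!BBHH", status, len(arg_bs), len(msg_b), 0)  # data_len = 0
    body += bytes(len(a) for a in arg_bs)
    return body + msg_b + b"".join(arg_bs)

def parse_author_reply(body):
    """Decode a REPLY body. Returns (status_name, {attribute: value}, server_msg)."""
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    arg_lens = body[off:off + arg_cnt]
    off += arg_cnt
    server_msg = body[off:off + msg_len].decode()
    off += msg_len + data_len                      # skip the opaque data field
    attrs = {}
    for n in arg_lens:
        arg = body[off:off + n].decode()
        off += n
        # Separator is the first '=' (mandatory) or '*' (optional) in the argument.
        idx = next((i for i, c in enumerate(arg) if c in "=*"), len(arg))
        attrs[arg[:idx]] = arg[idx + 1:]
    return AUTHOR_STATUS.get(status, f"UNKNOWN(0x{status:02x})"), attrs, server_msg

if __name__ == "__main__":
    req = build_author_request("ryan", port="ssh", rem_addr="10.0.0.5")  # constructed
    # Constructed reply matching the thread's debug: PASS_REPL with a priv-lvl attribute.
    reply = build_author_reply(0x02, ["priv-lvl=15"])
    print(len(req), parse_author_reply(reply))
```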
Received on Tue Mar 30 2010 - 14:57:48 ART