Never mind, it works as advertised. It seems the least restrictive settings are passed, group shell exec was overriding an individual user. Likewise, when the user was set for shell exec, it was overriding the group setting as unchecked. Both set to unchecked and no CLI.
Thanks,
-ryan
> -----Original Message-----
> From: nobody_at_groupstudy.com [mailto:nobody_at_groupstudy.com] On Behalf Of Ryan West
> Sent: Tuesday, March 30, 2010 10:58 AM
> To: Tyson Scott; 'Edouard Zorrilla'; security_at_groupstudy.com
> Cc: ccielab_at_groupstudy.com
> Subject: RE: ASA Authorization exec, is it possible ?
>
> > Edouard,
> >
> > If you are using TACACS+ this command requires that the shell attribute is
> > checked to allow the user to connect to the ASA. Without the shell
> > attribute the user is not allowed to connect. With RADIUS you have to have
> > the RADIUS Attribute 6 set to administrative for full access or NAS-Prompt
> > for limited access. Outbound for the attribute denies shell access.
> >
> > The following document outlines this configuration.
> >
> > http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_management.html#wp1070306
> >
> > As already discussed with this configuration access to enable mode is still
> > required separately. This doesn't allow the user to automatically connect
> > to privilege 15 like IOS based devices.
Received on Tue Mar 30 2010 - 15:04:14 ART