With exec authorization, it is a limit to a service type, not placing
you into a certain exec level like IOS. At least that is my experience.
On Mar 30, 2010, at 8:55 AM, "Edouard Zorrilla" <ezorrilla_at_tsf.com.pe>
wrote:
> Thanks a lot Sir,
>
> So, what does this command mean:
>
> "aaa authorization exec authentication-server"
>
> Here inside the documentation :
> http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_aaa.html
>
> I see that it says :
>
> "To enforce user-specific access levels for users who authenticate
> for management access (see the aaa authentication console LOCAL
> command), enter the following command:
> hostname(config)# aaa authorization exec authentication-server
> This command enables management authorization for local users and
> for any users authenticated by RADIUS, LDAP, and TACACS+. See the
> "Limiting User CLI and ASDM Access with Management Authorization"
> section on page 37-7 for information about configuring a user on a
> AAA server to accommodate management authorization."
>
> and here are the details :
>
> http://www.cisco.com/en/US/docs/security/asa/asa82/configuration/guide/access_management.html#wpxref11719
>
> So it means that I should be able to perform exec authorization the
> same as I do with routers. Is that OK, or am I missing something else?
>
> Regards
>
> ----- Original Message ----- From: "Paul Stewart"
> <pestewart_at_gmail.com>
> To: "Edouard Zorrilla" <ezorrilla_at_tsf.com.pe>
> Cc: <security_at_groupstudy.com>; <ccielab_at_groupstudy.com>
> Sent: Tuesday, March 30, 2010 2:45 AM
> Subject: Re: Does ASA support EXEC Authorization, which logs the
> user directly into enable mode after authentication?
>
>
>> Exec authorization is supported, but enable still requires
>> authorization. Without exec authorization enabled, local users can
>> ssh to the firewall even if they are just set to remote-access. By
>> enabling exec authorization, this attribute is honored. However, it
>> does not put the user into enable mode even if they are set
>> service-type admin.
>>
>> On Mon, Mar 29, 2010 at 5:48 PM, Edouard Zorrilla <ezorrilla_at_tsf.com.pe> wrote:
>>> Guys,
>>>
>>> Have you seen this link:
>>>
>>> http://www.aboutcisco.biz/en/US/products/hw/vpndevc/ps2030/products_qanda_item09186a00805b87d8.shtml#ASAececAuth
>>>
>>> It says that the EXEC Authorization feature is not supported in ASA.
>>>
>>> If that is true, why do I have this command :
>>>
>>> Rack1ASA10-6-254(config)# aaa authorization exec authentication-server
>>> ?
>>>
>>> Rack1ASA10-6-254(config)# sh ver | i Version
>>> Cisco Adaptive Security Appliance Software Version 8.3(1)
>>> Device Manager Version 6.3(1)
>>> Rack1ASA10-6-254(config)#
>>>
>>> I understand that with this command I should be able to perform exec
>>> authorization on ASA.
>>>
>>> Thanks a lot.
>>>
>>> Regards
>>
>>
>> Blogs and organic groups at http://www.ccie.net
>>
>> _______________________________________________________________________
>> Subscription information may be found at:
>> http://www.groupstudy.com/list/CCIELab.html
Received on Tue Mar 30 2010 - 12:31:28 ART
This archive was generated by hypermail 2.2.0 : Thu Apr 01 2010 - 07:26:36 ART
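
Added example (not part of the original thread and not Cisco's code): a small Python check that applies the behaviour described in the thread to an ASA configuration dump, listing local users set to service-type remote-access while no "aaa authorization exec" line is present. The sample configuration, usernames, password placeholders and the function name are constructed for illustration.

```python
import re

# Constructed sample of an ASA running-config (not taken from the thread).
SAMPLE_CONFIG = """\
username vpnuser password EXAMPLEHASH1 encrypted
username vpnuser attributes
 service-type remote-access
username netadmin password EXAMPLEHASH2 encrypted privilege 15
username netadmin attributes
 service-type admin
username helpdesk password EXAMPLEHASH3 encrypted privilege 5
aaa authentication ssh console LOCAL
"""


def audit_exec_authorization(config):
    """Report whether the service-type of local users is being enforced.

    Follows the thread: without 'aaa authorization exec ...' a local user
    set to 'service-type remote-access' can still SSH to the firewall.
    """
    users = {}          # username -> configured service-type, or "unset"
    current = None      # user whose 'attributes' sub-mode we are inside
    exec_authz = False
    for raw in config.splitlines():
        line = raw.strip()
        if not raw.startswith(" "):
            current = None          # a top-level line ends any sub-mode
        m = re.match(r"username (\S+)\s", line)
        if m:
            users.setdefault(m.group(1), "unset")
            if line.endswith(" attributes"):
                current = m.group(1)
        elif current and line.startswith("service-type "):
            users[current] = line.split()[1]
        elif line.startswith("aaa authorization exec "):
            exec_authz = True
    # remote-access users only matter while the attribute is not honored
    exposed = [] if exec_authz else sorted(
        u for u, s in users.items() if s == "remote-access")
    return {"exec_authorization": exec_authz,
            "service_types": users,
            "not_enforced_for": exposed}


if __name__ == "__main__":
    print(audit_exec_authorization(SAMPLE_CONFIG))
```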