[c-nsp] PIX or ASA Privilege level access issue

Robert Maier desolationrob at gmail.com
Fri Nov 19 10:05:26 EST 2010


simple answer

It's NOT possible to assign priv level on PIX/ASA, you still have to type 
in "enable".

There is no such thing as exec authorization via aaa in the OS of the 
firewalls. It's only possible in CATOS/IOS/NX-OS.

On 19.11.2010 15:29, David White, Jr. (dwhitejr) wrote:
> Hi Edward,
>
> It sounds like you are missing the following line in your configuration:
>     aaa authorization exec authentication-server
>
> Issue "show curpriv" after the user logs in to verify they are assigned
> the correct privilege level from the Radius server.
>
> Sincerely,
>
> David.
>
> Edward Iong wrote:
>> Dear All,
>>
>> We have encountered an issue as we assign privilege levels in PIX or ASA with a Microsoft IAS server.
>> We plan to set RO and RW access for users to have different privilege levels to access Cisco devices.
>> We have tested that switches and routers do not have the RO (router>) non-privileged level issue. But in ASA/PIX, a user account which is in the RO group, which has "shell:priv-lvl=1 or 5" set, can access privileged mode (prompt is router#).
>> itestmo is a RO group
>> From PIX or ASA.
>> "
>> Username: ittestmo
>> Password: *******
>> Type help or '?' for a list of available commands.
>> MOOFFW01>  EN
>> Password: *******
>> MOOFFW01#
>> "
>> From Switch or router
>> "
>> User Access Verification
>> Username: ittestmo
>> Password:
>> MOOFSW01>EN
>> Password:
>> % Access denied
>> MOOFSW01>
>> "
>> Could anyone let me know how to use this issue?
>>
>> Thanks and Regards,
>>
>> Edward
>> _______________________________________________
>> cisco-nsp mailing list  cisco-nsp at puck.nether.net
>> https://puck.nether.net/mailman/listinfo/cisco-nsp
>> archive at http://puck.nether.net/pipermail/cisco-nsp/
>>
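As an added example (not part of the thread, and not Cisco's or anyone's tooling), here is a small audit script a defender can run over captured login transcripts like the two Edward pasted. It reads the privilege level the RADIUS server handed back in the Cisco-AVPair (`shell:priv-lvl=N`, the attribute Edward's group uses) and checks whether the session actually ended at the `#` prompt, so a RO account reaching enable mode is flagged instead of discovered by accident. The two transcripts inside are constructed to mirror the ones in the thread; the prompt-matching regex and the verdict labels are this example's own assumptions.

```python
"""Audit captured Cisco login transcripts against the RADIUS-assigned priv level.

Added example for the cisco-nsp thread above; the transcripts below are
constructed from the sessions quoted in the thread, not captured here.
"""
import re

# Constructed sample: firewall session where the RO user reaches '#'.
ASA_SESSION = """Username: ittestmo
Password: *******
Type help or '?' for a list of available commands.
MOOFFW01>  EN
Password: *******
MOOFFW01#
"""

# Constructed sample: switch session where enable is refused.
IOS_SESSION = """User Access Verification
Username: ittestmo
Password:
MOOFSW01>EN
Password:
% Access denied
MOOFSW01>
"""

# A prompt is 'hostname' followed by '>' (user mode) or '#' (privileged mode),
# optionally followed by the command typed at that prompt.  (Assumed format.)
PROMPT_RE = re.compile(r"^(?P<host>[\w.-]+)(?P<mode>[>#])\s*(?P<cmd>.*)$")


def parse_priv_lvl(avpairs):
    """Return the integer level from a 'shell:priv-lvl=N' AV pair, or None."""
    for pair in avpairs:
        m = re.fullmatch(r"shell:priv-lvl=(\d+)", pair.strip())
        if m:
            return int(m.group(1))
    return None


def walk_prompts(transcript):
    """Yield (mode, command) for every prompt line in the transcript."""
    for raw in transcript.splitlines():
        m = PROMPT_RE.match(raw.strip())
        if m:
            yield m.group("mode"), m.group("cmd").strip()


def final_mode(transcript):
    """Return '>' or '#' for the last prompt seen, or None if no prompt."""
    mode = None
    for mode, _cmd in walk_prompts(transcript):
        pass
    return mode


def enable_attempted(transcript):
    """True if the user typed 'en'/'enable' at a user-mode prompt."""
    return any(mode == ">" and cmd.lower() in ("en", "enable")
               for mode, cmd in walk_prompts(transcript))


def audit(transcript, avpairs):
    """Compare the assigned level with the mode the session actually reached.

    Verdict labels are this example's own:
      'escalated'  - level < 15 assigned, yet the session ended at '#'
      'denied'     - enable was attempted and refused, session stayed at '>'
      'ok'         - nothing inconsistent observed
      'no-level'   - no shell:priv-lvl attribute found, cannot judge
    """
    level = parse_priv_lvl(avpairs)
    mode = final_mode(transcript)
    tried = enable_attempted(transcript)
    if level is None:
        verdict = "no-level"
    elif level < 15 and mode == "#":
        verdict = "escalated"
    elif tried and mode == ">":
        verdict = "denied"
    else:
        verdict = "ok"
    return {"level": level, "final_mode": mode, "enable_attempted": tried,
            "verdict": verdict}


if __name__ == "__main__":
    ro_pairs = ["shell:priv-lvl=1"]  # what the RO group is sent (from the thread)
    for name, session in (("ASA", ASA_SESSION), ("IOS", IOS_SESSION)):
        print(name, audit(session, ro_pairs))
```

Run as-is, the firewall transcript comes back `escalated` and the switch transcript `denied`, which is exactly the difference Edward observed: the attribute is the same, only the platform's enforcement differs. The practical use is to feed it your own captured sessions (or syslog/accounting exports reduced to prompt lines) so that any account that is supposed to stay read-only but lands at `#` is surfaced as a finding rather than assumed safe because the RADIUS side looks right.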

