Hi all,

The following command on ASA doesn't seem to have a purpose:

aaa authorization exec authentication-server

I have tried with LOCAL, TACACS+ and RADIUS servers with the following AVs:

LOCAL - Username with priv 15 and service-type of admin
TACACS+ - User account with priv 15 and enabled for shell exec
RADIUS - User account with service type of Administrative

The command "aaa authorization exec authentication-server" doesn't seem to apply the attribute and put the user directly into privileged EXEC mode. I have been dealing with this issue for a long time but I can't find the answer. Is it a bug? I see the same behavior in 8.4 also.

Snippet from http://www.cisco.com/en/US/docs/security/asa/asa80/configuration/guide/mgaccess.html#wp1042028

Limiting User CLI and ASDM Access with Management Authorization

If you configure CLI or enable authentication, you can limit a local user, RADIUS, TACACS+, or LDAP user (if you map LDAP attributes to RADIUS attributes) from accessing the CLI, ASDM, or the enable command.

Note: Serial access is not included in management authorization, so if you configure "aaa authentication serial console", then any user who authenticates can access the console port.

To configure management authorization, perform the following steps:

Step 1: To enable management authorization, enter the following command:

hostname(config)# aaa authorization exec authentication-server

This command also enables support of administrative user privilege levels from RADIUS, which can be used in conjunction with local command privilege levels for command authorization. See the "Configuring Local Command Authorization" section for more information.

Step 2: To configure the user for management authorization, see the following requirements for each AAA server type or local user:

• RADIUS or LDAP (mapped) users: Use the IETF RADIUS numeric Service-Type attribute, which maps to one of the following values. (To map LDAP attributes, see the "LDAP Attribute Mapping" section on page 14-15.)
  – Service-Type 6 (Administrative): Allows full access to any services specified by the "aaa authentication console" commands.
  – Service-Type 7 (NAS prompt): Allows access to the CLI when you configure the "aaa authentication {telnet | ssh} console" command, but denies ASDM configuration access if you configure the "aaa authentication http console" command. ASDM monitoring access is allowed. If you configure enable authentication with the "aaa authentication enable console" command, the user cannot access privileged EXEC mode using the enable command.
  – Service-Type 5 (Outbound): Denies management access. The user cannot use any services specified by the "aaa authentication console" commands (excluding the serial keyword; serial access is allowed). Remote access (IPSec and SSL) users can still authenticate and terminate their remote access sessions.
• TACACS+ users: Authorization is requested with "service=shell" and the server responds with PASS or FAIL.
  – PASS, privilege level 1: Allows full access to any services specified by the "aaa authentication console" commands.
  – PASS, privilege level 2 and higher: Allows access to the CLI when you configure the "aaa authentication {telnet | ssh} console" command, but denies ASDM configuration access if you configure the "aaa authentication http console" command. ASDM monitoring access is allowed. If you configure enable authentication with the "aaa authentication enable console" command, the user cannot access privileged EXEC mode using the enable command.
  – FAIL: Denies management access. The user cannot use any services specified by the "aaa authentication console" commands (excluding the serial keyword; serial access is allowed).
• Local users: Set the "service-type" command. See the "Configuring the Local Database" section on page 14-7. By default, the service-type is admin, which allows full access to any services specified by the "aaa authentication console" commands.

With regards,
Kings
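An added configuration example, not from the post above or from the Cisco document it quotes, showing both sides of the Service-Type mapping that management authorization relies on: the ASA side with a local fallback user, and a FreeRADIUS "users" file entry for an Administrative (6) user beside a NAS-Prompt (7) user. The server tag, interface name, address, shared secret, usernames and passwords are placeholders.

```cisco
! --- ASA side (placeholder names/addresses) ---
aaa-server MGMT-RADIUS protocol radius
aaa-server MGMT-RADIUS (inside) host 192.0.2.10
 key <shared-secret>
! Authenticate SSH logins and the enable command against RADIUS, LOCAL as fallback
aaa authentication ssh console MGMT-RADIUS LOCAL
aaa authentication enable console MGMT-RADIUS LOCAL
! Turn on management authorization so the returned Service-Type is evaluated
aaa authorization exec authentication-server
! Local fallback user; service-type admin is the default, written out explicitly
username netadmin password <password> privilege 15
username netadmin attributes
 service-type admin

! --- FreeRADIUS "users" file (placeholder accounts) ---
! Service-Type names per the RFC 2865 dictionary: Administrative-User = 6, NAS-Prompt-User = 7
! netops-admin   Cleartext-Password := "<password>"
!                Service-Type = Administrative-User
! netops-cli     Cleartext-Password := "<password>"
!                Service-Type = NAS-Prompt-User

! --- Verify what the server actually returns before relying on it ---
! test aaa-server authentication MGMT-RADIUS host 192.0.2.10 username netops-admin password <password>
```

With the quoted document's mapping, netops-admin should get full CLI/ASDM access while netops-cli gets CLI only and no ASDM configuration access; the test command above confirms the authentication path, and "debug radius" on the ASA shows the Service-Type attribute in the Access-Accept.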
