Thanks Piotr. To conclude, we can ignore PIX-ASA for now and use "*Shell Command Authorization Set*" for ASA CTP.

With regards
Kings

On Mon, Aug 8, 2011 at 1:53 AM, Piotr Matusiak <[email protected]> wrote:

> This works for PIX OS version which uses "pixshell" instead of "shell"
> service type. This was sometime before PIX 6.3 and ASA 7. I don't recall
> exact version but it does not matter now.
>
> Regards,
> Piotr
>
>
> 2011/8/7 Kingsley Charles <[email protected]>
>
>> Folks,
>>
>> ASA Cut through proxy is a very important topic for the exam. Has anyone
>> used "*PIX/ASA Command Authorization Set*"? In most docs, I see "*Shell
>> Command Authorization Set*" only used for ASA CTP.
>>
>> Any thoughts?
>>
>> With regards
>> Kings
>>
>>
>> On Fri, Aug 5, 2011 at 4:54 PM, Kingsley Charles <
>> [email protected]> wrote:
>>
>>> Hi all
>>>
>>> In ACS @ Interface Configuration > TACACS+ (Cisco IOS), you have an
>>> option to enable "PIX Shell (pixshell)". In ACS 4.1, this seems to be a
>>> dummy and doesn't have a purpose.
>>> Given below are the issues I observed
>>>
>>>
>>> ASA Shell Access
>>> ================
>>>
>>> I am not able to log in to the ASA using TACACS authentication when the
>>> user account is enabled with "PIX Shell (pixshell)". Only if "Shell (exec)"
>>> is enabled, I am able to log in to the ASA. (Note - You will be able to log in only
>>> into user exec mode. It is a known issue that we can't log in to privilege
>>> exec directly even with priv 15 (tacacs) or administrative (radius)).
>>>
>>>
>>> But the "Shell (exec)" is meant for IOS not ASA.
>>>
>>>
>>> ASA Cut Through Proxy
>>> =====================
>>>
>>> Under "*PIX/ASA Command Authorization Set*" of the user account, you
>>> will be able to select the "PIX/ASA Command Authorization Set". This doesn't
>>> work for ASA Cut Through Proxy authorization.
>>> Even if you use an authorization set under "*Shell Command
>>> Authorization Set*" of Shell, there are inconsistencies.
>>>
>>> Only "Per User Command Authorization" of the "*Shell Command
>>> Authorization Set*" works without any issues.
>>>
>>>
>>> With regards
>>> Kings
>>>
>>
>>
>> _______________________________________________
>> For more information regarding industry leading CCIE Lab training, please
>> visit www.ipexpert.com
>>
>> Are you a CCNP or CCIE and looking for a job? Check out
>> www.PlatinumPlacement.com
>>
