Hi All, correct me if I am wrong, but I believe TACACS is the only protocol which supports command authorisation on ASA/IOS using command authorisation lists on an ACS/AAA server. RADIUS does not support such a design of querying command authorisation lists on an ACS server, and one must set the relevant commands to a lower privilege locally on the device and use this in conjunction with setting a privilege level for the required users on the ACS server.

Assuming the above is true (again, let me know if you think otherwise), I am trying to work out how to do command authorisation on an ASA using RADIUS, when from what I have read at the link below, the ASA ignores the Cisco AV pair "shell:priv-lvl=*value*":

https://supportforums.cisco.com/docs/DOC-2947

Considering the ASA does support the "privilege level" command, how would one utilise commands set with custom privilege levels when performing AAA on an ASA with RADIUS for command authorisation?

This question specifically relates to point 5.24 in the Extended Blueprint, which states "Complex Command Authorization and Privilege Levels, and Relevant Cisco Secure ACS Profiles". Considering this point specifically states using profiles, which I take to mean Network Access Profiles, TACACS cannot be used as it is not supported by NAPs, so I am left with doing command authorisation with RADIUS via NAPs, though I don't know how to do this with an ASA as it does not support the "shell:priv-lvl=*value*" Cisco AV pair to set the privilege level when a user authenticates. Would this be a limitation of the combination of ASA/NAP/Command Authorisation?

Though I haven't tried it yet, I can't see a difficulty doing the above with IOS. I could, though, be understanding the task incorrectly and it may be asking something else.

Any thoughts?

Thanks
_______________________________________________ For more information regarding industry leading CCIE Lab training, please visit www.ipexpert.com Are you a CCNP or CCIE and looking for a job? Check out www.PlatinumPlacement.com
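The RADIUS design the post describes (commands moved to a lower privilege level locally on the device, with the user's level assigned by the ACS server) as a worked configuration. This is an added example, not configuration from the original post, from IPexpert, or from the Cisco document linked above. The RADIUS server address, shared secret, usernames and passwords are constructed placeholders; the choice of level 7 and of which commands to move down to it is an assumption made for illustration. The IOS side relies on the ACS user or group profile returning the Cisco AV pair `shell:priv-lvl=7` (vendor-specific attribute Cisco-AVPair), which the post states IOS honours; the ASA side, since the post states the ASA ignores that attribute, falls back to a local user with an explicit privilege level and LOCAL command authorization.

```cisco
! ===== IOS router: local privilege levels + RADIUS exec authorization =====
aaa new-model
! Constructed RADIUS server address and shared secret (placeholders).
radius-server host 192.0.2.10 auth-port 1812 acct-port 1813 key EXAMPLE-SHARED-SECRET
! Authenticate against RADIUS, fall back to the local database if it is unreachable.
aaa authentication login default group radius local
! Exec authorization is what applies the privilege level returned by the server
! (ACS profile attribute: Cisco-AVPair = "shell:priv-lvl=7").
aaa authorization exec default group radius local
! Move the commands a level-7 operator may run down from level 15 to level 7.
! Everything left at level 15 is denied to that operator without the server
! being asked about individual commands.
privilege exec level 7 show
privilege exec level 7 show running-config
privilege exec level 7 configure terminal
privilege configure level 7 interface
privilege interface level 7 shutdown
privilege interface level 7 no shutdown
! Local fallback account with full rights (constructed credentials).
username fallback-admin privilege 15 secret EXAMPLE-FALLBACK-PASSWORD
line vty 0 4
 login authentication default
 authorization exec default
 transport input ssh

! ===== ASA: same commands moved to level 7, enforced with LOCAL authorization =====
! The post states the ASA ignores the RADIUS shell:priv-lvl attribute, so the
! level comes from the local user entry instead (constructed credentials).
username operator7 password EXAMPLE-OPERATOR-PASSWORD privilege 7
! Lower the selected commands to level 7; unlisted commands stay at level 15.
privilege show level 7 mode exec command running-config
privilege cmd level 7 mode exec command configure
! Check each command against the local privilege table.
aaa authorization command LOCAL
```

On IOS, the verification step is to log in as a user whose ACS profile carries `shell:priv-lvl=7` and confirm with `show privilege` that the session landed at level 7, then that `show running-config` succeeds while a level-15-only command such as `write memory` is refused. On the ASA the same check applies after `enable 7`, with `show curpriv` reporting the effective level.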
