Re: AAA Command authorization on ASA

Chewbakka1 · ‎01-25-2018

Hi,

I am trying to get AAA command authorization to work on an Asa running 9.6. without any luck..

Authentication seems to be working fine, but for some reason the Asa rejects all commands.

My config looks like this:

group = read-only {
        service = exec {
                priv-lvl = 15
        }
        cmd = show {
                permit .*
        }
}

user = bob {
                login = des $1$VF$kBvTjygux4xdkHjGUSSwd1
                service = shell { priv-lvl=5 }
                member = read-only
        }

The ASA has the following configuration:

aaa-server TEST (outside) host x.y.z.w
 key *****
aaa authorization command TEST

The traffic is reaching the server just fine (as authentication towards the same server works), but for some reason all commands are rejected.

Any ideas?

marce1000 · ‎01-26-2018

- Which error is produced , then, on a rejected command ?

M.

-- ' 'Good body every evening' ' this sentence was once spotted on a logo at the entrance of a Weight Watchers Club !

peppe-bahnhof · ‎01-26-2018

Chewbakka1 · ‎01-26-2018

I omitted the group membership for user bob.

user = bob {
                default service = deny
                name = "bob"
                login = des $1$VF$kBGTjygux4xckHjGUSSwd1
                service = exec { priv-lvl=15 }
                cmd = show { permit "run|arp|config" }
                #member = read-only
        }

The logs outputs the following:

Fri Jan 26 14:26:34 2018 [32068]: Start authorization request
Fri Jan 26 14:26:34 2018 [32068]: do_author: user='enable_15'
Fri Jan 26 14:26:34 2018 [32068]: user 'enable_15' found
Fri Jan 26 14:26:34 2018 [32068]: authorize_cmd: user=enable_15, cmd=show
Fri Jan 26 14:26:34 2018 [32068]: cmd show does not exist, denied by default
Fri Jan 26 14:26:34 2018 [32068]: authorization query for 'enable_15' 22 from x.y.z.w rejected

Chewbakka1 · ‎01-30-2018

A test with the same server configuration against an IOS switch was made, without any problems.