On Cisco IOS devices, we can set privilege level 15 on the VTY lines so that users land in privilege level 15 as soon as they connect to the device. The commands used on IOS devices do not apply to ASA code. However, the ASA has a different command that gives a similar result. This command is part of the AAA configuration on the ASA.
Let’s create three usernames on the ASA: one with privilege 1, another with privilege 2, and the last with privilege 15. Once we have created the users, we will SSH into the ASA and verify each one's privilege level.
Now we will SSH into the ASA with each user and we will verify their privilege levels:
As we can see, all of them are assigned privilege 1, including the username test15, which was configured with privilege 15. This behavior is expected on the ASA, since it places every user into privilege level 1 by default. Privileged users can then enter privileged mode by using the enable command.
Now let’s see how we can change this behavior and make the ASA place users into privilege 15 as soon as they SSH to it. To do so, we will use the following command:
What this command actually does is authorize users with privilege level 2 or higher to be placed into privileged EXEC mode after they have successfully authenticated.
Now let’s configure that command and test again:
As we can see, both users test2 and test15 have been placed directly into privileged EXEC mode. However, user test1, which was created with privilege level 1, has been placed into user EXEC mode and assigned privilege level 1.
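The whole procedure as one ASA configuration sketch. This is an added example, not the configuration from the original post: the usernames come from the text, while the passwords are placeholders and the ASA is assumed to already accept SSH from the management station and to run a release that supports the auto-enable keyword.

```text
! Added example. Replace the <placeholder> values before use.

! Step 1: three local users with different privilege levels
username test1  password <placeholder-password-1> privilege 1
username test2  password <placeholder-password-2> privilege 2
username test15 password <placeholder-password-3> privilege 15

! Step 2: authenticate SSH sessions against the local user database
aaa authentication ssh console LOCAL

! Step 3: authorize the EXEC session from the local database and place
! users with sufficient privilege directly into privileged EXEC mode,
! without a separate enable step
aaa authorization exec LOCAL auto-enable

! Step 4: verify from within each user's own SSH session
show curpriv
! Per the text above: test1 stays in user EXEC mode at level 1, while
! test2 and test15 land directly in privileged EXEC mode.

! To audit which accounts are affected, list the local users and
! their configured privilege levels
show running-config username
```

With auto-enable on, the enable password no longer separates login from privileged access, so the privilege value on each local username is the only control; review those values before turning the feature on.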
Thanks for reading!