
ASA Privilege Level 15

On Cisco IOS devices, we can set privilege level 15 on the VTY lines so that users enter privilege level 15 as soon as they connect to the device. The commands we used on the IOS devices are not applicable to the ASA code. However, on the ASA we can use a different command that gives a similar result. This command is part of the aaa configuration on the ASA.

Let’s create three usernames on the ASA: one with privilege 1, another with privilege 2 and the last one with privilege 15. Once we have created the users, we will SSH into the ASA and verify each one’s privilege level.

ASA-001/pri/act# conf t
ASA-001/pri/act(config)# username test1 password testword privilege 1
ASA-001/pri/act(config)# username test2 password testword privilege 2
ASA-001/pri/act(config)# username test15 password testword privilege 15

Now we will SSH into the ASA with each user and we will verify their privilege levels:

ASA-001/pri/act> sh curpriv
Username : test1
Current privilege level : 1
Current Mode/s : P_UNPR
ASA-001/pri/act>

ASA-001/pri/act> sh curpriv
Username : test2
Current privilege level : 1
Current Mode/s : P_UNPR
ASA-001/pri/act>

ASA-001/pri/act> sh curpriv
Username : test15
Current privilege level : 1
Current Mode/s : P_UNPR
ASA-001/pri/act>

As we can see, all of them are assigned privilege 1, including the username test15, which was configured with privilege 15. This behavior is expected on the ASA, which places every user into privilege level 1 by default. Privileged users can then enter privileged mode with the enable command.

Now let’s see how we can change this behavior and make the ASA place the users into privilege 15 as soon as they SSH to it. To do so, we will use the following command:

aaa authorization exec LOCAL auto-enable

What this command actually does is authorize users with a privilege level of 2 or higher to be placed directly into privileged exec mode after they have successfully authenticated, as the test2 and test15 sessions below show.

Now let’s configure that command and test again:

ASA-001/pri/act(config)# aaa authorization exec LOCAL auto-enable

ASA-001/pri/act> sh curpriv
Username : test1
Current privilege level : 1
Current Mode/s : P_UNPR
ASA-001/pri/act>

ASA-001/pri/act# sh curpriv
Username : test2
Current privilege level : 2
Current Mode/s : P_PRIV
ASA-001/pri/act#
ASA-001/pri/act# conf t
ASA-001/pri/act(config)#

ASA-001/pri/act# sh curpriv
Username : test15
Current privilege level : 15
Current Mode/s : P_PRIV
ASA-001/pri/act#

As we can see, both test2 and test15 have been placed directly into privileged exec mode. However, user test1, which was created with privilege level 1, has been placed into user exec mode at privilege level 1.
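The behavior demonstrated above, turned into a small config-review helper (an added example, not code from the original post): it parses the username and aaa lines of a running-config excerpt and predicts the privilege level and mode each local account lands in right after SSH login, so a reviewer can see which accounts bypass the enable step once auto-enable is on. The sample config is constructed; the default privilege of 2 for a username without an explicit privilege keyword is the ASA's documented default and is assumed here.

```python
import re
from typing import Dict, List, Tuple

# Constructed running-config excerpt mirroring the post's three test users.
SAMPLE_CONFIG = """
username test1 password testword privilege 1
username test2 password testword privilege 2
username test15 password testword privilege 15
aaa authorization exec LOCAL auto-enable
"""

# username NAME password PW [encrypted] [privilege N]  |  username NAME nopassword [privilege N]
USERNAME_RE = re.compile(
    r"^\s*username\s+(\S+)\s+(?:password\s+\S+(?:\s+encrypted)?|nopassword)"
    r"(?:\s+privilege\s+(\d+))?",
    re.M,
)
AUTO_ENABLE_RE = re.compile(r"^\s*aaa authorization exec LOCAL auto-enable\s*$", re.M)


def predict_login_state(config: str) -> Dict[str, Tuple[int, str]]:
    """Predict (privilege level, mode) per local user immediately after SSH login.

    Without auto-enable every user starts at level 1 in P_UNPR; with
    'aaa authorization exec LOCAL auto-enable' users at privilege 2 or higher
    are dropped straight into P_PRIV at their configured level.
    """
    auto_enable = AUTO_ENABLE_RE.search(config) is not None
    state: Dict[str, Tuple[int, str]] = {}
    for m in USERNAME_RE.finditer(config):
        name = m.group(1)
        priv = int(m.group(2)) if m.group(2) else 2  # assumed ASA default
        if auto_enable and priv >= 2:
            state[name] = (priv, "P_PRIV")
        else:
            state[name] = (1, "P_UNPR")
    return state


def audit_auto_enable(config: str) -> List[str]:
    """Return one finding per account that reaches privileged EXEC without 'enable'."""
    findings = []
    for name, (priv, mode) in sorted(predict_login_state(config).items()):
        if mode == "P_PRIV":
            findings.append(f"{name}: lands in privileged EXEC (level {priv}) without 'enable'")
    return findings


if __name__ == "__main__":
    for line in audit_auto_enable(SAMPLE_CONFIG):
        print(line)
```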

Thanks for reading!

Posted in ASA, Blog, Security, Tips & Tricks
