ASDM Authentication

Unanswered Question
Jun 11th, 2007

I currently have an ACS Appliance performing tacacs authentication for my network devices. I have a few user groups in there to assign access to certain devices and at certain priviledge levels. One of the groups allows the user to authenticate to any network device, but only with a max priviledge level of 1.

When these users log into my ASA's, they are unable to go into enable mode, which is good. But when they log into the ASA via ASDM, they can perform changes and write them to flash.

The ASDM reports they are logged in at priviledge level 15.

Has anyone else noticed a similar issue? If so, where you able to mitigate it?

Thanks.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 0 (0 ratings)
Loading.
d-rathman Thu, 06/21/2007 - 12:30

As long as the ASA is set to authorize all commands, create a command authorization set in ACS. In the command authorization set, permit ?show? and ?write? (and permit unmatched arguments) and deny all other unmatched commands. You then need to apply the command authorization set to the user, or if the user access devices besides the ASA, you may may to limit the devices the command authorization set is applied to for the user. To limit it, create a network device group for the ASAs and then assign the shell command authorization set on a per network device group basis for the user. With this setup, even if a user has priv 15, the command set will limit the commands they can use at prvi 15.

Fernando_Meza Thu, 06/21/2007 - 17:26

Hi .. can you check you have also AAA configured for accessing the ASA by https.

aaa authentication http console group-tag

Actions

This Discussion