How to create ASA ASDM read only account?

Unanswered Question
Jul 20th, 2007

I tried creating a privilege 0 account for a client for read-only access to their ASA firewalls. For the CLI login, it won't matter cause they don't know the enable password, so that keeps them from making changes. But for the ASDM login, I was able to login with the privilege 0 account and make changes to the device (adding users).

I searched cisco.com and of course I found nothing good.

Should I create some 'privilege level 0' commands? I looked at that command and I didn't see anything to specify ASDM read only.

Any comments appreciated ,

Chris Serafin

Security Engineer

[email protected]

I have this problem too.
0 votes
  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 5 (1 ratings)
Loading.
Premdeep Banga Sat, 07/21/2007 - 11:42

Hi,

Yes you can bring show commands to a level say 3,

and the users with privilege level 3 should only have access to that level commands only.

But for management purpose, I would suggest not to change the level of command on device.

Rather use the command authorization feature on PIX/ASA, and make use of ACS(TACACS+),

http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mgaccess.html#wp1042034

In above link you have information about both local and TACACS+ command authorization.

Regards,

Prem

Actions

This Discussion