How to create ASA ASDM read only account?

Jul 20th, 2007
I tried creating a privilege 0 account for a client for read-only access to their ASA firewalls. For the CLI login, it won't matter because they don't know the enable password, so that keeps them from making changes. But for the ASDM login, I was able to log in with the privilege 0 account and make changes to the device (adding users).


I searched cisco.com and of course I found nothing good.


Should I create some 'privilege level 0' commands? I looked at that command and I didn't see anything to specify ASDM read only.


Any comments appreciated,


Chris Serafin

Security Engineer

[email protected]


Premdeep Banga Sat, 07/21/2007 - 11:42

Hi,


Yes, you can bring show commands down to a level, say 3,


and the users with privilege level 3 should then only have access to that level's commands.


But for management purposes, I would suggest not changing the level of commands on the device.


Rather, use the command authorization feature on PIX/ASA and make use of ACS (TACACS+):


http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mgaccess.html#wp1042034


In the above link you have information about both local and TACACS+ command authorization.


Regards,

Prem
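Putting Prem's first suggestion (lower some show commands to level 3, then enforce the levels with command authorization) into concrete form, here is an added example ASA 7.x configuration. It is not from the original thread, from Cisco's documentation, or from any device in the question; the username `readonly`, the password placeholder and the particular set of show commands are assumptions chosen for illustration. The key line is `aaa authorization command LOCAL`: without command authorization the ASA does not check privilege levels at all, which is why the privilege 0 account in the question could still add users through ASDM.

```cisco
! Added example (not from the thread): local read-only ASDM/CLI account on ASA 7.x
!
! 1. Make ASDM (HTTPS), SSH and enable all use the local user database,
!    so each login is bound to a username and its privilege level.
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
!
! 2. Lower a chosen set of show commands from their default level to level 3.
!    Configuration commands are left at their default level 15.
!    (Assumed set; pick the ones the read-only user actually needs.)
privilege show level 3 command running-config
privilege show level 3 command interface
privilege show level 3 command access-list
privilege show level 3 command conn
privilege show level 3 command xlate
privilege show level 3 command logging
!
! 3. The read-only account. <PASSWORD> is a placeholder.
username readonly password <PASSWORD> privilege 3
!
! 4. Enforce the privilege levels. Until this line is present the levels above
!    are informational only. Make sure a working privilege 15 username exists
!    BEFORE entering it, or you can lock yourself out of the device.
aaa authorization command LOCAL
```

Because ASDM sends ordinary CLI commands to the firewall over HTTPS, the same authorization decision applies there: the `readonly` user can run the level 3 show commands but is refused every configuration command. To verify, log in as `readonly`, confirm `show running-config` works and that a configuration change such as adding a username is rejected, and check the syslog for the authorization denial. Prem's preferred option, TACACS+ command authorization through ACS, keeps the same `privilege`/`username` layout on the box but replaces `LOCAL` in the `aaa authorization command` line with the TACACS+ server group, so the per-command policy lives on ACS rather than on each firewall.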
