Privilege levels and ASDM requirements for read-only access

Unanswered Question
Jun 17th, 2008

Hi All,


ASA running 7.2(2) and ASDM 5.2(2)


We have a need to have restricted access to an ASA for certain staff so that they would essentially only have read access to the firewall.


When they log in with their account on the initial screen it goes through fine. However, when the applet appears with the dashboard it is just continuous prompts for authentication.


Obviously this isn't a username/password issue, and I believe it is the privilege level assigned to them (and certain commands). Also, when using our privilege 15 account it is all fine, so this isn't a Java version issue or anything like that.


What are the required commands to allow READ-only access to the ASDM? I tried searching through some documentation but haven't been able to find anything yet...


Thanks

Jagdeep Gambhir Tue, 06/17/2008 - 06:52

To set up command authorization for ASDM to a TACACS server, there is a set of commands that are required in order to give read-only access for ASDM. For a user that has read-only privilege, you need to ensure that they are allowed to execute this set of commands.


In order to see what commands these are, there is a feature which actually moves a series of commands to Read Only privilege 5 ASDM access, as well as a series of commands to Monitor Only privilege 3 ASDM access. Currently, logged in with a user of privilege 15, navigate to Configuration > Device Administration > AAA Access > Authorization.


There is a button "Predefined User Account Privilege". If you select this and apply it, it will show a series of commands that would be lowered to allow Read Only or Monitor Only privilege. Read Only users would need all commands that are to be set at privilege 5 or lower in order to work effectively.



Regards,

~JG


Do rate helpful posts
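A way to check JG's point (and the cause he confirms again in his second reply) that commands moved to other privilege levels are what blocks a privilege-5 ASDM user: the added script below is an example written for this page, not code from the thread or from Cisco. It parses the one-line `privilege {show|clear|cmd} level N mode M command C` form as it appears in `show running-config all privilege all` output (that field order is my assumption from the ASA `privilege` command syntax), lists every command above the read-only user's level, and emits the `privilege` lines that would bring them down to that level. The sample dump is constructed, not taken from the poster's ASA; it includes two commands bumped to level 6 to mirror the situation in the thread.

```python
"""Audit ASA local command-privilege levels against an ASDM read-only user.

Added example for this page, not code from the forum thread or from Cisco.
Assumes the one-line `privilege` form emitted by
`show running-config all privilege all` and that local command
authorization (`aaa authorization command LOCAL`) is what enforces it.
"""
import re

# Constructed sample of `show running-config all privilege all` output.
# Two entries sit at level 6, above the read-only user's level 5, which is
# the situation described in the thread.
SAMPLE_PRIVILEGE_DUMP = """\
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege show level 3 mode exec command interface
privilege show level 5 mode exec command running-config
privilege show level 6 mode exec command access-list
privilege cmd level 6 mode configure command logging
privilege show level 15 mode exec command aaa
"""

# privilege {show|clear|cmd} level N mode {exec|configure|...} command NAME
PRIV_RE = re.compile(
    r"^privilege\s+(?P<kind>show|clear|cmd)\s+level\s+(?P<level>\d+)"
    r"\s+mode\s+(?P<mode>\S+)\s+command\s+(?P<command>\S+)\s*$"
)


def parse_privilege_lines(text):
    """Return one dict per well-formed `privilege` line.

    Anything that does not match (prompt echo, banner text) is skipped.
    """
    entries = []
    for line in text.splitlines():
        m = PRIV_RE.match(line.strip())
        if not m:
            continue
        entries.append({
            "kind": m.group("kind"),
            "level": int(m.group("level")),
            "mode": m.group("mode"),
            "command": m.group("command"),
        })
    return entries


def commands_above_level(entries, user_level):
    """Entries a user at user_level cannot run: the command level is higher."""
    return [e for e in entries if e["level"] > user_level]


def lowering_commands(entries, target_level, ceiling=15):
    """Build `privilege` lines that lower each blocked command to target_level.

    Commands already at `ceiling` (15) are deliberately left alone: those are
    the administrative commands a read-only user should not be given.
    """
    return [
        f"privilege {e['kind']} level {target_level} "
        f"mode {e['mode']} command {e['command']}"
        for e in commands_above_level(entries, target_level)
        if e["level"] < ceiling
    ]


if __name__ == "__main__":
    entries = parse_privilege_lines(SAMPLE_PRIVILEGE_DUMP)
    for e in commands_above_level(entries, 5):
        print(f"blocked for level 5: {e['kind']} {e['command']} (level {e['level']})")
    print("suggested fixes:")
    for line in lowering_commands(entries, 5):
        print("  " + line)
```

Feed it the real output of `show running-config all privilege all` instead of the constructed sample and compare the result with the list ASDM shows under "Predefined User Account Privilege". Two caveats: a lowered command is lowered for the CLI as well as for ASDM, so a level-5 user gets it over SSH or the console too; and `show running-config` at level 5 means the read-only user can read the whole configuration, including any credentials and keys in it, so treat that account as sensitive.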

cameron.moody Tue, 06/17/2008 - 15:44
Hi JG,


Thanks however when I make the username priv 5 the same thing happens. I suspect that this is because we have changed certain commands to various privilege levels (6 for example).


Also this is just local AAA, not going to a TACACS server.


That is why it is the actual required commands that I am after, or any other suggestions as to what may be causing the problem.


We have confirmed it is not the computer itself (browser, Java, etc.) by logging in with a priv 15 account.

Jagdeep Gambhir Wed, 06/18/2008 - 05:37

Yes, this could be due to the fact you have changed the privilege level of commands.



Regards,

~JG


Do rate helpful posts
