ASA Read only User

Answered Question
Jan 14th, 2009

Hello Everyone,

Can someone tell me the command for creating a user on an ASA 5500 running 7.2(3) that can only view the config but not make any changes?

Thanks in advance! All replies rated

Correct Answer by JORGE RODRIGUEZ about 7 years 10 months ago

Ok, you must be missing this statement; try with that user after you enter this in the ASA and let me know.

aaa authorization command LOCAL

Additional reference for aaa authorization command

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1537175

Regards

JORGE RODRIGUEZ Wed, 01/14/2009 - 21:15

You can use privilege level 5. This will allow enable mode, but it will not give config t access, nor clear xlates or any clear commands; it can, however, issue show and its subcommands, including show run. The same applies when using ASDM.

Create the user in the ASA local database:

asa(config)# username <name> password <password> privilege 5

Enable AAA to use the ASA local user database:

asa(config)# aaa authentication telnet console LOCAL

asa> en

Password: *******

asa#config t

^

ERROR: % Invalid input detected at '^' marker.

ERROR: Command authorization failed

asa#clear xlate

ERROR: % Invalid input detected at '^' marker.

ERROR: Command authorization failed

asa#

Regards
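The pieces from the accepted answer and the post above, put together as one configuration. This is an added example, not a config posted in the thread; the username, password and SSH source network are placeholders.

```cisco
! Added example (not from the thread): a read-only management user on an ASA.
! Username, password and the SSH source network below are placeholders.

! 1. Local user at privilege 5, below the level of configure mode and the
!    clear commands.
username readonly password ChangeMe123 privilege 5

! 2. Authenticate management sessions against the local database. The user in
!    the thread came in over SSH, so the ssh line is the one that matters there.
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
! Assumed addition (not shown in the thread): make "enable" check the user's
! own password so the session lands at the user's privilege level instead of
! level 15 via the shared enable password.
aaa authentication enable console LOCAL

! 3. The statement the original poster was missing. Without it the ASA
!    authenticates the user but never checks command privilege levels, so a
!    level-5 user still reaches "configure terminal".
aaa authorization command LOCAL

! 4. Grant show commands to level 5 one at a time (the form used in goulin's
!    post); the thread shows no wildcard equivalent of "show *".
privilege show level 5 mode exec command running-config
privilege show level 5 mode exec command log
privilege show level 5 mode exec command version

! Permit SSH from the management network only (placeholder addresses).
ssh 192.0.2.0 255.255.255.0 inside
```

After logging in as the user, `show curpriv` reports the effective privilege level, and `configure terminal` should fail with "Command authorization failed" as in the session above.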

angel-moon Mon, 01/19/2009 - 15:21

Thanks. I am not sure if access by SSH makes a difference, but the user is using SSH, and SSH is configured to authenticate to the local database, but the user can still get to config t. I am running 7.2 if that makes a difference.

angel-moon Tue, 01/20/2009 - 12:21

Hello,

Yes, I do have the above listed statement and have defined the privilege level as the first post said.

Thanks!

angel-moon Tue, 01/20/2009 - 12:51

That was it. Thanks! Just to make sure: this ASA is also authenticating users for VPN connections by pointing to the domain. This should not impact those users, correct?

Thanks so much!!

JORGE RODRIGUEZ Tue, 01/20/2009 - 13:49

Angel, it should not impact any VPN-related authentication; this only pertains to authorization for managing the ASA appliance.

Glad it is resolved and thank you for rating.

regards

goulin Mon, 09/17/2012 - 21:45

Hi,

I just stumbled onto this post. I was wondering if there was a generic command to allow access to all show commands, instead of having to specify them individually:

e.g. at the moment I have a level 5 user who I want to have access to all show commands, but not configuration mode, and I have to specify each command manually:

privilege show level 5 mode exec command running-config

privilege show level 5 mode exec command log

Is there an equivalent of show * that I can add?

Thanks
