ACS privilege level needed for ASDM view-only access?

Jun 9th, 2009

I need to allow access to the ASDM for the ASA firewall but wanted to restrict the access level these users would have when connected. We're authenticating through the ACS server, rather than locally on the device. This ASDM access would be mainly to view the traffic on the firewalls, but not be allowed to make any changes.

Thanks in advance.

Pravin Phadte Wed, 06/10/2009 - 02:18

You need to create a group user on ACS with read only to do this.

ttrevino1 Wed, 06/10/2009 - 05:29

Thanks for the advice. I did go into ACS and set up a "read-only" type group under the group setup menu; however, when I open ASDM with this user's credentials, he still has full access. I've listed what I changed below; do you see something I did wrong?

Under Enable Options, I selected Max Priv level 0.

Under Tacacs+ Settings, I selected Shell (exec) and priv level 0, and PIX Shell (pixshell) is also selected.

Everything else was left at the default. Then I added this updated group to this user's ID, and selected user group settings.

Thanks again, Tony

Pravin Phadte Thu, 06/11/2009 - 01:51

Have you configured the ASA with the settings below for ASDM?

aaa authentication http console TACACS LOCAL

aaa authorization command TACACS LOCAL

aaa accounting command TACACS

aaa authentication secure-http-client

ttrevino1 Thu, 06/11/2009 - 04:24

Yup, it's in all the firewalls I'm trying to allow access to.

aaa-server tacacs+ protocol tacacs+

aaa authentication enable console tacacs+ LOCAL

aaa authentication telnet console tacacs+ LOCAL

aaa authentication ssh console tacacs+ LOCAL

aaa authentication http console tacacs+ LOCAL

aaa authorization command LOCAL
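An added checker, not posted by anyone in this thread, that reads ASA `aaa` lines and reports, for the three statements Pravin listed (http console authentication, command authorization, command accounting), whether each one hands the decision to an AAA server group or stays LOCAL on the box. Run over the lines ttrevino1 posted (embedded below as a constructed sample), it flags command authorization as LOCAL only and command accounting as missing, which is exactly where that config differs from Pravin's list.

```python
import re

# The three ASA statements from Pravin's post, keyed by the text after "aaa".
ASDM_AAA_STATEMENTS = (
    "authentication http console",
    "authorization command",
    "accounting command",
)

# Matches "aaa authentication <proto> console <methods>", "aaa authorization command <methods>",
# and "aaa accounting command <methods>"; other aaa lines are ignored.
_AAA_RE = re.compile(
    r"^aaa\s+(authentication\s+\S+\s+console|authorization\s+command|accounting\s+command)\s+(.+)$",
    re.IGNORECASE,
)

def parse_aaa(config: str) -> dict:
    """Map each matching 'aaa ...' statement to its method list, e.g. ['tacacs+', 'LOCAL']."""
    stmts = {}
    for raw in config.splitlines():
        m = _AAA_RE.match(raw.strip())
        if m:
            key = " ".join(m.group(1).lower().split())
            stmts[key] = m.group(2).split()
    return stmts

def audit_asdm_aaa(config: str) -> dict:
    """Classify each of the three statements: 'server-group' if the first method is an
    AAA server group (e.g. tacacs+), 'local-only' if the first method is LOCAL, or 'missing'."""
    stmts = parse_aaa(config)
    findings = {}
    for key in ASDM_AAA_STATEMENTS:
        methods = stmts.get(key)
        if not methods:
            findings[key] = "missing"
        elif methods[0].upper() == "LOCAL":
            findings[key] = "local-only"
        else:
            findings[key] = "server-group"
    return findings

# Constructed sample: the lines ttrevino1 posted above.
POSTED_CONFIG = """
aaa-server tacacs+ protocol tacacs+
aaa authentication enable console tacacs+ LOCAL
aaa authentication telnet console tacacs+ LOCAL
aaa authentication ssh console tacacs+ LOCAL
aaa authentication http console tacacs+ LOCAL
aaa authorization command LOCAL
"""

if __name__ == "__main__":
    for stmt, verdict in audit_asdm_aaa(POSTED_CONFIG).items():
        print(f"aaa {stmt}: {verdict}")
```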

ivanbarkic Mon, 08/24/2009 - 11:29

What about NAR? I tried with Per Group Defined NAR, IP based restriction:

denied calling/point of access locations, and I specified the AAA client, port 443 and the IP address of the ASA to deny ASDM access? I use ACS 4.2.

Is it possible that way? I want one specific group to have priv lev 5 on the CLI and NO access to ASDM.
