06-09-2009 11:33 AM - edited 03-11-2019 08:41 AM
I need to allow access to the ASDM for the ASA firewall but wanted to restrict the access level these users would have when connected. We're authenticating through the ACS server, rather than locally on the device. This ASDM access would be mainly to view the traffic on the firewalls, but not be allowed to make any changes.
Thanks in advance.
06-10-2009 02:18 AM
You need to create a group user on ACS with read only to do this.
06-10-2009 05:29 AM
Thanks for the advice. I did go into ACS and set up a "read-only" type group under the group setup menu; however, when I open ASDM with this user's credentials, he still has full access. I've listed what I changed below; do you see something I did wrong?
Under Enable Options, I selected Max Priv level 0.
Under Tacacs+ Settings, I selected Shell (exec) and priv level 0, and PIX Shell (pixshell) is also selected.
Everything else was left at the default. Then I added this updated group to this user's ID, and selected user group settings.
Thanks again, Tony
06-11-2009 01:51 AM
Have you configured the ASA with the below settings for ASDM?
aaa authentication http console TACACS LOCAL
aaa authorization command TACACS LOCAL
aaa accounting command TACACS
aaa authentication secure-http-client
06-11-2009 04:24 AM
Yup, it's in all the firewalls I'm trying to allow access to.
aaa-server tacacs+ protocol tacacs+
aaa authentication enable console tacacs+ LOCAL
aaa authentication telnet console tacacs+ LOCAL
aaa authentication ssh console tacacs+ LOCAL
aaa authentication http console tacacs+ LOCAL
aaa authorization command LOCAL
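For reference, here is an added example (not from any of the posters) of an ASA configuration in which command and exec authorization are sent to the TACACS+ group, so the privilege level returned by ACS is actually applied to ASDM sessions. The server-group name, interface, server IP, key and management subnet are assumptions; on the ACS side it assumes the read-only group returns a Shell (exec) privilege level below 15 and permits the show commands that ASDM issues.

```cisco
! Added example configuration; names and addresses are placeholders.
! TACACS+ server group used for management AAA (name assumed).
aaa-server TACACS protocol tacacs+
aaa-server TACACS (inside) host 192.0.2.10
 key <shared-secret-placeholder>
 timeout 5

! Authenticate all management paths against ACS, falling back to LOCAL
! only if the TACACS+ servers are unreachable.
aaa authentication http console TACACS LOCAL
aaa authentication ssh console TACACS LOCAL
aaa authentication enable console TACACS LOCAL
aaa authentication secure-http-client

! Send command authorization to ACS (not LOCAL only) so each command
! ASDM issues is checked against the group's authorization set.
aaa authorization command TACACS LOCAL

! Apply the privilege level ACS returns in the Shell (exec) attribute;
! users below level 15 do not get full configuration access in ASDM.
aaa authorization exec authentication-server

! Record the commands users run for later review.
aaa accounting command TACACS

! Allow ASDM only from the management subnet (subnet assumed).
http server enable
http 10.0.0.0 255.255.255.0 inside

! Local fallback administrator used only when TACACS+ is down.
username admin password <local-password-placeholder> privilege 15
```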
08-24-2009 11:29 AM
What about NAR? I tried with Per Group Defined NAR, IP based restriction:
denied calling/point of access locations, and I specified the AAA client, port 443 and the IP address of the ASA to deny ASDM access. I use ACS 4.2.
Is it possible like that? I want one specific group to have priv lev 5 on the CLI and NO access to ASDM.