Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
1163
Views
0
Helpful
5
Replies

ACS privilege level needed for ASDM view-only access?

ttrevino1
Level 1
Level 1

‎06-09-2009 11:33 AM - edited ‎03-11-2019 08:41 AM

I need to allow access to the ASDM for the ASA firewall but wanted to restrict the access level these users would have when connected. We're authenticating through the ACS server, rather than locally on the device. This ASDM access would be mainly to view the traffic on the firewalls, but not be allowed to make any changes.

Thanks in advance.

Labels:
0 Helpful
5 Replies 5

Pravin Phadte
Level 5
Level 5

‎06-10-2009 02:18 AM

You need to create a group user on ACS with read only to do this.

0 Helpful

ttrevino1
Level 1
Level 1
In response to Pravin Phadte

‎06-10-2009 05:29 AM

Thanks for the advice. I did go into ACS and set up a "read-only" type group under the group setup menu, however when I open ASDM with this users credentials, he still has full access. I've listed what I changed below, if you see something I did wrong?

Under Enable Options, I selected Max Priv level 0.

Under Tacacs+ Settings, I selected Shell (exec) and priv level 0, and PIX Shell (pixshell) is also selected.

Everything else was left at the default. Then I added this updated group to this users ID, and selected user group settings.

Thanks again, Tony

0 Helpful

Pravin Phadte
Level 5
Level 5
In response to ttrevino1

‎06-11-2009 01:51 AM

have you configued the asa with the below setting for asdm.

aaa authentication http console TACACS LOCAL

aaa authorization command TACACS LOCAL

aaa accounting command TACACS

aaa authentication secure-http-client

0 Helpful

ttrevino1
Level 1
Level 1
In response to Pravin Phadte

‎06-11-2009 04:24 AM

Yup, it's in all the firewalls I'm trying to allow access to.

aaa-server tacacs+ protocol tacacs+

aaa authentication enable console tacacs+ LOCAL

aaa authentication telnet console tacacs+ LOCAL

aaa authentication ssh console tacacs+ LOCAL

aaa authentication http console tacacs+ LOCAL

aaa authorization command LOCAL

0 Helpful

ivanbarkic
Level 1
Level 1
In response to Pravin Phadte

‎08-24-2009 11:29 AM

What about NAR? I tried with Per Group Defined NAR, IP based restriction:

denied calling/point of access locations and I specified AAA client, port 443 and IP address of ASA to denie ASDM access? I use ACS 4.2

Is it possible like that? I want for one specific group to have priv lev 5 on CLI and NO access to ASDM.

0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents
Review Cisco Networking products for a $25 gift card