AAA: ASDM read-only access

Unanswered Question
Aug 5th, 2009
User Badges:


I have ACS 4.2 Appliance which is integrated with Cisco ASA. I need to configure the users in ACS with read-only access to ASDM. Can anybody help me to know which commands are required in ASA and what parametrs are needs to configured in ACS?

Thanks in advance.

  • 1
  • 2
  • 3
  • 4
  • 5
Overall Rating: 2.9 (8 ratings)
Collin Clark Wed, 08/05/2009 - 06:57
User Badges:
  • Purple, 4500 points or more

I don't believe it can be done. ASDM is for configuration and can not be configured strictly for monitoring.

Jagdeep Gambhir Wed, 08/05/2009 - 07:18
User Badges:
  • Red, 2250 points or more


If you do not have command authorization in place on your ASA, then you can simply pass

down an exec authorization privilege of 1 to that user when they log into ASDM. This will

allow them to look through all of ASDM like any other user. But if they were to try to

write something to the configuration, then that would fail.

If you do have command authorization in place, or if you would like to have command

authorization, then there is actually a set of commands that are required in order to give read only access for ASDM which you would have to move to a lower privilege. Luckily, there is a feature in ASDM which will allow you to move a series of commands to Read Only privilege 5 ASDM access, as well as a series of commands to Monitor only privilege 3 ASDM access.

Currently, logging in with a user of privilege 15, navigate to Configuration > Device Administration > AAA Access > Authorization. There is a button "Predefined User Account Privilege". If you select this and apply this, it will set a series of commands to a lower privilege based on what ASDM needs to authorize that user for either Read Only or Monitor Only access.

Then you would need to create a new user account with privilege 5 access so that ASDM is read only, or create a new user with privilege 3 for monitor-only access.



Do rate helpful posts

sunil.aroraa Wed, 08/05/2009 - 07:38
User Badges:

Thanks JG for your prompt reply.

Right now I dont have authorization commnads on ASA but authentication is happening from ACS.

So in your 1st option:

How to pass privilege level 1 to read-only user which is authenticating from ACS?

And in 2nd option:

I have configured read-only users with privilege 15 due to if I keep the privilege less than 15 then user is unable to login in privilge mode (for command show run etc. in routers)

In this option if user get the privilege level 5 or 3 from ACS then it is very much easy.

Thank You,


Jatin Katyal Tue, 06/08/2010 - 15:17
User Badges:
  • Cisco Employee,


This can be done with or without ACS. I think with ACS it would be more reliable and centralized.

I recreated this in our lab few months ago with ACS server

Following are minimum commands that need to be permitted for a read only account for ASA 8.0(4) and ASDM 6.1.x

ACS configuration:

Go to shared profile component > shell command authorization > Edit/add the authorization set and make sure we have these command and respective argument available there.

Command               Argument

copy                  Permit all unmatched arguments
dir                     Permit disk0:/dap.xml
enable              Permit
Perfmon           Permit interval 10
show                 Permit all unmatched arguments
write                 Permit net
exit                   Permit all

These commands are required on ASA/PIX/FWSM in order to implement command authorization through an ACS server:

    aaa-server authserver protocol tacacs+
    aaa-server authserver host x.x.x.x
    aaa authorization command authserver

With above seetings, you can use privilege 15 on the ACS. It will only allow user to run show commands. user won't be able to make any changes.

In case it doesn't work, please run the

debug tacacs

debug authorization



Do rate helpful posts-

jimmyc_2 Tue, 06/08/2010 - 11:50
User Badges:

Hi Jagdeep,

This doesn't seem to work in ASDM 6.2(1), at least as far as setting up a level 3 or 5.  They both seem to have enable privileges.

I'm looking to avoid using AAA, we've been burned in the past.



jimmyc_2 Wed, 06/09/2010 - 08:17
User Badges:

Hi Jagdeep,

I found a very important step that I was missing, to wit:

Step 7 In the Access Restriction area, set the management access level for a  user. You must first enable management authorization using the Perform authorization for exec shell access option on the  Configuration > Device Management > Users/AAA > AAA Access >  Authorization tab.

the link was

It was kinda implied that level 5 was read-only, but you must configure it, as per above.

jimmyc_2 Wed, 06/09/2010 - 08:30
User Badges:

Hi colin,

It took a bit, but you can do it without AAA.  see my recent posts.   regards,   jimmyc

Jatin Katyal Wed, 06/09/2010 - 08:33
User Badges:
  • Cisco Employee,

Yes, you can do but for that you have to define almost all commands on the ASA with their privilege level. Suits those who doesn't have ACS.

Keep posting.



This Discussion