Buy or Renew
Buy or Renew
Duo Security forums now LIVE! Get answers to all your Duo Security questions. Learn more
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 
cancel
Start a conversation
23761
Views
32
Helpful
9
Replies

AAA: ASDM read-only access

sunil.aroraa
Level 1
Level 1

‎08-05-2009 06:49 AM - edited ‎03-10-2019 04:37 PM

Hello,

I have ACS 4.2 Appliance which is integrated with Cisco ASA. I need to configure the users in ACS with read-only access to ASDM. Can anybody help me to know which commands are required in ASA and what parametrs are needs to configured in ACS?

Thanks in advance.

2 people had this problem
Labels:
0 Helpful
9 Replies 9

Collin Clark
VIP Alumni
VIP Alumni

‎08-05-2009 06:57 AM

I don't believe it can be done. ASDM is for configuration and can not be configured strictly for monitoring.

Jagdeep Gambhir
Level 10
Level 10
In response to Collin Clark

‎08-05-2009 07:18 AM

Sunil,

If you do not have command authorization in place on your ASA, then you can simply pass

down an exec authorization privilege of 1 to that user when they log into ASDM. This will

allow them to look through all of ASDM like any other user. But if they were to try to

write something to the configuration, then that would fail.

If you do have command authorization in place, or if you would like to have command

authorization, then there is actually a set of commands that are required in order to give read only access for ASDM which you would have to move to a lower privilege. Luckily, there is a feature in ASDM which will allow you to move a series of commands to Read Only privilege 5 ASDM access, as well as a series of commands to Monitor only privilege 3 ASDM access.

Currently, logging in with a user of privilege 15, navigate to Configuration > Device Administration > AAA Access > Authorization. There is a button "Predefined User Account Privilege". If you select this and apply this, it will set a series of commands to a lower privilege based on what ASDM needs to authorize that user for either Read Only or Monitor Only access.

Then you would need to create a new user account with privilege 5 access so that ASDM is read only, or create a new user with privilege 3 for monitor-only access.

Regards,

~JG

Do rate helpful posts

Collin Clark
VIP Alumni
VIP Alumni
In response to Jagdeep Gambhir

‎08-05-2009 07:21 AM

That's helpful info Jagdeep.

0 Helpful

sunil.aroraa
Level 1
Level 1
In response to Jagdeep Gambhir

‎08-05-2009 07:38 AM

Thanks JG for your prompt reply.

Right now I dont have authorization commnads on ASA but authentication is happening from ACS.

So in your 1st option:

How to pass privilege level 1 to read-only user which is authenticating from ACS?

And in 2nd option:

I have configured read-only users with privilege 15 due to if I keep the privilege less than 15 then user is unable to login in privilge mode (for command show run etc. in routers)

In this option if user get the privilege level 5 or 3 from ACS then it is very much easy.

Thank You,

Sunil

0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee
In response to sunil.aroraa

‎06-08-2010 03:17 PM

Sunil,


This can be done with or without ACS. I think with ACS it would be more reliable and centralized.


I recreated this in our lab few months ago with ACS server


Following are minimum commands that need to be permitted for a read only account for ASA 8.0(4) and ASDM 6.1.x

ACS configuration:

Go to shared profile component > shell command authorization > Edit/add the authorization set and make sure we have these command and respective argument available there.

Command               Argument

copy                  Permit all unmatched arguments
dir                     Permit disk0:/dap.xml
enable              Permit
Perfmon           Permit interval 10
show                 Permit all unmatched arguments
write                 Permit net
exit                   Permit all

These commands are required on ASA/PIX/FWSM in order to implement command authorization through an ACS server:

    aaa-server authserver protocol tacacs+
    aaa-server authserver host x.x.x.x
    aaa authorization command authserver


With above seetings, you can use privilege 15 on the ACS. It will only allow user to run show commands. user won't be able to make any changes.


In case it doesn't work, please run the


debug tacacs

debug authorization


HTH

JK


Do rate helpful posts-


~Jatin

jimmyc_2
Level 1
Level 1
In response to Jagdeep Gambhir

‎06-08-2010 11:50 AM

Hi Jagdeep,

This doesn't seem to work in ASDM 6.2(1), at least as far as setting up a level 3 or 5.  They both seem to have enable privileges.

I'm looking to avoid using AAA, we've been burned in the past.

Thanks.

Jimmyc

0 Helpful

jimmyc_2
Level 1
Level 1
In response to jimmyc_2

‎06-09-2010 08:17 AM

Hi Jagdeep,

I found a very important step that I was missing, to wit:

Step 7 In the Access Restriction area, set the management access level for a  user. You must first enable management authorization using the Perform authorization for exec shell access option on the  Configuration > Device Management > Users/AAA > AAA Access >  Authorization tab.

the link was http://www.cisco.com/en/US/docs/security/asdm/6_2/user/guide/mgt_acc.html#wp1581382

It was kinda implied that level 5 was read-only, but you must configure it, as per above.

0 Helpful

jimmyc_2
Level 1
Level 1
In response to Collin Clark

‎06-09-2010 08:30 AM

Hi colin,

It took a bit, but you can do it without AAA.  see my recent posts.   regards,   jimmyc

0 Helpful

Jatin Katyal
Cisco Employee
Cisco Employee
In response to jimmyc_2

‎06-09-2010 08:33 AM

Yes, you can do but for that you have to define almost all commands on the ASA with their privilege level. Suits those who doesn't have ACS.


Keep posting.


JK

~Jatin
0 Helpful
Getting Started

Find answers to your questions by entering keywords or phrases in the Search bar above. New here? Use these resources to familiarize yourself with the community:

Customers Also Viewed These Support Documents