ASDM Read-Only access configuration in ACS 4.2

Unanswered Question
Sep 24th, 2009

Is it possible to configure read-only access to an ASA firewall in ACS 4.2, particularly for ASDM?

Read-only is working fine for the SSH protocol. But the customer requests read-only access through ASDM.

Please suggest a solution with detailed steps.

Many thanks!!

jagadeeshan.s Thu, 09/24/2009 - 02:03

Hi BR,

Our configuration is exactly as explained in the provided link. It works fine for the SSH protocol (managing the ASA firewall) but doesn't work with ASDM.

It keeps asking for the username & password.


Bela Mareczky Thu, 09/24/2009 - 03:17


The ASDM cannot access the ASA using the required commands, so I think the Cisco ACS command authorization rules are misconfigured.

Please check that the Cisco ACS permits the following commands:

show version
show curpriv
perfmon interval 10
show asdm sessions
show firewall
show mode
show running-config aaa authorization
show running-config
show running-config
show running-config route
show running-config interface
show resource rule
show blocks
show curpriv
show vlan
show running-config aaa authorization
show curpriv
show access-list brief
show access-list

Check that the ASA AAA configuration contains the "aaa authorization command [aaa server name] LOCAL" line.

You don't need to allow enable and shell exec privilege for this restricted ACS group.

Hope this helps!


Jatin Katyal (Cisco Employee) Thu, 09/24/2009 - 04:32

Hi Jags,

I did recreate the same scenario a few weeks back in my lab and this is what I found.

Following are the minimum commands that need to be permitted for a read-only account for ASA 8.0(4) and ASDM 6.1.x.

On the ASA:

aaa authorization command TACACS+ LOCAL
aaa accounting command TACACS+ (optional)

On the ACS:

Go to Shared Profile Components >> Shell Command Authorization Sets > Add New > for read-only access.

Check the radio button to deny all.

Command ---- Argument
copy ---- Permit all unmatched arguments
dir ---- Permit disk0:/dap.xml
enable ---- Permit
perfmon ---- Permit interval 10
show ---- Permit all unmatched arguments
write ---- Permit net

Now go to the group and jump to TACACS+ settings:

Shell (exec) ...... priv level 15
Enable access ..... priv level 15

and apply the shell set.

ACS Shell Command Authorization Sets on IOS and ASA/PIX/FWSM Configuration Example
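As an added illustration (not part of this thread, and not Cisco's ACS or ASA code), the Python below models how a shell command authorization set like the one in the reply above decides whether a command line is permitted, and checks the ASDM startup commands listed earlier in the thread against it. The matching rule used here (command word looked up in the set, an explicit argument line matching only when it equals the whole argument string, a bare listed command permitted, everything else falling to the per-command and set-wide defaults) is a simplifying assumption, not ACS's documented matching behaviour.

```python
"""Model of an ACS 4.x shell command authorization set (added illustration).

Not Cisco's ACS or ASA code.  Assumed (simplified) semantics: the command
word is looked up in the set; an explicit 'Permit <argument>' line matches
when it equals the argument string; otherwise the command's 'Permit all
unmatched arguments' switch decides; commands absent from the set fall to the
set-wide default, which the 'deny all' radio button sets to deny.
"""
from __future__ import annotations

from dataclasses import dataclass, field


@dataclass
class CommandRule:
    """Argument rules for one command listed in the set."""
    permitted_args: tuple[str, ...] = ()   # explicit 'Permit <argument>' lines
    permit_unmatched_args: bool = False    # 'Permit all unmatched arguments'


@dataclass
class ShellCommandSet:
    """Per-command rules plus the set-wide default for unmatched commands."""
    rules: dict[str, CommandRule] = field(default_factory=dict)
    permit_unmatched_commands: bool = False   # 'deny all' radio button => False

    def authorize(self, line: str) -> bool:
        """Return True if this set would permit the given command line."""
        words = line.split()
        if not words:
            return False
        cmd, args = words[0].lower(), " ".join(words[1:])
        rule = self.rules.get(cmd)
        if rule is None:
            return self.permit_unmatched_commands
        if not args:
            # Assumption: a listed command typed with no arguments is permitted.
            return True
        if args in rule.permitted_args:
            return True
        return rule.permit_unmatched_args


# The read-only set from the reply above (commands and arguments as posted).
READ_ONLY_SET = ShellCommandSet(
    rules={
        "copy": CommandRule(permit_unmatched_args=True),
        "dir": CommandRule(permitted_args=("disk0:/dap.xml",)),
        "enable": CommandRule(),
        "perfmon": CommandRule(permitted_args=("interval 10",)),
        "show": CommandRule(permit_unmatched_args=True),
        "write": CommandRule(permitted_args=("net",)),
    },
    permit_unmatched_commands=False,
)

# Commands ASDM issues on connect, taken from the earlier reply in this thread.
ASDM_STARTUP_COMMANDS = [
    "show version", "show curpriv", "perfmon interval 10", "show asdm sessions",
    "show firewall", "show mode", "show running-config aaa authorization",
    "show running-config", "show running-config route",
    "show running-config interface", "show resource rule", "show blocks",
    "show vlan", "show access-list brief", "show access-list",
]


def denied_commands(cmd_set: ShellCommandSet, commands: list[str]) -> list[str]:
    """Return the commands in `commands` that the set would reject."""
    return [c for c in commands if not cmd_set.authorize(c)]


if __name__ == "__main__":
    print("ASDM startup commands denied:",
          denied_commands(READ_ONLY_SET, ASDM_STARTUP_COMMANDS))
    for line in ("configure terminal", "write memory", "write net", "dir disk0:/"):
        verdict = "permit" if READ_ONLY_SET.authorize(line) else "deny"
        print(f"{line!r}: {verdict}")
```

Running the module reports that none of the listed ASDM startup commands are denied by this set, while configuration commands such as `configure terminal` or `write memory` fall to the deny-all default. Any command a newer ASDM release adds to its startup sequence would be rejected the same way, which is the kind of mismatch that shows up as the repeated credential prompt described at the top of the thread.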