ASDM Read-Only access configuration in ACS 4.2

Sep 24th, 2009

Hi,


Is it possible to configure read-only access to the ASA firewall in ACS 4.2, particularly for ASDM?

Read-only is working fine for the SSH protocol, but the customer requests read-only access through ASDM.


Please suggest a solution with detailed steps.


Many thanks!!


-Jags.



jagadeeshan.s Thu, 09/24/2009 - 02:03

Hi BR,


Our configuration is exactly like the one explained in the provided link. It works fine for the SSH protocol (managing the ASA firewall) but doesn't work with ASDM.

It keeps on asking the username & password.


-Jags.



Bela Mareczky Thu, 09/24/2009 - 03:17

Hi!


The ASDM cannot access the ASA using the required commands, so I think the Cisco ACS command authorization rules are misconfigured.


Please check that the Cisco ACS permits the following commands:


show version
show curpriv
perfmon interval 10
show asdm sessions
show firewall
show mode
show running-config aaa authorization
show running-config
show running-config
show running-config route
show running-config interface
show resource rule
show blocks
show curpriv
show vlan
show running-config aaa authorization
show curpriv
show access-list brief
show access-list



Check that the ASA AAA configuration contains the "aaa authorization command [aaa server name] LOCAL" line.


You don't need to allow enable and shell exec privilege for this restricted ACS group.


Hope this helps!


Belabacsi


Jatin Katyal Thu, 09/24/2009 - 04:32
Cisco Employee

Hi Jags,


I did recreate the same scenario a few weeks back in my lab, and this is what I found.


Following are the minimum commands that need to be permitted for a read-only account for ASA 8.0(4) and ASDM 6.1.x.


On the ASA
==========

aaa authorization command TACACS+ LOCAL
aaa accounting command TACACS+ (optional)



On the ACS
==========

Go to Shared Profile Components >> Shell Command Authorization Sets > Add New, and create a set for read-only access.

Check the radio button to deny all unmatched commands.


Command ---- Argument

copy ---- Permit all unmatched arguments
dir ---- Permit disk0:/dap.xml
enable ---- Permit
perfmon ---- Permit interval 10
show ---- Permit all unmatched arguments
write ---- Permit net


Now go to the group
===================

Jump to TACACS+ settings:

Shell (exec) ...... priv level 15
Enable access ..... priv level 15

and apply the shell set.


ACS Shell Command Authorization Sets on IOS and ASA/PIX/FWSM Configuration Example

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml


HTH


Regards,

JK
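To sanity-check a set like the one above before pushing it to ACS, here is a small Python model of the command authorization decisions, added as an example for this thread (it is not part of the original replies or of ACS itself). It assumes each argument line is a regular expression matched from the start of the argument string, a simplification of ACS 4.2 behaviour, and runs the login-time commands listed in the earlier reply through the read-only set, alongside a few configuration changes that must stay denied.

```python
import re
from dataclasses import dataclass, field
# Assumption: each argument line is a regex matched from the start of the
# argument string (a simplification of how ACS 4.2 evaluates argument lines).
@dataclass
class CommandRule:
    permit_unmatched_args: bool                       # "Permit/Deny unmatched args"
    arg_patterns: list = field(default_factory=list)  # (action, regex) pairs

@dataclass
class AuthorizationSet:
    permit_unmatched_commands: bool                   # radio button for unlisted commands
    rules: dict = field(default_factory=dict)

    def authorize(self, command_line: str) -> bool:
        """Return True if this set would permit the command line."""
        parts = command_line.strip().split(None, 1)
        command = parts[0].lower() if parts else ""
        args = parts[1] if len(parts) > 1 else ""
        rule = self.rules.get(command)
        if rule is None:                              # command not listed at all
            return self.permit_unmatched_commands
        for action, pattern in rule.arg_patterns:     # first matching argument line wins
            if re.match(pattern, args):
                return action == "permit"
        return rule.permit_unmatched_args

# The read-only set from the reply above: deny every command not listed.
READ_ONLY_SET = AuthorizationSet(
    permit_unmatched_commands=False,
    rules={
        "copy": CommandRule(permit_unmatched_args=True),
        "dir": CommandRule(False, [("permit", r"disk0:/dap\.xml$")]),
        "enable": CommandRule(permit_unmatched_args=True),
        "perfmon": CommandRule(False, [("permit", r"interval 10$")]),
        "show": CommandRule(permit_unmatched_args=True),
        "write": CommandRule(False, [("permit", r"net$")]),
    },
)

def denied_commands(auth_set: AuthorizationSet, commands: list) -> list:
    return [c for c in commands if not auth_set.authorize(c)]  # commands the set rejects

# Constructed sample input: login-time commands from the earlier reply, then
# configuration changes that a read-only account must not be able to run.
ASDM_LOGIN_COMMANDS = ["show version", "show curpriv", "perfmon interval 10",
                       "show asdm sessions", "show running-config", "show vlan",
                       "show access-list brief", "dir disk0:/dap.xml", "write net"]
CHANGE_COMMANDS = ["configure terminal", "write memory", "perfmon interval 5"]
```

If `denied_commands(READ_ONLY_SET, ASDM_LOGIN_COMMANDS)` is not empty, ASDM will fail on that command and fall back to prompting for credentials, which is the symptom described in the thread.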
