01-04-2010 09:17 AM - edited 03-11-2019 09:53 AM
Can you configure user account permissions that apply to the ASDM interface from the CLI? For instance, I need to give someone read-only access to the ASDM so they can view but cannot make changes to the config.
Can this be done using the CLI?
Mario
01-04-2010 09:22 AM
Yes, that is done with priv level 5.
ASDM helps you configure it. If you go to Device Management > AAA Access > Authorization > Set ASDM Defined User Roles, then you can assign priv 5 to a user and that user will be able to only read in ASDM.
I hope it helps.
PK
01-04-2010 09:28 AM
Thanks for the quick response.
Do you know if you can configure this from the CLI rather than from the ASDM?
And do you know if those permissions apply to the user both when logged in to the ASDM and the CLI?
Mario
01-04-2010 10:01 AM
Yes, they apply to both ASDM and CLI. Users of priv 5 will be able to run only the commands that are of priv 5.
The commands ASDM will push for the priv levels are:
privilege show level 3 mode configure command aaa
privilege show level 3 mode exec command aaa
privilege clear level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa-server
privilege clear level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode configure command access-list
privilege show level 3 mode exec command access-list
privilege clear level 3 mode configure command arp
privilege show level 3 mode configure command arp
privilege clear level 3 mode exec command arp
privilege show level 3 mode exec command arp
privilege show level 5 mode configure command asdm
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command blocks
privilege show level 3 mode configure command clock
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command compression
privilege show level 3 mode exec command cpu
privilege clear level 3 mode configure command crypto
privilege show level 3 mode configure command crypto
privilege clear level 3 mode exec command crypto
privilege show level 3 mode exec command crypto
privilege show level 3 mode configure command dhcpd
privilege show level 3 mode exec command dhcpd
privilege clear level 3 mode exec command dns-hosts
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command eigrp
privilege cmd level 3 mode configure command failover
privilege show level 3 mode configure command failover
privilege cmd level 3 mode exec command failover
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command firewall
privilege show level 5 mode exec command import
privilege show level 3 mode configure command interface
privilege show level 3 mode exec command interface
privilege show level 3 mode configure command ip
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege clear level 3 mode configure command logging
privilege show level 3 mode configure command logging
privilege clear level 3 mode exec command logging
privilege cmd level 3 mode exec command logging
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command module
privilege show level 3 mode exec command ospf
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege show level 5 mode configure command privilege
privilege show level 3 mode exec command reload
privilege show level 3 mode configure command route
privilege show level 3 mode exec command route
privilege show level 5 mode exec command running-config
privilege show level 3 mode configure command ssh
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command webvpn
privilege cmd level 3 mode exec command who
I hope it helps.
PK
06-04-2010 01:50 PM
Hi PK
I tried setting user Bob to level 5, both via ASDM and via the command line. I confirmed it by looking at the username. But when I log in as Bob, I can still change descriptions on the FW rule set. Any thoughts? Thanks. jimmyc
01-04-2010 10:28 AM
Hi,
You could also try this.
aaa authentication http console LOCAL
(Config)# username test password test
(Config)# username test attribute
(Config-username)# service-type nas-prompt
Regards,
Suresh
01-04-2010 01:55 PM
Thanks,
I'm getting there now. I have a strange issue where if I set a user a privilege level of 1, they can access the Configuration tab of the ASDM but all configuration is blank:
no firewall rules, network objects, VPN profiles. NOTHING.
Then the moment I change the privilege level to 2 or higher, the user has no access to the config tab at all. I'd like to raise the privilege level for accessing the Configuration tab so that I can configure more granular access.
Do you know how to do this? Is it one of the privilege commands posted previously?
Mario
01-04-2010 02:01 PM
You can't get more granular than that.
ASDM recognizes 3 types of user priv: 2, 5 and 15 (monitor, read-only and admin respectively).
You can move commands to different levels but that will correspond only to CLI. ASDM will recognize only the levels above for the functions/commands it does. If you move commands up and down ASDM will try to do its best and when it tries to apply a command that has been arbitrarily moved it will throw an error.
PK
01-04-2010 02:22 PM
Thanks for your help, guys...
I managed to find the show run privilege command, which displayed all the privileges and allows me to configure everything as I need!!
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mgaccess.html#wp1042016
Cheers!!
Mario
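Putting the thread's answers together (PK's point that the levels apply to both ASDM and CLI, the privilege lines ASDM pushes, Suresh's local-AAA snippet and Mario's show run privilege) as one complete CLI configuration. This is an added example, not configuration posted in the thread or taken from Cisco's documentation. The usernames and passwords are placeholders, and the aaa authorization exec line assumes a release that supports management authorization; it is not in the 7.2 guide linked above, so drop it on older code.

```text
! Constructed example: local users with ASDM/CLI privilege levels,
! configured entirely from the CLI. Names and passwords are placeholders.

! Authenticate ASDM (HTTPS), SSH and "enable" against the local user database.
! Without "aaa authentication http console", ASDM logs in with a blank
! username and the enable password, and every ASDM session runs as priv 15.
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL

! Enforce the privilege levels on every command. Without this line the
! levels are stored but never checked, so a priv 5 user who gets past
! "enable" can still change the configuration from the CLI.
aaa authorization command LOCAL

! Management authorization (assumed to be supported on your release):
! makes the per-user service-type below take effect for CLI access.
aaa authorization exec LOCAL

! Read-only operator: priv 5 is the level ASDM treats as "Read Only".
username ro-viewer password Use-A-Long-Passphrase privilege 5
username ro-viewer attributes
 service-type nas-prompt

! Full administrator (priv 15, what ASDM treats as "Admin").
username fw-admin password Use-A-Different-Passphrase privilege 15
username fw-admin attributes
 service-type admin

! ASDM's own defaults, as in PK's list: "show running-config" sits at
! level 5 so the read-only role can load the config. Leave these alone;
! moving them above 5 makes ASDM error out for read-only users.
privilege show level 5 mode exec command running-config
privilege show level 5 mode configure command privilege

! Verification from the CLI:
!   show run privilege    -> the per-command levels currently configured
!   show curpriv          -> the privilege level of the current session
! Then log in as ro-viewer over SSH and try "configure terminal": with
! command authorization on, it is refused, and in ASDM the Configuration
! tab is visible but read-only.
```

Two things are worth checking after applying this. First, "show curpriv" as ro-viewer should report level 5, not 15; if it reports 15, the user reached "enable" with the shared enable password, which means aaa authentication enable console LOCAL did not apply. Second, show run privilege should still list the ASDM defaults at levels 3 and 5; PK's caveat is that ASDM only understands 2, 5 and 15, so finer-grained levels set with the privilege command are honoured on the CLI but not mapped to extra ASDM roles.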