How to authorize users to administer the Cisco ASA using Cisco ACS

Apr 20th, 2010

Hi,


I have 2 different types of admins: 1) Read/Only; 2) Read/Write. I would want to restrict the Read/Only admins from being given the 'Enable' privilege access.

I also understand that being in User privileged mode would not give that many options to check things on the ASA. Hence, I would like to give access to all the 'Show' commands (that are in all modes) for these Read/Only users from their User exec mode.

Is this possible? Please advise.

Question 2: Is it possible to change the default privilege level (Level 1) of the User Exec mode?


Regards,

Shridhar

Panos Kampanakis (Cisco Employee) Wed, 04/21/2010 - 20:50

You can do that.

You can move commands around to certain privilege levels.

To enforce the monitor, read-only, admin privileges with commands you can use ASDM and go under AAA authentication > Set Default User privilege levels button.


I hope it helps.


PK

shridhar_mk Fri, 04/23/2010 - 19:44

Hi PK,

Thanks for the response. I am setting up users in the ACS with either privilege level 1 (no Enable privilege) or privilege 15 (full access), and I want to make the commands below available to the users with no Enable privilege:


show access-list
show activation-key
show arp
show clock
show configuration
show conn
show counters
show cpu
show crashinfo
show curpriv
show debug
show disk0:
show h323
show interface
show logging
show module
show monitor-interface
show nameif
show names
show nat
show ntp
show perfmon
show processes
show route
show running-config
show service-policy
show sip
show skinny
show snmp-server
show startup-config
show tcpstat
show threat-detection
show traffic
show version
show xlate

Is this possible?


Regards,

Shridhar
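PK's answer above says the fix is to move commands between privilege levels, and the follow-up lists the show commands that need moving. The ASA CLI below is an added example of what that looks like; it is not from either poster or from Cisco documentation. It assumes ASA 8.x with local command authorization, ACS 4.x reached over TACACS+ as server group `ACS` on the `inside` interface at 192.0.2.10, and that in ACS the read-only group's TACACS+ Shell (exec) privilege level is 1 (with "Max Privilege for any AAA Client" also set to 1, so ACS refuses the `enable` request) while the admin group's is 15. The server name, interface, address, key, local fallback user and those ACS settings are all assumptions, not anything the thread states.

```text
! ASA 8.x: read-only (level 1) and full (level 15) admins via ACS.
! Added example; names, address, key and fallback user are placeholders.
!
! 1. Logins and the enable password are checked against ACS over TACACS+,
!    with the local database as fallback when ACS is unreachable.
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET
aaa authentication ssh console ACS LOCAL
aaa authentication enable console ACS LOCAL
!
! 2. Local command authorization: each command's privilege level is
!    checked against the level the logged-in user holds.
aaa authorization command LOCAL
!
! 3. Local level-15 user so the box stays manageable when ACS is down
!    (configure this BEFORE step 2 on a live box to avoid lockout).
username admin password REPLACE-ME privilege 15
!
! 4. Lower the show commands the read-only users need from the default
!    level 15 to level 1 so they work straight from user EXEC (the >
!    prompt) with no enable at all.  Each line changes only the show form;
!    the configure form of the same keyword stays at 15.  Use the same
!    form for the rest of the list in the follow-up post.
privilege show level 1 command access-list
privilege show level 1 command arp
privilege show level 1 command conn
privilege show level 1 command cpu
privilege show level 1 command interface
privilege show level 1 command logging
privilege show level 1 command nat
privilege show level 1 command route
privilege show level 1 command service-policy
privilege show level 1 command threat-detection
privilege show level 1 command xlate
!
! 5. The config-dump commands (running-config, startup-config,
!    configuration) print password hashes and, depending on release,
!    shared secrets such as the aaa-server key above.  Lower them only
!    if read-only admins are allowed to see that.
privilege show level 1 command running-config
```

Check the result by logging in as a read-only user, running `show curpriv` (it should report level 1 at the `>` prompt), confirming one of the moved commands such as `show conn` works there, and confirming `enable` is refused. If you would rather have ACS decide per command instead of the ASA's levels, `aaa authorization command ACS LOCAL` sends every command to ACS, where the read-only group's Shell Command Authorization Set permits `show` and denies everything else; the `privilege` lines then still matter, because LOCAL is what applies when ACS is unreachable.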
