How to authorize users to administer the Cisco ASA using Cisco ACS

Apr 20th, 2010


I have 2 different types of admins: 1) Read/Only; 2) Read/Write. I would want to restrict the Read/Only Admins from being given the 'Enable' privilege access.

I also understand that being in a User privileged mode would not give that many options to check things on the ASA. Hence, I would like to give access to all the 'Show' commands (that are in all modes) for these Read/Only users from their User exec mode.

Is this possible? Please advise.

Question 2: Is it possible to change the Default Privilege level (Level 1) of the User Exec mode?



Panos Kampanakis Wed, 04/21/2010 - 20:50
User Badges: Cisco Employee

You can do that.

You can move commands around to certain privilege levels.

To enforce the monitor, read-only, admin privileges with commands, you can use ASDM and go under AAA authentication > Set Default User privilege levels button.

I hope it helps.


shridhar_mk Fri, 04/23/2010 - 19:44

Hi PK,

Thanks for the response. I am setting up users in the ACS with either privilege level as 1 (No Enable privilege) or privilege 15 (Full Access). And I want to make the below commands available for the users with No Enable privilege:

show access-list
show activation-key
show arp
show clock
show configuration
show conn
show counters
show cpu
show crashinfo
show curpriv
show debug
show disk0:
show h323
show interface
show logging
show module
show monitor-interface
show nameif
show names
show nat
show ntp
show perfmon
show processes
show route
show running-config
show service-policy
show sip
show skinny
show snmp-server
show startup-config
show tcpstat
show threat-detection
show traffic
show version
show xlate

Is this possible?



