04-20-2010 06:49 AM - edited 03-10-2019 05:04 PM
Hi,
I have 2 different types of admins. 1> Read/Only ; 2> Read/Write. I would want to restrict the Read/Only Admins from being given the 'Enable' privilege access.
I also understand that being in a User privileged mode would not give that many options to check things on the ASA. Hence, I would like to give access to all the 'Show' commands (that are in all modes) for these Read/Only users from their User exec mode.
Is this possible? Please advise.
Question 2: Is it possible to change the Default Privilege level (Level 1) of the User Exec mode?
Regards,
Shridhar
04-21-2010 08:50 PM
You can do that.
You can move commands around to certain privilege levels.
To enforce the monitor, read-only, admin privileges with commands you can use ASDM and go under AAA authentication > Set Default User privilege levels button.
I hope it helps.
PK
04-23-2010 07:44 PM
Hi PK,
Thanks for the response. I am setting up users in the ACS with either privilege level as 1 (No Enable privilege) or privilege 15 (Full Access). And, I want to make the below commands available for the users with No Enable privilege -
show access-list
show activation-key
show arp
show clock
show configuration
show conn
show counters
show cpu
show crashinfo
show curpriv
show debug
show disk0:
show h323
show interface
show logging
show module
show monitor-interface
show nameif
show names
show nat
show ntp
show perfmon
show processes
show route
show running-config
show service-policy
show sip
show skinny
show snmp-server
show startup-config
show tcpstat
show threat-detection
show traffic
show version
show xlate
Is this possible?
Regards,
Shridhar
04-26-2010 07:34 AM
Yes, that can be done.
Though you would need enable password authentication to be able to do it.
Here is a guide that will help you:
http://www.cisco.mn/en/US/docs/security/asa/asa70/configuration/guide/mgaccess.html#wp1042041
I hope it helps,
PK
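
A configuration sketch of what the replies above describe, added here as an example and not taken from either poster or from the linked guide. It assumes the ASA LOCAL user database rather than ACS, an arbitrary level 5 for the read-only tier, constructed usernames with placeholder passwords, and only a subset of the requested show commands.

```cisco
! Added example: usernames, level 5 and passwords are assumptions,
! not values from the thread.

! Two local accounts, one per admin tier
username ro-admin password <PLACEHOLDER> privilege 5
username rw-admin password <PLACEHOLDER> privilege 15

! Authenticate SSH logins and the "enable" step against the user database,
! so each admin enters enable with their own credentials instead of a
! shared enable password
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL

! Move the "show" form of selected commands down to level 5.
! No "mode" keyword is given, so the change is not limited to one CLI mode.
privilege show level 5 command access-list
privilege show level 5 command arp
privilege show level 5 command clock
privilege show level 5 command conn
privilege show level 5 command interface
privilege show level 5 command logging
privilege show level 5 command route
privilege show level 5 command version
privilege show level 5 command xlate

! Only include these if the read-only tier is meant to see the full
! configuration
privilege show level 5 command running-config
privilege show level 5 command startup-config

! Enforce the per-command levels defined above; without this line the
! privilege assignments are not applied to user sessions
aaa authorization command LOCAL
```

After logging in as the read-only account, `show curpriv` confirms the level actually granted. `show running-config` and `show startup-config` expose password hashes and the full security policy, so grant them to the read-only tier only if that visibility is intended.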