User-Role for editing access-lists in ASDM

Answered Question
May 3rd, 2010

Hi

We use an FWSM, version 4.0(6) with ASDM, version 6.1(5)F

I need to build a user role for a user who can just configure existing access-lists in ASDM. I decided to use privilege level 7 for that role.

First I created the ASDM-defined user roles (Admin (15), read only (5) & monitor only (3)).

Then I tried to give a level 7 user access to the configuration of access-lists:

privilege cmd level 7 mode configure command configure

privilege cmd level 7 mode configure command access-list

But now, if I log in with ASDM as level 7 user I can see the access-lists (and everything else) but I'm not able to configure them.
What did I forget?
Thanks
Patrik
Panos Kampanakis Tue, 05/04/2010 - 08:54

ASDM will not understand levels other than 3, 5 and 15.

Even though it can be more granular for CLI command authorization, ASDM does not know about these user priv levels, so it will not enforce it.

PK

patrik.spiess Tue, 05/04/2010 - 22:53

PK,

Thanks for your answer. It's interesting to know that ASDM is only aware of levels 3, 5 & 15.

Now I decided to change the level 5 to give access to the access-list configuration.

privilege cmd level 5 mode configure command configure

privilege cmd level 5 mode configure command access-list

But even these settings don't affect anything. A level 5 user is still not able to configure access-lists in ASDM.

Does this mean that I cannot change the privileges for ASDM at all?

Thanks again

Patrik

Panos Kampanakis Wed, 05/05/2010 - 06:10

If you go into ASDM and go under AAA Authentication you will see a button that says something like "Set ASDM privilege levels". Using that will move the commands to the levels that you need for ASDM to enforce it.

Note that ASDM 6.0 had a couple of defects related to this. The latest 6.2 versions work fine.

I hope it helps.

PK

patrik.spiess Thu, 05/06/2010 - 02:59

Unfortunately this doesn't help.

I already set the ASDM levels (which are 3, 5 & 15). But levels 3 & 5 are not able to configure access-lists in ASDM, and I cannot give level 15 to our sysadmins.

I use ASDM 6.2(5) with my ASAs 8.2(2).

Question:

Is it possible to configure the privileges so that someone is only able to configure access-lists and nothing else?

If yes, how can that be done?

Thanks

Patrik

Correct Answer
Panos Kampanakis Thu, 05/06/2010 - 10:10

With ASDM, I am afraid not; you could do it with the CLI and level 7 as you tried to do there. But ASDM will not honor it.

What you could do to hack it is to create a new level 15 user and do command authorization for that user. ASDM will let him do whatever he wants, but when he tries to push the commands, the ASA will try to authorize these commands and fail all except for the ACL ones.

I hope it makes sense.

PK
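PK's workaround, written out as an ASA configuration fragment. This is an added example, not configuration from the thread or from Cisco; the server tag ACS, the address 192.0.2.10, the interface name and the username are assumptions, and the per-command policy (permit `configure terminal` and `access-list`, deny everything else for that user) is defined on the TACACS+ server, not in this fragment.

```text
! --- Added example; not from the original thread ---
! A level 15 account so that ASDM opens every configuration screen for
! the ACL editor. The restriction is enforced by the ASA asking the
! TACACS+ server about each command ASDM pushes, not by the level.
username aclops password <placeholder> privilege 15

! TACACS+ server used for command authorization (address is assumed).
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.0.2.10
 key <shared-secret-placeholder>

! ASDM logs in over HTTPS; authenticate that login against TACACS+.
aaa authentication http console ACS LOCAL
aaa authentication enable console ACS LOCAL

! Authorize every configuration command against the server's command
! set for the user. For aclops the server permits only
! "configure terminal" and "access-list ..." and denies the rest, so
! ASDM shows the full UI but the ASA rejects any non-ACL change it sends.
aaa authorization command ACS LOCAL
```

The trailing LOCAL on the authorization line only takes effect when the server is unreachable, and in that case local privilege levels apply and the level 15 account is unrestricted; whether to keep that fallback is a trade-off against locking yourself out, and the CLI privilege lines from earlier in the thread still govern what the ASA accepts on a direct SSH session.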
