User-Role for editing access-lists in ASDM

patrik.spiess (Level 1)

Hi

We use a FWSM, version 4.0(6) with ASDM, version 6.1(5)F

I need to build a user role for a user who can just configure existing access-lists in ASDM. I decided to use privilege level 7 for that role.

First I created the ASDM-defined user roles (Admin (15), read only (5) & monitor only (3)).

Then I tried to give a level 7 user access to the configuration of access-lists:

privilege cmd level 7 mode configure command configure

privilege cmd level 7 mode configure command access-list

But now, if I log in with ASDM as level 7 user I can see the access-lists (and everything else) but I'm not able to configure them.
What did I forget?
Thanks
Patrik

Panos Kampanakis (Cisco Employee)

ASDM will not understand levels different from 3, 5 and 15.

Even though it can be more granular for CLI command authorization, ASDM does not know about these user priv levels, so it will not enforce it.

PK

PK,

Thanks for your answer. It's interesting to know that ASDM is just aware of levels 3, 5 & 15.

Now I decided to change the level 5 to give access to the access-list configuration.

privilege cmd level 5 mode configure command configure

privilege cmd level 5 mode configure command access-list

But even these settings don't affect anything. A level 5 user is still not able to configure access-lists in ASDM.

Does this mean that I cannot change the privileges for ASDM at all?

Thanks again

Patrik

If you go into ASDM and go under AAA Authentication you will see a button that says something like "Set ASDM privilege levels". Using that will move the commands to the levels that you need for ASDM to enforce it.

Note that ASDM 6.0 had a couple of defects related to this. The latest 6.2 versions work fine.

I hope it helps.

PK

Unfortunately this doesn't help.

I already set the ASDM levels (which are 3, 5 & 15). But levels 3 & 5 are not able to configure access-lists in ASDM, and I cannot give level 15 to our sysadmins.

I use ASDM 6.2(5) with my ASAs 8.2(2).

Question:

Is it possible to configure the privileges that someone is only able to configure access-lists and nothing else?

If yes, how can that be done?

Thanks

Patrik

With ASDM I am afraid not, you could do it with CLI and level 7 that you tried to do there. But ASDM will not honor it.

What you could do to hack it is to create a new level 15 user and do command authorization for that user. ASDM will let him do whatever he wants, but when he tries to push the commands the ASA will try to authorize these commands and fail all except for the ACL ones.

I hope it makes sense.

PK
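The approach PK describes above, written out as an added configuration example for an ASA 8.2 (this is not configuration from the thread or from Cisco): the ACL operator logs in to ASDM as a level 15 user, so the GUI shows everything, but every command ASDM pushes is sent to an external TACACS+ server for per-command authorization, and that server is where only the access-list commands are permitted. The server group name, host address, shared key and account names are constructed placeholders; the assumption is that the enforcement point is the TACACS+ server's command policy, since the ASA's local authorization cannot restrict a level 15 user.

```cisco
! Added example (not from the thread). Names, the host address and the key are placeholders.
!
! 1. TACACS+ server group that will answer authentication and command-authorization requests.
aaa-server TACACS-GRP protocol tacacs+
aaa-server TACACS-GRP (inside) host 192.0.2.10
 key TACACS_KEY_PLACEHOLDER
!
! 2. Authenticate ASDM (HTTPS), SSH and enable-mode logins against the server group;
!    LOCAL is consulted only when every TACACS+ server is unreachable.
aaa authentication http console TACACS-GRP LOCAL
aaa authentication ssh console TACACS-GRP LOCAL
aaa authentication enable console TACACS-GRP LOCAL
!
! 3. Per-command authorization: each command ASDM sends (access-list ..., and anything
!    else the full level 15 GUI allows the operator to try) is checked with the server
!    before the ASA executes it. The operator's privilege level no longer decides.
aaa authorization command TACACS-GRP LOCAL
!
! 4. Local break-glass account for when the server group is down.
username fwadmin password LOCAL_PASSWORD_PLACEHOLDER privilege 15
```

On the TACACS+ side, the ACL operator's command policy would permit only what the ASDM access-list editor actually sends (the `access-list` commands and the `show`/`write memory` commands needed to refresh and save the configuration) and deny everything else; the exact syntax depends on the TACACS+ product and is not shown here. Two things to check before relying on this: the LOCAL fallback on the `aaa authorization command` line means that while the server group is unreachable a local level 15 user is authorized for every command, so local level 15 accounts should be limited to the break-glass one; and the ASA's own AAA syslog messages for denied commands are worth forwarding, because they are the record that ASDM attempted something outside the operator's policy.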

PK,

Thanks for your clarification.

Patrik
