I want to setup a couple of users in TACACS using ACS 5.1 to only be able to login to the ASDM and monitor the device.
The documentation is a bit confusing from the ASA ASDM as it says:
1.TACACS+ users—Authorization is requested with the "service=shell" and the server responds with PASS or FAIL.
•PASS, privilege level 1—Allows full access to any services specified by the Authentication tab options.
•PASS, privilege level 2 and higher—Allows access to the CLI when you configure the Telnet or SSH authentication options, but denies ASDM configuration access if you configure the HTTP option. ASDM monitoring access is allowed. If you configure enable authentication with the Enable option, the user cannot access privileged EXEC mode using the enable command.
•FAIL—Denies management access. The user cannot use any services specified by the Authentication tab options (excluding the Serial option; serial access is allowed).
So in order to give them access to ASDM monitoring I need to give them a privilege level of 2, or higher which allows them to view but not configure.
However, a privilige level of 1 allows full access? Isn't this opposite of the way privilege levels work?
Isn't privilege 1 the lowest and 15 the highest?