AAA for ASA ASDM Monitoring

Unanswered Question
Jul 7th, 2010

I want to set up a couple of users in TACACS using ACS 5.1 to only be able to log in to the ASDM and monitor the device.

The documentation is a bit confusing from the ASA ASDM as it says:

1. TACACS+ users—Authorization is requested with the "service=shell" and the server responds with PASS or FAIL.

• PASS, privilege level 1—Allows full access to any services specified by the Authentication tab options.

• PASS, privilege level 2 and higher—Allows access to the CLI when you configure the Telnet or SSH authentication options, but denies ASDM configuration access if you configure the HTTP option. ASDM monitoring access is allowed. If you configure enable authentication with the Enable option, the user cannot access privileged EXEC mode using the enable command.

• FAIL—Denies management access. The user cannot use any services specified by the Authentication tab options (excluding the Serial option; serial access is allowed).

So in order to give them access to ASDM monitoring I need to give them a privilege level of 2 or higher, which allows them to view but not configure.

However, a privilege level of 1 allows full access? Isn't this the opposite of the way privilege levels work?

Isn't privilege 1 the lowest and 15 the highest?



Panos Kampanakis Thu, 07/08/2010 - 14:17

Indeed, level 1 is less than 15, and it should not be given access to ASDM.

There was an ASDM bug where it was not enforcing the levels and allowed even level 1 users to Monitor the device. So it could be that defect.

What ASDM version are you using?


JAMES HAYNES Fri, 07/09/2010 - 06:26

Hi PK,

The ASDM version is 6.1.5.

There may have been a bug, but why would the documentation as I posted show privilege 1 as having full control?

Would you know what privilege level I need to assign in TACACS+ for the user to only have monitor privileges?



Panos Kampanakis Fri, 07/09/2010 - 06:34

The guide is a little confusing.

If ASDM pushes the command authorization priv levels then 1 will not be allowed either.

We might need to fix the guide. Can you give the link for this doc?


JAMES HAYNES Fri, 07/09/2010 - 06:52

Sure, when I am in ASDM and go to:

Device Management>Users/AAA>>AAA Access and then click help it opens a


where there is a section on limiting User CLI and ASDM Access with Management Authorization

