Implement strategy for ASA on TACACS w/ restricted read-only access

Unanswered Question
Aug 6th, 2010

An ASA5550 will need to be configured to use TACACS AAA. Currently, the ASA is set up for local authentication, with a couple of privilege 15 admin users and a few more privilege 5 read-only users.

ASA 5550

running ASA 8.2(2)

using ASDM 6.3(5)

authenticating to ACS 4.2

The admin users and read-only users already have established TACACS usernames and are in established TACACS user groups for logging into routers/switches.

What's the best way to implement the configuration of the ASA and ACS server to maintain the same type of restrictions that are applied using the local database?

1. Try to avoid the creation of a second TACACS username for the admin and read-only users.

2. ACS allows restrictions on what devices can be accessed by users/groups. Is it possible to do the reverse, i.e. restrict which usernames in the ACS database can access a device?

Jatin Katyal Sat, 08/07/2010 - 07:26

If you want to configure the ASA for read-only access via TACACS, then you have to do the following tasks.


ASA/PIX/FWSM Configuration

In addition to your preset configuration, these commands are required on ASA/PIX/FWSM in order to implement command authorization through an ACS server:

    ! Define a TACACS+ server group named "authserver" and add the ACS host to it
    aaa-server authserver protocol tacacs+
    aaa-server authserver host 10.1.1.1
    ! Send every CLI command to ACS for authorization; the command
    ! authorization set assigned on ACS decides what each user may run
    aaa authorization command authserver


On the ACS, you need to create a command authorization set that permits only SHOW commands:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#scenario2



Associate the command authorization set with the user or group:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#asso2


Regards,

Jatin


Do rate helpful posts-
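A fuller ASA-side configuration for the approach described in the answer above, added here as an example; it is not from the post or from Cisco's document. It assumes the ACS is reached through the "inside" interface at the 10.1.1.1 address used in the post, a placeholder shared secret, and an emergency local admin account (the username and key are assumptions):

```cisco
! --- Added example, not from the original post or Cisco's document ---
! Assumptions: ACS reachable via the "inside" interface at 10.1.1.1,
! shared secret is a placeholder, one local account is kept for emergencies.
!
! TACACS+ server group. Which commands a user may run is decided by the
! command authorization set assigned to that user/group on ACS
! (show-only for the read-only group), not by anything on the ASA.
aaa-server authserver protocol tacacs+
aaa-server authserver (inside) host 10.1.1.1
 key REPLACE-WITH-SHARED-SECRET
 timeout 5
!
! Authenticate every management path against ACS. The trailing LOCAL is
! a fallback used only when the ACS group is unreachable; a login that
! ACS rejects is NOT retried against the local database.
aaa authentication ssh console authserver LOCAL
aaa authentication http console authserver LOCAL
aaa authentication enable console authserver LOCAL
aaa authentication serial console authserver LOCAL
!
! Authorize every command through ACS. With LOCAL fallback, an ACS outage
! drops back to the existing local privilege 5 / 15 restrictions instead
! of locking all administrators out of the firewall.
aaa authorization command authserver LOCAL
!
! Emergency local admin, only usable while ACS is unreachable.
username emergency-admin password REPLACE-ME privilege 15
!
! Before "write memory", keep the current session open and verify from a
! second session that a read-only TACACS user is refused a configuration
! command (e.g. "configure terminal") while "show" commands still work.
```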

axa-wongjeff Mon, 08/09/2010 - 10:47

I created an NDG (network device group) for my ASAs.

Is there a way within ACS where I can configure an NDG to be read-write for certain specific user IDs while read-only for all other users?
