08-06-2010 02:31 PM - edited 03-10-2019 05:18 PM
An ASA 5550 will need to be configured to use TACACS+ AAA. Currently, the ASA is set up for local authentication, with a couple of privilege 15 admin users and a few more privilege 5 read-only users.
ASA 5550
running ASA 8.2(2)
using ASDM 6.3(5)
authenticating to ACS 4.2
The admin users and read-only users already have established TACACS usernames and are in established TACACS user groups for logging into routers/switches.
What's the best way to implement the configuration of the ASA and the ACS server so as to maintain the same type of restrictions that are applied using the local database?
1. Try to avoid the creation of a second TACACS username for the admin and read-only users.
2. ACS allows restrictions on what devices can be accessed by users/groups. Is it possible to do the reverse, i.e. restrict which usernames can access a device in the ACS database?
08-07-2010 07:26 AM
If you want to configure the ASA for read-only access via TACACS+, then you have to do the following:
ASA/PIX/FWSM Configuration
In addition to your preset configuration, these commands are required on ASA/PIX/FWSM in order to implement command authorization through an ACS server:
aaa-server authserver protocol tacacs+
aaa-server authserver host 10.1.1.1
 key <shared-secret-configured-on-ACS>
aaa authentication ssh console authserver LOCAL
aaa authorization command authserver LOCAL
On the ACS, you need to create a command authorization set for only SHOW commands:
Associate the command authorization set with the user or group.
Regards,
Jatin
Do rate helpful posts-
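To make concrete what the command authorization set above actually decides per command, here is an added example (written for this thread, not ASA or ACS code) of the TACACS+ authorization exchange as described in RFC 8907: the device sends an obfuscated AUTHOR REQUEST carrying `service=shell`, `cmd=…` and `cmd-arg=…` AV pairs, and the server answers PASS_ADD or FAIL after checking the user's group against a shell command set modelled on ACS ("permit show with any arguments, deny unmatched commands"; admins get no set, so everything is permitted). The users alice and bob, their groups, the shared key, the `ssh` port and the 192.0.2.10 remote address are all constructed for the example.

```python
import hashlib
import os
import re
import struct

TAC_PLUS_VERSION = 0xC0      # major version 0xC, minor 0
TAC_PLUS_AUTHOR = 0x02       # packet type: authorization
AUTHOR_STATUS_PASS_ADD = 0x01
AUTHOR_STATUS_FAIL = 0x10
AUTHEN_METH_TACACSPLUS, AUTHEN_TYPE_ASCII, AUTHEN_SVC_LOGIN = 0x06, 0x01, 0x01

SHARED_KEY = b"constructed-shared-secret"   # assumed key, configured on both sides

# Assumed ACS-style policy: no command set for admins (permit all); the
# read-only group may run "show" with any arguments and "ping" with a
# dotted-decimal argument; every unmatched command is denied.
GROUP_OF_USER = {"alice": "NetAdmins", "bob": "ReadOnly"}
COMMAND_SETS = {
    "NetAdmins": None,
    "ReadOnly": {"show": [r".*"], "ping": [r"^[0-9.]+$"]},
}


def _pseudo_pad(session_id, key, version, seq_no, length):
    """Chained-MD5 keystream from RFC 8907 section 4.5."""
    pad, prev = b"", b""
    while len(pad) < length:
        prev = hashlib.md5(session_id + key + bytes([version, seq_no]) + prev).digest()
        pad += prev
    return pad[:length]


def _obfuscate(body, session_id, key, version, seq_no):
    """XOR the body with the pseudo pad; applying it twice restores the body."""
    pad = _pseudo_pad(session_id, key, version, seq_no, len(body))
    return bytes(b ^ p for b, p in zip(body, pad))


def build_packet(ptype, seq_no, session_id, body, key):
    header = struct.pack("!BBBB4sI", TAC_PLUS_VERSION, ptype, seq_no, 0, session_id, len(body))
    return header + _obfuscate(body, session_id, key, TAC_PLUS_VERSION, seq_no)


def parse_packet(packet, key):
    version, ptype, seq_no, _flags, session_id, length = struct.unpack("!BBBB4sI", packet[:12])
    body = _obfuscate(packet[12:12 + length], session_id, key, version, seq_no)
    return ptype, seq_no, session_id, body


def author_request(user, args, priv_lvl=1, port=b"ssh", rem_addr=b"192.0.2.10"):
    """Authorization REQUEST body: fixed fields, arg lengths, then the strings."""
    user_b, args_b = user.encode(), [a.encode() for a in args]
    fixed = struct.pack("!8B", AUTHEN_METH_TACACSPLUS, priv_lvl, AUTHEN_TYPE_ASCII,
                        AUTHEN_SVC_LOGIN, len(user_b), len(port), len(rem_addr), len(args_b))
    return fixed + bytes(len(a) for a in args_b) + user_b + port + rem_addr + b"".join(args_b)


def parse_author_request(body):
    ulen, plen, rlen, argc = struct.unpack("!8B", body[:8])[4:]
    arg_lens, off = list(body[8:8 + argc]), 8 + argc
    user = body[off:off + ulen].decode()
    off += ulen + plen + rlen
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode())
        off += n
    return user, args


def evaluate(user, args):
    """Server-side decision modelled on an ACS shell command authorization set."""
    group = GROUP_OF_USER.get(user)
    if group is None:
        return False
    command_set = COMMAND_SETS[group]
    if command_set is None:
        return True                      # no set assigned: everything permitted
    cmd = next((a[4:] for a in args if a.startswith("cmd=")), "")
    cmd_args = [a[8:] for a in args if a.startswith("cmd-arg=") and a != "cmd-arg=<cr>"]
    if cmd not in command_set:
        return False                     # "Unmatched Commands: Deny"
    argline = " ".join(cmd_args)
    return any(re.search(p, argline) for p in command_set[cmd])


def author_reply(permitted):
    status = AUTHOR_STATUS_PASS_ADD if permitted else AUTHOR_STATUS_FAIL
    return struct.pack("!BBHH", status, 0, 0, 0)   # no args, server_msg or data


def authorize(user, command_line, key=SHARED_KEY):
    """Run the whole exchange in-process and return the device's decision."""
    session_id = os.urandom(4)
    cmd, *rest = command_line.split()
    args = ["service=shell", f"cmd={cmd}"] + [f"cmd-arg={a}" for a in rest] + ["cmd-arg=<cr>"]
    request = build_packet(TAC_PLUS_AUTHOR, 1, session_id, author_request(user, args), key)
    # --- server side: decrypt, evaluate, answer with the next sequence number ---
    _, seq_no, sid, body = parse_packet(request, key)
    req_user, req_args = parse_author_request(body)
    verdict = evaluate(req_user, req_args)
    reply = build_packet(TAC_PLUS_AUTHOR, seq_no + 1, sid, author_reply(verdict), key)
    # --- device side: decrypt the reply and act on the status byte ---
    _, _, _, reply_body = parse_packet(reply, key)
    return reply_body[0] == AUTHOR_STATUS_PASS_ADD
```

Note that the device sends every command, including `enable` and `configure`, through this exchange, which is why a LOCAL fallback on the `aaa authorization command` line matters: if the ACS is unreachable, an admin otherwise has no authorized commands at all.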
08-09-2010 10:47 AM
I created an NDG (network device group) for my ASAs.
Is there a way within ACS where I can configure an NDG to be read-write access for certain specific user IDs while read-only for all other users?