ASDM AAA privileges

Unanswered Question
Aug 24th, 2010

I am trying to set up AAA for management on my ASA. I have the admin users up and working fine. Now I need to set up access so that my help desk users have the ability to monitor VPN sessions and log them out via the ASDM. I don't want them to be able to get the configuration tab at all and I don't want these users to have access to the CLI at all.


I created the local user I wanted and set the privilege level to 3 (selected "YES" to the "create predefined admin, read-only, monitor-only" prompt). I then logged in as this user and the configuration tab was gone like I wanted. I then clicked on "Monitor" and "VPN". I could see the sessions but the "logout" button was not available. I expected this, so I modified the privilege levels for the vpn-sessiondb commands to a privilege level of 3. I tried logging in again but the logout button was still not available.


Can anyone tell me if this is possible?


Thanks.

Waris Hussain Tue, 08/24/2010 - 13:16

Hi,

Not sure what ASDM version you are using, but you might be running into bug CSCsz83205.


Symptom:

Users with privilege level below 15 unable to logoff VPN sessions from ASDM.

Conditions:

ASA is not configured for 'command authorization'.

Workaround:

Use Command Line Interface to logoff VPN sessions.


I have ASDM 6.3 and I am able to see logout with priv level 3.


Thanks

Waris Hussain.

snowmizer Tue, 08/24/2010 - 13:50

Did you have to configure any special command privileges? I'm running ASDM v6.3(1). Unfortunately I can't see the bug track document right now. I'll check later to read it.
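
An added example, not part of any post in this thread: a Python check that reads an ASA running-config and reports, for each local user, whether it matches the condition quoted above for CSCsz83205 (privilege below 15, no `aaa authorization command` line) and whether the user's level reaches the level set for `vpn-sessiondb`. The sample config, the function name `audit_vpn_logoff` and the default level of 15 for a command with no `privilege` line are assumptions.

```python
import re

# Constructed ASA running-config excerpt (sample input, not taken from the thread).
# It mirrors the setup described in the question: a level-3 help desk user and
# vpn-sessiondb lowered to level 3, with no command authorization configured.
SAMPLE_CONFIG = """\
username admin password PLACEHOLDER encrypted privilege 15
username helpdesk password PLACEHOLDER encrypted privilege 3
aaa authentication http console LOCAL
privilege cmd level 3 mode exec command vpn-sessiondb
"""

USER_RE = re.compile(r"^username (\S+) .*\bprivilege (\d+)[ \t]*$", re.M)
PRIV_RE = re.compile(
    r"^privilege (?:(show|clear|cmd) )?level (\d+) (?:mode \S+ )?"
    r"command vpn-sessiondb[ \t]*$",
    re.M,
)
AUTHZ_RE = re.compile(r"^aaa authorization command \S+", re.M)


def audit_vpn_logoff(config):
    """Compare a config with the symptom and condition quoted for CSCsz83205."""
    authz = bool(AUTHZ_RE.search(config))
    # Only 'cmd' (or unqualified) privilege lines cover 'vpn-sessiondb logoff';
    # 'show' and 'clear' lines apply to other forms of the command.
    levels = [int(lvl) for form, lvl in PRIV_RE.findall(config) if form in ("", "cmd")]
    # Assumption: a command with no privilege line stays at level 15.
    cmd_level = levels[-1] if levels else 15
    users = {}
    for name, lvl in USER_RE.findall(config):
        lvl = int(lvl)
        users[name] = {
            "level": lvl,
            "reaches_vpn_sessiondb": lvl >= cmd_level,
            # Condition as quoted in the thread: below 15, no command authorization.
            "matches_bug_condition": lvl < 15 and not authz,
        }
    return {"command_authorization": authz,
            "vpn_sessiondb_level": cmd_level,
            "users": users}


if __name__ == "__main__":
    report = audit_vpn_logoff(SAMPLE_CONFIG)
    print("command authorization:", report["command_authorization"])
    for name, info in report["users"].items():
        print(name, info)
```

Users defined without an explicit `privilege` keyword are not listed by this check.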
