ASA privilege levels/views

Answered Question
Sep 8th, 2010

Hi Guys,


Can anyone tell me if the ASA supports views in the same manner IOS does? If so, can you tell me what version this functionality was made available in?


TIA

Rgds

Scott

sachinga.hcl Thu, 09/09/2010 - 04:37

Hi Scott,


Only when you enable command authorization do you have the option of manually assigning privilege levels to individual commands or groups of commands.


---

To configure privilege access levels on Cisco ASA commands there are 4 steps involved, as follows:


1. Enable command authorization (LOCAL in this case means: keep the command authorization configuration on the firewall):

aaa authorization command LOCAL


2. You can define commands you want to use on a certain level. For example, these commands will enable a user in privilege level 5 to view and clear crypto tunnels:


privilege show level 5 command crypto
privilege clear level 5 command crypto


3. Create a user and assign the privilege level to her/him:


username userName password userPass privilege 5


4. Create an enable password for the new privilege level:


enable password enablePass level 5


Now when the user logs in she/he can type:

enable 5


Enter the password from step four and they will be able to run the above crypto commands.

---
To add a user to the security appliance database, enter the username command in global configuration mode. To remove a user, use the no version of this command with the username you want to remove. To remove all usernames, use the no version of this command without appending a username.


username name {nopassword | password password [mschap | encrypted | nt-encrypted]} [privilege priv_level]


This privilege level is used with command authorization.

no username name

----------

In general you can use this version of username command as well for simple config:


username password privilege


i.e. (level 15 allows full EXEC mode access, as well as all ASDM features)


username sachingarg password HC!@%$#@! privilege 15


The default privilege level is 2.


Please remember, as I have said above, that access levels (1-15) aren't very relevant unless you enable command authorization:


aaa authorization command LOCAL

---

Viewing Command Privilege Levels


The following commands let you view privilege levels for commands.


•To show all commands, enter the following command:

hostname(config)# show running-config all privilege all


•To show commands for a specific level, enter the following command:

hostname(config)# show running-config privilege level level


The level is an integer between 0 and 15.


•To show the level of a specific command, enter the following command:

hostname(config)# show running-config privilege command command


For example, for the show running-config all privilege all command, the system displays the current assignment of each CLI command to a privilege level. The following is sample output from the command.


hostname(config)# show running-config all privilege all
privilege show level 15 command aaa
privilege clear level 15 command aaa
privilege configure level 15 command aaa
privilege show level 15 command aaa-server
privilege clear level 15 command aaa-server
privilege configure level 15 command aaa-server
privilege show level 15 command access-group
privilege clear level 15 command access-group
privilege configure level 15 command access-group
privilege show level 15 command access-list
privilege clear level 15 command access-list
privilege configure level 15 command access-list
privilege show level 15 command activation-key
privilege configure level 15 command activation-key
....
The following command displays the command assignments for privilege level 10:


hostname(config)# show running-config privilege level 10
privilege show level 10 command aaa


The following command displays the command assignment for the access-list command:

hostname(config)# show running-config privilege command access-list
privilege show level 15 command access-list
privilege clear level 15 command access-list
privilege configure level 15 command access-list


ciscoasa5520# show run all username
ciscoasa5520# show run all privilege | grep pwd

-----

Kindly find some useful references in this regard as follows:
username CLI syntax
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/uz.html#wp1568449


Additional reference for aaa authorization command
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1537175


For ASDM:
http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/user/guide/devaccss.html


Managing System Access (best for beginners)
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mgaccess.html#wp1042040


You can configure privilege levels on the ASA through the AAA configuration.  Take a look at:
http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/user/guide/devaccss.html



For the master collection of Cisco ASA config example links, kindly refer to the following URL:


And seek more examples in the section for Authentication, Authorization and Accounting (AAA):


Please keep in touch for any further query in this regard. Please rate if you find the above mentioned information of any use to you.


HTH


Sachin Garg


Message was edited by: sachinga.hcl
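The four-step setup above, checked the way a practitioner would check it on a real box: the script below is an added example, not code from the original thread or from Cisco. Given the text of an ASA running-config, it parses the `aaa authorization command`, `privilege ... command`, `username` and `enable password` lines and reports, per local user, which explicitly assigned commands that user's privilege level reaches (a user at level N can run commands assigned at level N or lower; commands with no `privilege` line stay at the ASA default of 15). It also flags the two things that silently break such a setup: no `aaa authorization command` line at all (levels are then not enforced, the point made twice in the post), and a level with users and commands but no `enable password ... level N` for `enable N` (step 4). The sample config, the usernames `vpnops`, `admin` and `helpdesk`, and the passwords are all constructed for the example.

```python
"""Audit an ASA running-config for local command authorization.

Added example, not code from the original thread or from Cisco. Reads the
aaa/privilege/username/enable lines of a running-config and reports, per
local user, which assigned commands that user's privilege level allows,
plus the two omissions that break such a setup: a missing
'aaa authorization command' line and a used level with no 'enable password'.
"""
import re

# Constructed sample running-config: the four-step setup from the post, a
# level-15 admin, a user left at the default level, and a few of the default
# level-15 assignments that "show running-config all privilege all" lists.
SAMPLE_CONFIG = """\
hostname ciscoasa5520
enable password enablePass level 5
aaa authorization command LOCAL
privilege show level 5 command crypto
privilege clear level 5 command crypto
privilege show level 15 command aaa
privilege clear level 15 command aaa
privilege configure level 15 command aaa
privilege show level 15 command access-list
privilege clear level 15 command access-list
privilege configure level 15 command access-list
username vpnops password userPass privilege 5
username admin password HC!@%$#@! privilege 15
username helpdesk password helpPass
"""

DEFAULT_USER_LEVEL = 2     # "username" without "privilege" lands here (per the post)
ENABLE_DEFAULT_LEVEL = 15  # "enable password" without "level" is the level-15 password

AAA_RE = re.compile(r"^aaa\s+authorization\s+command\s+\S+")
PRIV_RE = re.compile(
    r"^privilege\s+(show|clear|cmd|configure)\s+level\s+(\d+)"
    r"(?:\s+mode\s+\S+)?\s+command\s+(\S+)$")
USER_RE = re.compile(
    r"^username\s+(\S+)\s+(?:nopassword|password\s+\S+(?:\s+(?:mschap|encrypted|nt-encrypted))?)"
    r"(?:\s+privilege\s+(\d+))?$")
ENABLE_RE = re.compile(r"^enable\s+password\s+\S+(?:\s+level\s+(\d+))?(?:\s+encrypted)?$")


def parse_config(text):
    """Collect the authorization-relevant facts from a running-config."""
    facts = {"command_authz": False, "assignments": {}, "users": {}, "enable_levels": set()}
    for raw in text.splitlines():
        line = raw.strip()
        if AAA_RE.match(line):
            facts["command_authz"] = True
            continue
        m = PRIV_RE.match(line)
        if m:  # (action, command) -> level
            facts["assignments"][(m.group(1), m.group(3))] = int(m.group(2))
            continue
        m = USER_RE.match(line)
        if m:  # user -> privilege level (default 2 when omitted)
            facts["users"][m.group(1)] = int(m.group(2)) if m.group(2) else DEFAULT_USER_LEVEL
            continue
        m = ENABLE_RE.match(line)
        if m:  # levels that have an enable password
            facts["enable_levels"].add(int(m.group(1)) if m.group(1) else ENABLE_DEFAULT_LEVEL)
    return facts


def allowed_commands(facts, level):
    """Assigned commands a user at `level` may run (assigned level <= theirs).

    Commands with no 'privilege' line default to level 15 on the ASA, so they
    are reachable only from level 15 and are not listed here."""
    return sorted(f"{action} {cmd}"
                  for (action, cmd), lvl in facts["assignments"].items() if lvl <= level)


def audit(text):
    """Return {'warnings': [...], 'users': {name: {'level': n, 'commands': [...]}}}."""
    facts = parse_config(text)
    report = {"warnings": [], "users": {}}
    if not facts["command_authz"]:
        report["warnings"].append(
            "no 'aaa authorization command' line: privilege levels and "
            "'privilege ... command' assignments are not enforced")
    for name, level in sorted(facts["users"].items()):
        cmds = allowed_commands(facts, level)
        report["users"][name] = {"level": level, "commands": cmds}
        if level >= 15:
            continue
        if not cmds:
            report["warnings"].append(
                f"user {name} is level {level} but no command is assigned at or below that level")
        elif level not in facts["enable_levels"]:
            report["warnings"].append(
                f"user {name} is level {level} but there is no 'enable password ... level {level}' "
                f"for 'enable {level}' (step 4 of the post)")
    return report


if __name__ == "__main__":
    result = audit(SAMPLE_CONFIG)
    for name, info in result["users"].items():
        print(f"{name} (level {info['level']}): {', '.join(info['commands']) or '(nothing assigned)'}")
    for w in result["warnings"]:
        print("WARNING:", w)
```

Feed it the output of `show running-config all privilege all` concatenated with `show run all username` and the `enable`/`aaa` lines, and the report shows exactly which users get which `show`/`clear`/`configure` commands; on the sample, `vpnops` gets `clear crypto` and `show crypto`, `helpdesk` at the default level 2 gets nothing assigned, and dropping the `aaa authorization command LOCAL` line produces the "not enforced" warning.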

Scott Cannon Thu, 09/09/2010 - 16:11

Hi Sachin,


Appreciate your effort in this post, most informative; however, it doesn't address my question, i.e. does the ASA support views/roles, as IOS does?


Thanks

Rgds

Scott

Correct Answer
golly_wog Thu, 09/09/2010 - 14:24

Hi Scott


No is the simple answer to your Q, the ASA does NOT support views.


Although if you want to restrict access to the device then you can use AAA, see the post above for details.


cheers

Scott Cannon Thu, 09/09/2010 - 16:12

Thanks Golly, not the answer I wanted to hear but appreciated all the same.


Rgds

Scott
