
AAA - ASA, ASDM and Command Sets Authorization

Hi,

I want to be able to control the configuration the users change from both ASDM and ssh session with the ASA in multi context mode.

I am able to get what I want without the use of the ACS (currently using version 4.2 on Windows)

I am doing what I think is the right configuration, but if anyone has any pointers, or if anyone has done this previously, any assistance would be appreciated.

I have created the PIX Command Set on the ACS and it looks good but does not work, or it works too well and I am unable to change or even show anything within the context, as I get an Authorisation error.

Thanks.


Regards,

Andrew

5 Replies

Jagdeep Gambhir
Level 10

Andrew,

To configure command authorization on the ASA so that specific users have read-only access to the ASA/ASDM, the following needs to be configured.

ACS configuration: go to Shared Profile Components > Shell Command Authorization Sets > edit/add the authorization set and make sure we have these commands and their respective arguments available there:

Command    Argument
copy       Permit all unmatched arguments
dir        Permit disk0:/dap.xml
enable     Permit
perfmon    Permit interval 10
show       Permit all unmatched arguments
write      Permit net

In addition, these commands are required on the ASA/PIX/FWSM in order to implement command authorization through an ACS server:

aaa-server authserver protocol tacacs+
aaa-server authserver host x.x.x.x
aaa authorization command authserver

Regards,

~JG

Do rate helpful posts
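As an added example (not part of the original thread or of JG's reply), here is one way to lay out the ASA side of that configuration so that a wrong command set on the ACS does not lock you out of the context while you are still tuning it. The server tag, address, shared key, interface name and the break-glass username are placeholders assumed for the example; the ACS-side authorization set is the one listed in the reply above.

```text
! Added example, not from the original thread. "ACS", 192.0.2.10,
! "inside", the shared key and "break-glass" are placeholders.
!
! In multiple-context mode these lines go inside the context being
! managed (changeto context <name>), using one of that context's
! interfaces to reach the TACACS+ server.
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.0.2.10
 key TACACS-SHARED-SECRET
!
! Local privilege-15 account. LOCAL is consulted only when the
! TACACS+ server cannot be reached, not when it answers "deny".
username break-glass password <strong-password> privilege 15
!
! Authenticate SSH, ASDM (http) and enable against ACS, LOCAL as fallback.
aaa authentication ssh console ACS LOCAL
aaa authentication http console ACS LOCAL
aaa authentication enable console ACS LOCAL
!
! Command authorization against ACS with LOCAL fallback. Enter this line
! LAST, from a second SSH session, after confirming in the first session
! that the test user can run "show version" and the other commands ASDM
! needs (show, write net, copy, dir, enable, perfmon) through ACS.
aaa authorization command ACS LOCAL
!
! Command accounting shows on the ACS which command string the ASA
! actually sent, which is what you need when a command is unexpectedly denied.
aaa accounting command ACS
```

Keep the first session open until the second session has proven that the ACS still permits what you expect; if ACS is reachable and denies a command, the LOCAL keyword does not help, and the open session is the only way back to remove the authorization line.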


Hi JG,

Thanks for the reply.

I have been able to get that functionality working ok but what I actually need is a cut down priv 15 set of commands as I want the users to be able to configure from both ASDM and ssh access but only certain commands.

It seems that when I go any further on this I lock myself out of the context and have to start over again.

Any assistance with this would be appreciated.

Thanks.

Andrew

Andrew,

No need to make any change in the priv lvl. Give all users a priv lvl of 15 and then control access via the command authorization feature. Command authorization works over the priv lvl, so even if a user's priv is 15, it does not mean that the user will be able to execute all commands.

User can only execute commands that are listed in the command set.

Regards,

~JG

Do rate helpful posts

Hi JG,

I understand this but am still getting the following error even though the command is allowed:

command unknown: service=shell cmd=show version

This is seen on the ACS server when trying to bring up ASDM for the said context.

Not sure why, as the command is allowed and I have even allowed all commands by bypassing the PIX/ASA Command Authorisation Sets.

Any ideas?

Will be trying a few other configurations and see what happens.

Thanks.


Andrew

Hey Guys, 

 

I had the same thing happen when moving to a new ACS server. I had also just switched from ACS authentication to AD domain authentication.

I had to define the max Priv level for each group under enable options.

 

Group Setup > Enable Options > Define max Privilege on a per network device group basis > add each device group with priv set to 15.