Cisco Support Community
cancel
Showing results for 
Search instead for 
Did you mean: 
Announcements
Users might experience few discrepancies in Search results. We are working on this on our side. We apologize for the inconvenience it may have caused.
New Member

AAA - ASA, ASDM and Command Sets Authorization

Hi,

I want to be able to control the configuration the users change from both ASDM and ssh session with the ASA in multi context mode.

I am able to get what I want without the use of the ACS (currently using version 4.2 on Windows)

I am doing, what I think, is the right configuration but if anyone has any pointers also if anyone has done this previously any assistance would be appreciated.

I have created the PIX Command Set on the ACS and looks good but does not work, or it works to well and I am unable to change or even show anything within the context as I get Authorisation error.

Thanks.


Regards,

Andrew

5 REPLIES

Re: AAA - ASA, ASDM and Command Sets Authorization

Andrew,

To configure command authorization on the ASA in such a way so that specific users have read only access to ASA/ASDM. following needs to be configured, ACS configuration:  Go to shared profile component > shell command authorization > Edit/add the authorization set and make sure

we have these command and respective argument available there. Command               Argument copy                  Permit all unmatched arguments dir                     Permit disk0:/dap.xml enable               Permit Perfmon           Permit interval 10 show                 Permit all unmatched arguments write                  Permit net In addition, these commands are required on ASA/PIX/FWSM in order to implement command authorization through an ACS server: aaa-server authserver protocol tacacs+ aaa-server authserver host x.x.x.x aaa authorization command authserver

Regards,

~JG

Do rate helpful posts


New Member

Re: AAA - ASA, ASDM and Command Sets Authorization

Hi JG,

Thanks for the reply.

I have been able to get that functionality working ok but what I actually need is a cut down priv 15 set of commands as I want the users to be able to configure from both ASDM and ssh access but only certain commands.

It seems that when I go any further on this I lock myself out of the context and have to start over again.

Any assistance with this would be appreciated.

Thanks.

Andrew

Re: AAA - ASA, ASDM and Command Sets Authorization

Andrew,

No need to make any change in the pril lvl. Give all user a priv lvl of 15 and then control access via command authorization feature. Command authorization works over priv lvl so even if user priv is 15, it does not mean that user will be able to execute all commands.

User can only execute commands that are listed in the command set.

Regards,

~JG

Do rate helpful posts

New Member

Re: AAA - ASA, ASDM and Command Sets Authorization

Hi JG,

I understand this but am still getting the following error even though the command is allowed;

command unknown: service=shell cmd=show version

This is seen on the ACS server when trying to bring up ASDM for the said context.

Not sure why as the command is allowed and I have even allowed all commads, by bypassing the PIX/ASA Command Authorisation Sets. 

Any ideas?

Will be trying a few other configurations and see what happens.

Thanks.


Andrew

New Member

Hey Guys,  I had the same

Hey Guys, 

 

I had the same thing happen when moving to a new ACS Server.  I  had also just switched from ACS authentication to AD Domain authentication.  

I had to define the max Priv level for each group under enable options.

 

Group setup>enable options>Define max Privilege on a per network device group basis> add each device group with priv set to 15.  

1257
Views
0
Helpful
5
Replies
CreatePlease to create content