AAA for ASA ASDM Monitoring

JAMES HAYNES
Level 1

I want to setup a couple of users in TACACS using ACS 5.1 to only be able to login to the ASDM and monitor the device.

The documentation is a bit confusing from the ASA ASDM as it says:

1.TACACS+ users—Authorization is requested with the "service=shell" and the server responds with PASS or FAIL.

•PASS, privilege level 1—Allows full access to any services specified by the Authentication tab options.

•PASS, privilege level 2 and higher—Allows access to the CLI when you configure the Telnet or SSH authentication options, but denies ASDM configuration access if you configure the HTTP option. ASDM monitoring access is allowed. If you configure enable authentication with the Enable option, the user cannot access privileged EXEC mode using the enable command.

•FAIL—Denies management access. The user cannot use any services specified by the Authentication tab options (excluding the Serial option; serial access is allowed).

So in order to give them access to ASDM monitoring I need to give them a privilege level of 2 or higher, which allows them to view but not configure.

However, a privilege level of 1 allows full access? Isn't this the opposite of the way privilege levels work?

Isn't privilege 1 the lowest and 15 the highest?

Thanks,

Jim

4 Replies

Panos Kampanakis
Cisco Employee

Indeed level 1 is less than 15, and it should not be given access to ASDM.

There was an ASDM bug where it was not enforcing the levels and allowed even level 1 users to Monitor the device. So it could be that defect.

What ASDM version are you using?

PK

Hi PK,

The ASDM version is 6.1.5.

There may have been a bug, but why would the documentation as I posted show privilege 1 as having full control?

Would you know what privilege level I need to assign in TACACS+ for the user to only have monitor privileges?

Thanks,

Jim

The guide is a little confusing.

If ASDM pushes the command authorization priv levels then 1 will not be allowed either.

We might need to fix the guide. Can you give the link for this doc?

PK

Sure, when I am in ASDM and go to Device Management > Users/AAA > AAA Access and then click Help, it opens a webpage where there is a section on limiting User CLI and ASDM Access with Management Authorization.
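The ASA-side configuration that turns on the management authorization the guide section refers to, so that the priv-lvl returned by the TACACS+ server is actually enforced for HTTP/ASDM, SSH and enable access. This is an added example, not configuration from the thread; the server group name, address and key are placeholders.

```text
! Define the TACACS+ server group (name, interface, address and key are placeholders)
aaa-server TACACS-GRP protocol tacacs+
aaa-server TACACS-GRP (inside) host 192.0.2.10
 key <tacacs-shared-secret>

! Authenticate management sessions against TACACS+, falling back to LOCAL if the server is unreachable
aaa authentication http console TACACS-GRP LOCAL
aaa authentication ssh console TACACS-GRP LOCAL
aaa authentication enable console TACACS-GRP LOCAL

! Management authorization: check the privilege level returned by the
! authentication server (the "service=shell" authorization described in the guide).
! Without this line the ASA does not apply the server's priv-lvl to management access,
! which is one reason a level 1 user can appear to get full ASDM access.
aaa authorization exec authentication-server
```

On the ACS 5.1 side the matching shell profile would return priv-lvl 2 for the monitor-only users and 15 for administrators; with the configuration above, a level 2 user gets ASDM monitoring but not configuration, as the guide describes for "PASS, privilege level 2 and higher".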
