ASDM AAA privileges

snowmizer
Level 1

I am trying to set up AAA for management on my ASA. I have the admin users up and working fine. Now I need to set up access so that my help desk users have the ability to monitor VPN sessions and log them out via the ASDM. I don't want them to be able to get the configuration tab at all and I don't want these users to have access to the CLI at all.

I created the local user I wanted and set the privilege level to 3 (selected "YES" to the "create predefined admin, read-only, monitor-only" prompt). I then logged in as this user and the configuration tab was gone like I wanted. I then clicked on "Monitor" and "VPN". I could see the sessions but the "logout" button was not available. I expected this so I modified the privilege levels for the vpn-sessiondb commands to a privilege level of 3. I tried logging in again but the logout button was still not available.

Can anyone tell me if this is possible?

Thanks.

2 Replies

Waris Hussain
Cisco Employee

Hi,

Not sure what ASDM version you are using, but you might be running into bug CSCsz83205.

Symptom:

Users with privilege level below 15 unable to logoff VPN sessions from ASDM.

Conditions:

ASA is not configured for 'command authorization'.

Workaround:

Use Command Line Interface to logoff VPN sessions.

I have ASDM 6.3 and I am able to see logout with priv level 3

Thanks

Waris Hussain.

Did you have to configure any special command privileges? I'm running ASDM v6.3(1). Unfortunately I can't see the bug track document right now. I'll check later to read it.
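
As an added example (not part of the thread and not Cisco's code), here is a small Python check over a saved running-config that tests the two conditions raised above: the user's privilege level against the level assigned to `vpn-sessiondb`, and whether command authorization is configured. The sample config, the user name `helpdesk` and the function name `audit_vpn_logoff` are constructed for illustration.

```python
import re

# Constructed sample running-config fragment (not taken from the thread).
SAMPLE_CONFIG = """\
username admin password <redacted> encrypted privilege 15
username helpdesk password <redacted> encrypted privilege 3
username helpdesk attributes
aaa authentication http console LOCAL
privilege cmd level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command vpn-sessiondb
"""

DEFAULT_CMD_LEVEL = 15   # ASA default for commands with no privilege line
DEFAULT_USER_LEVEL = 2   # ASA default for a local user with no explicit level

def audit_vpn_logoff(config, user):
    """Check the conditions discussed in the thread for one local user."""
    user_level, cmd_level, cmd_authz = None, DEFAULT_CMD_LEVEL, False
    for raw in config.splitlines():
        line = raw.strip()
        # Only the credential line carries the level; skip "username X attributes".
        m = re.match(r"username (\S+) (?:password|nopassword)\b(.*)", line)
        if m and m.group(1) == user:
            lvl = re.search(r"\bprivilege (\d+)\b", m.group(2))
            user_level = int(lvl.group(1)) if lvl else DEFAULT_USER_LEVEL
        # "cmd" covers the logoff action; "show" lines only affect viewing.
        m = re.match(r"privilege cmd level (\d+) mode exec command vpn-sessiondb\b", line)
        if m:
            cmd_level = int(m.group(1))
        if re.match(r"aaa authorization command \S+", line):
            cmd_authz = True
    findings = []
    if user_level is None:
        findings.append("user not found in local database")
    elif user_level < cmd_level:
        findings.append(f"user level {user_level} is below vpn-sessiondb level {cmd_level}")
    if not cmd_authz:
        findings.append("command authorization not configured (condition listed for CSCsz83205)")
    return {"user_level": user_level, "cmd_level": cmd_level,
            "command_authorization": cmd_authz, "findings": findings}

if __name__ == "__main__":
    for name, value in audit_vpn_logoff(SAMPLE_CONFIG, "helpdesk").items():
        print(f"{name}: {value}")
```
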