A) Authentication has to be nominative with password enforcement policy
--> I'm using CS ACS v5.1 appliance with local user database on it
B) Every "network" user can be granted priviledge level 15
--> max user priviledged level is set to 15 in my authentication mechanism on ACS
C) A "network" user can log onto the network equipments (RTR, SW and FW) but having monitor access only first.
D) A "network" user can be granted priviledged level 15 after a second authentication which generates a log message
--> SNMP trap sent to supervision server
E) The user password and enable password have to be personal.
So, I need only 2 priviledged level:
- monitor (any level from 1 to 14. I set 7)
- admin (level 15)
For RTR, SW and FW (on CLI), it works as wanted: the "network" users connect to the equipment in monitor mode. They type "enable" and they use their private enable password to be granted priviledged level 15.
ASDM interface is requested by the customer.
For ASDM, as I were not able to satisfy the security policy, I apply this:
1- I activated Exec Shell Access authorization to get the default user priviledge level value from ACS
--> Then, when I log onto the ASDM using a "network" user, I have priviledge level 7 but I am able to change the parameter.
2- I activated LOCAL Command authorization (adding "ASDM defined User Roles")
--> Then, when I log onto the ASDM using a "network" user, I have priviledge level 7 and I can't push any modification.
--> The issue is that I can't push any modification on CLI either ... :-( because my user is stuck on "default priviledge level" 7 and can't get access to "max priviledge level 15" as defined on ACS when LOCAL authorization is set
(ok I go on my ACS and move the default priviledge level to 15 to restore an admin access to the ASA and apply 3- before resetting it to default priviledge level to 7)
3- I remove "aaa authorization enable console TACACS" to use local enable password
--> now I can't get admin access on ASDM: OK
--> and I can get admin access on CLI entering the local enable password
At the end, I satisfy my policy security tokens A to D but not E. That's a good compromise but do you see a solution to satisfy E either ?
DocumentationCode download linksGoalRequirementLimitationsSupported ISR
and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationConfigure one of the connectivity
options to access the Cisco IMC from the n...
Firepower Threat Defense (NGFWv) on UCS E-series - Transparent Mode in
HA DocumentationCode download linksGoalRequirementLimitationsSupported
ISR and UCS-E ModelSupported ISRG2 and UCS-E Blades:Supported ISR4K and
UCS-E Blades:Step by Step ConfigurationCo...
Question I am currently unable to specify "crypto keyring" command when
configuring VPN connection on my cisco 2901 router. The following
licenses have been activated on my router :