ASDM Read-Only access configuration in ACS 4.2

jagadeeshan.s
Level 1

Hi,

Is it possible to configure read-only access to an ASA firewall in ACS 4.2, particularly for ASDM?

Read-only is working fine for the SSH protocol. But the customer requests read-only access through ASDM.

Please suggest a solution with detailed steps.

Many thanks!!

-Jags.

4 Replies

Bela Mareczky
Level 1

Hi BR,

Our configuration is exactly like the one explained in the provided link. It works fine for the SSH protocol (managing the ASA firewall) but doesn't work with ASDM.

It keeps on asking the username & password.

-Jags.

Hi!

The ASDM cannot access the ASA using the required commands, so I think the Cisco ACS command authorization rules are misconfigured.

Please check that the Cisco ACS permits the following commands:

show version
show curpriv
perfmon interval 10
show asdm sessions
show firewall
show mode
show running-config aaa authorization
show running-config
show running-config
show running-config route
show running-config interface
show resource rule
show blocks
show curpriv
show vlan
show running-config aaa authorization
show curpriv
show access-list brief
show access-list

Check that the ASA AAA configuration contains "aaa authorization command [aaa server name] LOCAL".

You don't need to allow enable and shell exec privilege for this restricted ACS group.

Hope this helps!

Belabacsi

Hi Jags,

I recreated the same scenario a few weeks back in my lab and this is what I found.

The following are the minimum commands that need to be permitted for a read-only account for ASA 8.0(4) and ASDM 6.1.x.

On the ASA
==========

aaa authorization command TACACS+ LOCAL
aaa accounting command TACACS+ (optional)

On the ACS

==========

Go to Shared Profile Components >> Shell Command Authorization Sets > Add New, for read-only access.

Check the radio button to deny all.

Command    Argument
copy       Permit all unmatched arguments
dir        Permit disk0:/dap.xml
enable     Permit
perfmon    Permit interval 10
show       Permit all unmatched arguments
write      Permit net

Now go to the group
===================

Jump to TACACS+ settings:

Shell (exec) ...... priv level 15
Enable access ..... priv level 15

and apply the shell set.

ACS Shell Command Authorization Sets on IOS and ASA/PIX/FWSM Configuration Example

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml

HTH

Regards,

JK

~Jatin
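The following is an added example, not code from the thread or from Cisco: it models Jatin's read-only shell command authorization set as data and replays Bela's list of commands that ASDM issues on login through it, so an administrator can check offline which commands such a set would deny before pushing it to ACS. The matching semantics (command keyword lookup, then regular-expression match of the full argument string, then the per-command "unmatched arguments" default) are an assumption about how ACS evaluates a set, not taken from the page.

```python
import re

# Jatin's read-only set, reconstructed as data. "unmatched_commands": "deny"
# is the "deny all" radio button; each command's "unmatched_args" is its own
# permit/deny default for arguments not matched by an explicit rule.
READ_ONLY_SET = {
    "unmatched_commands": "deny",
    "commands": {
        "copy":    {"args": [], "unmatched_args": "permit"},  # NB: permits any copy
        "dir":     {"args": [("permit", r"disk0:/dap\.xml")], "unmatched_args": "deny"},
        "enable":  {"args": [], "unmatched_args": "deny"},
        "perfmon": {"args": [("permit", r"interval 10")], "unmatched_args": "deny"},
        "show":    {"args": [], "unmatched_args": "permit"},
        "write":   {"args": [("permit", r"net")], "unmatched_args": "deny"},
    },
}

# Bela's list of commands ASDM sends after login (duplicates dropped).
ASDM_LOGIN_COMMANDS = [
    "show version", "show curpriv", "perfmon interval 10", "show asdm sessions",
    "show firewall", "show mode", "show running-config aaa authorization",
    "show running-config", "show running-config route",
    "show running-config interface", "show resource rule", "show blocks",
    "show vlan", "show access-list brief", "show access-list",
]


def authorize(command_line, cmd_set=READ_ONLY_SET):
    """Return True if the set would permit this command line (assumed semantics)."""
    parts = command_line.strip().split(None, 1)
    if not parts:
        return False
    cmd = parts[0].lower()
    args = parts[1].strip() if len(parts) > 1 else ""
    rule = cmd_set["commands"].get(cmd)
    if rule is None:                      # command not listed in the set
        return cmd_set["unmatched_commands"] == "permit"
    if args == "":                        # bare listed command, e.g. "enable"
        return True
    for action, pattern in rule["args"]:  # explicit argument rules, first match wins
        if re.fullmatch(pattern, args):
            return action == "permit"
    return rule["unmatched_args"] == "permit"


def denied_commands(commands, cmd_set=READ_ONLY_SET):
    """Commands from the list that the set would reject; empty means ASDM can log in."""
    return [c for c in commands if not authorize(c, cmd_set)]
```

Note that with "copy" set to permit all unmatched arguments, the set still allows any copy command, so review whether that line is really needed for a read-only role.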