Cisco Support Community
Showing results for 
Search instead for 
Did you mean: 

You may experience some slow load times, errors, and slight inconsistencies. We ask for your patience as we finalize the launch. Thank you.

Welcome to Cisco Support Community. We would love to have your feedback.

For an introduction to the new site, click here. If you'd prefer to explore, try our beta test area to get started.

New Member

ASDM Read-Only access configuration in ACS 4.2


Is that possible to configure read-only access of ASA firewall in ACS 4.2; that too particularly for ASDM?

Read-only is working fine for SSH protocol. But the customer requests for read-only access through ASDM.

Plz suggest a solution with detailed steps.

Many thanks!!


  • AAA Identity and NAC
New Member

Re: ASDM Read-Only access configuration in ACS 4.2

New Member

Re: ASDM Read-Only access configuration in ACS 4.2

Hi BR,

Our configuration is exactly similar like explained in the provided link. It works fine for SSH protocol (managing ASA firewall) but doesnt works with ASDM.

It keeps on asking the username & password.


New Member

Re: ASDM Read-Only access configuration in ACS 4.2


The ASDM cannot access the ASA using the required commands, so I think, the Cisco ACS command authorization rules are misconfigured.

Please check that, the Cisco ACS permits the following commands:

show version

show curpriv

perfmon interval 10

show asdm sessions

show firewall

show mode

show running-config aaa authorization

show running-config

show running-config

show running-config route

show running-config interface

show resource rule

show blocks

show curpriv

show vlan

show running-config aaa authorization

show curpriv

show access-list brief

show access-list

Check that, the ASA AAA configuration contains "aaa authorization command [aaa server name] LOCAL" config.

You don't need to allow enable and shell exec privilege for this restricted ACS group.

Hope this helps!


Cisco Employee

Re: ASDM Read-Only access configuration in ACS 4.2

Hi Jags,

I did recreate the same scenario few weeks back in my lab and this is what I found.

Following are minimum commands that need to be permitted for a read only

account for ASA 8.0(4) and ASDM 6.1.x

On the ASA


aaa authorization command TACACS+ LOCAL

aaa accounting command TACACS+ (optional)

On the ACS


Go to shared profile component >> shell command authorization set > add new > for read only access.

Check the radio button to deny all.

Command ---- Argument

copy ---- Permit all unmatched arguments

dir ---- Permit disk0:/dap.xml

enable ---- Permit

Perfmon ---- Permit interval 10

show ---- Permit all unmatched arguments

write ---- Permit net

Now go to the group


Jump to tacacs+ settings

Shell(exec)......priv level 15

enable access.....priv level 15

and apply the shell set.

ACS Shell Command Authorization Sets on IOS and ASA/PIX/FWSM Configuration Example





~BR Jatin Katyal **Do rate helpful posts**