
How to authorize users to administer the Cisco ASA using Cisco ACS

shridhar_mk
Level 1

Hi,

I have 2 different types of admins: 1> Read/Only; 2> Read/Write. I would want to restrict the Read/Only Admins from being given the 'Enable' privilege access.

I also understand that being in a User privileged mode would not give that many options to check things on the ASA. Hence, I would like to give access to all the 'Show' commands (that are in all modes) for these Read/Only users from their User exec mode.

Is this possible? Please advise.

Question 2: Is it possible to change the Default Privilege level (Level 1) of the User Exec mode?

Regards,

Shridhar

3 Replies

Panos Kampanakis
Cisco Employee

You can do that.

You can move commands around to certain privilege levels.

To enforce the monitor, read-only, admin privileges with commands you can use ASDM and go under AAA authentication > Set Default User privilege levels button.

I hope it helps.

PK

Hi PK,

Thanks for the response. I am setting up users in the ACS with either privilege level as 1 (No Enable privilege) or privilege 15 (Full Access). And, I want to make the below commands available for the users with No Enable privilege:

show access-list
show activation-key
show arp
show clock
show configuration
show conn
show counters
show cpu
show crashinfo
show curpriv
show debug
show disk0:
show h323
show interface
show logging
show module
show monitor-interface
show nameif
show names
show nat
show ntp
show perfmon
show processes
show route
show running-config
show service-policy
show sip
show skinny
show snmp-server
show startup-config
show tcpstat
show threat-detection
show traffic
show version
show xlate

Is this possible?

Regards,

Shridhar

Yes that can be done.

Though you would need enable password authentication to be able to do it.

Here is a guide that will help you:

http://www.cisco.mn/en/US/docs/security/asa/asa70/configuration/guide/mgaccess.html#wp1042041

I hope it helps,

PK
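
The approach described in the replies above (moving commands to a lower privilege level and requiring enable authentication), sketched as ASA configuration. This is an added example, not part of the original thread or of the linked guide; it assumes the LOCAL user database instead of ACS, and the level 5, the usernames and the password placeholders are hypothetical.

```cisco
! Added example. Level 5, usernames and passwords are assumptions (placeholders).
! Create the full-access account first, so that turning on command
! authorization cannot lock every administrator out.
username rwadmin password <RW_PASSWORD> privilege 15
username roadmin password <RO_PASSWORD> privilege 5

! Authenticate "enable" against the user database, so a read-only user
! who enters "enable" gets that user's own level (5) rather than level 15.
aaa authentication enable console LOCAL

! Lower the "show" form of selected commands to level 5.
! These are a few entries from the list in the thread; repeat for the rest.
privilege show level 5 command access-list
privilege show level 5 command arp
privilege show level 5 command clock
privilege show level 5 command cpu
privilege show level 5 command interface
privilege show level 5 command route
privilege show level 5 command running-config

! Enforce the privilege levels. Until this line is present, the
! "privilege" lines above have no effect on what a user may run.
aaa authorization command LOCAL
```

After logging in as the read-only user and entering `enable`, `show curpriv` (from the list in the thread) reports the level the session actually received, which is the quickest check that the read-only account did not end up at level 15.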