Cisco Support Community
New Member

How to authorize users to administer the Cisco ASA using Cisco ACS

Hi,

I have 2 different types of admins. 1> Read/Only; 2> Read/Write. I would want to restrict the Read/Only admins from being given the 'Enable' privilege access.

I also understand that being in a User privileged mode would not give that many options to check things on the ASA. Hence, I would like to give access to all the 'Show' commands (that are in all modes) for these Read/Only users from their User exec mode.

Is this possible? Please advise.

Question 2: Is it possible to change the Default Privilege level (Level 1) of the User Exec mode?

Regards,

Shridhar

3 REPLIES
Cisco Employee

Re: How to authorize users to administer the Cisco ASA using Cis

You can do that.

You can move commands around to certain privilege levels.

To enforce the monitor, read-only, admin privileges with commands, you can use ASDM and go under AAA authentication > Set Default User privilege levels button.

I hope it helps.

PK

New Member

Re: How to authorize users to administer the Cisco ASA using Cis

Hi PK,

Thanks for the response. I am setting up users in the ACS with either privilege level as 1 (No Enable privilege) or privilege 15 (Full Access). And, I want to make the below commands available for the users with No Enable privilege -

show access-list
show activation-key
show arp
show clock
show configuration
show conn
show counters
show cpu
show crashinfo
show curpriv
show debug
show disk0:
show h323
show interface
show logging
show module
show monitor-interface
show nameif
show names
show nat
show ntp
show perfmon
show processes
show route
show running-config
show service-policy
show sip
show skinny
show snmp-server
show startup-config
show tcpstat
show threat-detection
show traffic
show version
show xlate

Is this possible?

Regards,

Shridhar

Cisco Employee

Re: How to authorize users to administer the Cisco ASA using Cis

Yes that can be done.

Though you would need enable password authentication to be able to do it.

Here is a guide that will help you:

http://www.cisco.mn/en/US/docs/security/asa/asa70/configuration/guide/mgaccess.html#wp1042041

I hope it helps,

PK
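
An added example, not part of the thread or of Cisco's documentation: a Python check over ASA `privilege` lines confirming that a read-only level exposes the wanted `show` commands, that no `clear` or `cmd` form sits at or below that level, and that local command authorization is turned on. Level 5 as the read-only level, the function name and the sample configuration are assumptions constructed for illustration.

```python
import re

READ_ONLY_LEVEL = 5  # assumption: level chosen for read-only admins (not from the thread)

# privilege {show|clear|cmd} level <n> [mode <mode>] command <command>
PRIV_RE = re.compile(
    r"^privilege\s+(show|clear|cmd)\s+level\s+(\d+)"
    r"(?:\s+mode\s+\S+)?\s+command\s+(\S+)\s*$"
)

def audit(config_text, wanted_show, ro_level=READ_ONLY_LEVEL):
    """Return findings for a read-only privilege-level design (empty list = clean)."""
    show_levels = {}  # command -> lowest level at which its show form is permitted
    findings = []
    authz_enabled = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if line == "aaa authorization command LOCAL":
            authz_enabled = True
            continue
        m = PRIV_RE.match(line)
        if not m:
            continue
        form, level, command = m.group(1), int(m.group(2)), m.group(3)
        if form == "show":
            show_levels[command] = min(level, show_levels.get(command, 15))
        elif level <= ro_level:
            # clear/cmd forms change state, so they do not belong at the read-only level
            findings.append(f"not read-only: '{form}' form of '{command}' at level {level}")
    for command in wanted_show:
        level = show_levels.get(command)
        if level is None or level > ro_level:
            findings.append(f"missing: 'show {command}' not available at level {ro_level}")
    if not authz_enabled:
        # privilege lines are only enforced once local command authorization is enabled
        findings.append("not enforced: 'aaa authorization command LOCAL' is absent")
    return findings

# Constructed sample configuration, for illustration only.
SAMPLE_CONFIG = """\
privilege show level 5 mode exec command running-config
privilege show level 5 command access-list
privilege show level 5 command conn
privilege clear level 5 command conn
privilege show level 7 command xlate
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_CONFIG, ["running-config", "access-list", "conn", "xlate", "route"])))
```

Commands with no `privilege` line in the input are reported as missing, so feed it output that lists every level you rely on.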
