Implement strategy for ASA on TACACS w/ restricted read-only access

axa-wongjeff · ‎08-06-2010

An ASA5550 will need to be configured to use TACACS AAA. Currently, the ASA is setup for local authentication. A couple of privilege 15 admin users and a few more privilege 5 read-only users.

ASA 5550

running ASA 8.2(2)

using ASDM 6.3(5)

authenticating to ACS 4.2

The admin users and read-only users already have established TACACS usernames and are in established TACACS user groups for logging into routers/switches.

What's the best way to implement configuration of the ASA and ACS server to maintain the same type of restrictions that's applied using the local database?

1. Try and avoid the creation of a second TACACS username for the admin and read-only users.

2. ACS allows restrictions on what devices can be access by users/groups. Possible to do reverse? Restrict what usernames can access a device in the ACS database.

Jatin Katyal · ‎08-07-2010

If you want to configure ASA for read-only access via tacacs then you have to do the following task

ASA/PIX/FWSM Configuration

In addition to your preset configuration, these commands are required on ASA/PIX/FWSM in order to implement command authorization through an ACS server:

    aaa-server authserver protocol tacacs+
    aaa-server authserver host 10.1.1.1
    aaa authorization command authserver

On the ACS, you need to create command authorization set for only SHOW commands:

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#scenario2

Associate command authorization set with user or group

http://www.cisco.com/en/US/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml#asso2

Regards,

Jatin

Do rate helpful posts-

~Jatin

axa-wongjeff · ‎08-09-2010

I created a NDG (network device group) for my ASAs.

Is there a way within ACS where I can configure a NDG to be read-write access for certain specific user IDs while read-only for all other users?