Cisco Support Community
Community Member

Implement strategy for ASA on TACACS w/ restricted read-only access

An ASA5550 will need to be configured to use TACACS AAA. Currently, the ASA is set up for local authentication: a couple of privilege 15 admin users and a few more privilege 5 read-only users.

ASA 5550

running ASA 8.2(2)

using ASDM 6.3(5)

authenticating to ACS 4.2

The admin users and read-only users already have established TACACS usernames and are in established TACACS user groups for logging into routers/switches.

What's the best way to implement configuration of the ASA and ACS server to maintain the same type of restrictions that are applied using the local database?

1. Try to avoid the creation of a second TACACS username for the admin and read-only users.

2. ACS allows restrictions on what devices can be accessed by users/groups. Is it possible to do the reverse: restrict which usernames can access a device in the ACS database?

Cisco Employee

Re: Implement strategy for ASA on TACACS w/ restricted read-only

If you want to configure the ASA for read-only access via TACACS+, then you have to do the following tasks:

ASA/PIX/FWSM Configuration

In addition to your preset configuration, these commands are required on ASA/PIX/FWSM in order to implement command authorization through an ACS server:

    ! define a TACACS+ server group and the ACS host it contains
    aaa-server authserver protocol tacacs+
    aaa-server authserver host
    ! send each command to ACS for authorization before it is executed
    aaa authorization command authserver

On the ACS, you need to create a command authorization set that permits only SHOW commands:

Associate the command authorization set with the user or group.



Do rate helpful posts-

~Jatin Katyal
Community Member

Re: Implement strategy for ASA on TACACS w/ restricted read-only

I created an NDG (network device group) for my ASAs.

Is there a way within ACS where I can configure an NDG to be read-write access for certain specific user IDs while read-only for all other users?
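The following is an added, editor-written example (not configuration posted by anyone in this thread) of the complete ASA 8.2 side of the read-only scheme described in the answer above, plus the matching ACS 4.2 steps, including the per-NDG assignment that the follow-up question asks about. The server group name `ACS`, interface `inside`, address `192.0.2.10`, key and set name `ASA-ReadOnly` are placeholders.

```cisco
! Added example, not the thread's own configuration. Placeholders: server
! group name ACS, interface "inside", ACS address 192.0.2.10, shared key.
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.0.2.10
 key REPLACE-WITH-SHARED-SECRET
 timeout 5
!
! Authenticate every management path against ACS. The trailing LOCAL means
! the existing local priv-15 / priv-5 accounts are consulted only when no
! ACS host answers, not when ACS rejects a login, so an ACS outage does not
! lock you out and a wrong password does not fall through to a local user.
aaa authentication ssh console ACS LOCAL
aaa authentication http console ACS LOCAL
aaa authentication serial console ACS LOCAL
aaa authentication enable console ACS LOCAL
!
! Every CLI (and ASDM) command is sent to ACS before it runs; LOCAL falls
! back to the privilege levels already defined on the box if ACS is down.
aaa authorization command ACS LOCAL
! Put the user straight into the privilege level ACS returns (priv-lvl 15
! for admins, 5 for read-only) instead of prompting for "enable".
aaa authorization exec authentication-server
! Log each authorized command on ACS (Reports and Activity > TACACS+
! Administration); this is how you verify the read-only set actually bites.
aaa accounting command ACS
!
! ACS 4.2 side (GUI, no CLI equivalent); same TACACS+ key on the AAA client:
!   Shared Profile Components > Shell Command Authorization Sets > Add
!     name: ASA-ReadOnly, Unmatched Commands: Deny
!     command "show", arguments "permit .*" (Permit Unmatched Args)
!     assumption: "exit", "quit" and "enable" may also need to be
!     permitted so sessions can be opened and closed cleanly
!   Group Setup > (existing router/switch read-only group) > TACACS+
!   Settings > Shell (exec): Privilege level 5   (admin group: 15)
!   Group Setup > TACACS+ Settings > Shell Command Authorization Set >
!   "Assign a Shell Command Authorization Set on a per Network Device
!   Group Basis": NDG "ASA" -> ASA-ReadOnly; the same group keeps its
!   existing set for the router/switch NDG, so no second username is needed.
!   Admin group: leave the ASA NDG unrestricted (or assign a permit-all set).
! Check Reports and Activity > Failed Attempts after the first read-only
! login: any command those users legitimately need but were denied is there.
```

Because the authorization set is bound per NDG on the existing groups, the admin and read-only users keep the TACACS usernames and groups they already use for routers and switches.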
