I want to set up a couple of users in TACACS using ACS 5.1 to only be able to log in to the ASDM and monitor the device.
The documentation from the ASA ASDM is a bit confusing, as it says:
1. TACACS+ users—Authorization is requested with the "service=shell" and the server responds with PASS or FAIL.
• PASS, privilege level 1—Allows full access to any services specified by the Authentication tab options.
• PASS, privilege level 2 and higher—Allows access to the CLI when you configure the Telnet or SSH authentication options, but denies ASDM configuration access if you configure the HTTP option. ASDM monitoring access is allowed. If you configure enable authentication with the Enable option, the user cannot access privileged EXEC mode using the enable command.
• FAIL—Denies management access. The user cannot use any services specified by the Authentication tab options (excluding the Serial option; serial access is allowed).
So in order to give them access to ASDM monitoring I need to give them a privilege level of 2 or higher, which allows them to view but not configure.
However, a privilege level of 1 allows full access? Isn't this the opposite of the way privilege levels work?
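For reference, the ASA-side configuration that the quoted documentation describes, as an added example that is not part of the original post and not taken from Cisco's documentation: ASDM (HTTP), SSH and enable authentication are pointed at a TACACS+ server group, and management authorization is switched on so the ASA actually requests service=shell authorization and honours the priv-lvl the server returns. The server group name TACACS_SRV, the host 10.0.0.10, the shared key, the management subnet and the local fallback user are placeholders; the ACS 5.1 steps in the comments are a summary of the shell-profile setup, and the menu paths should be checked against your build.

```text
! ----- ASA 8.x CLI -----
! TACACS+ server group (name, address and key are placeholders).
aaa-server TACACS_SRV protocol tacacs+
aaa-server TACACS_SRV (inside) host 10.0.0.10
 key <shared-secret>

! Allow ASDM/HTTPS from the management subnet (placeholder network).
http server enable
http 10.0.0.0 255.255.255.0 inside

! Authenticate ASDM (http), SSH and 'enable' against ACS, falling back
! to the local database only when the whole server group is unreachable.
aaa authentication http console TACACS_SRV LOCAL
aaa authentication ssh console TACACS_SRV LOCAL
aaa authentication enable console TACACS_SRV LOCAL

! Management authorization: this is what makes the ASA send the
! service=shell authorization request and apply the returned priv-lvl
! (level 1 = full, level 2+ = ASDM monitoring only, as quoted above).
! Without it the ASA never asks ACS for a privilege level.
aaa authorization exec authentication-server

! Local fallback account mirrored at level 2, so behaviour is the same
! if the LOCAL fallback ever kicks in (placeholder name/password).
username asdm-ro password <password> privilege 2

! ----- ACS 5.1 side (GUI summary, not CLI; verify paths in your build) -----
! Policy Elements > Authorization and Permissions > Device Administration
!   > Shell Profiles: create a profile such as "ASDM-Monitor" and, under
!   Common Tasks, set Default Privilege to Static, value 2.
! Access Policies > Default Device Admin > Authorization: add a rule that
!   maps the monitoring users' identity group to that shell profile.
! Result: the service=shell reply for those users carries priv-lvl=2.

! ----- Checks -----
! From an SSH session as one of the monitoring users:
!   show curpriv      -> should report privilege level 2
!   enable            -> fails, as the quoted text says for level 2+
!                        when enable authentication is configured
! From ASDM as the same user the Configuration tab should be unavailable
! while Monitoring works.
```

The `aaa authorization exec authentication-server` line is the one most often missed: the PASS/FAIL and privilege-level rules in the quoted documentation only come into play once the ASA is configured to request that authorization, and the level-1-means-full behaviour the documentation describes is the ASA's own convention for management authorization rather than the generic IOS privilege-level ordering.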