
New Member

ACS privilege level needed for ASDM view-only access?

I need to allow access to the ASDM for the ASA firewall but wanted to restrict the access level these users would have when connected. We're authenticating through the ACS server, rather than locally on the device. This ASDM access would be mainly to view the traffic on the firewalls, but not be allowed to make any changes.

Thanks in advance.

5 REPLIES

Re: ACS privilege level needed for ASDM view-only access?

You need to create a group user on ACS with read only to do this.

New Member

Re: ACS privilege level needed for ASDM view-only access?

Thanks for the advice. I did go into ACS and set up a "read-only" type group under the group setup menu, however when I open ASDM with this user's credentials, he still has full access. I've listed what I changed below, in case you see something I did wrong.

Under Enable Options, I selected Max Priv level 0.

Under Tacacs+ Settings, I selected Shell (exec) and priv level 0, and PIX Shell (pixshell) is also selected.

Everything else was left at the default. Then I added this updated group to this user's ID, and selected user group settings.

Thanks again, Tony

Re: ACS privilege level needed for ASDM view-only access?

Have you configured the ASA with the below settings for ASDM?

aaa authentication http console TACACS LOCAL
aaa authorization command TACACS LOCAL
aaa accounting command TACACS
aaa authentication secure-http-client

New Member

Re: ACS privilege level needed for ASDM view-only access?

Yup, it's in all the firewalls I'm trying to allow access to.

aaa-server tacacs+ protocol tacacs+
aaa authentication enable console tacacs+ LOCAL
aaa authentication telnet console tacacs+ LOCAL
aaa authentication ssh console tacacs+ LOCAL
aaa authentication http console tacacs+ LOCAL
aaa authorization command LOCAL
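As an added example (not part of this thread and not Cisco's own tooling), the following Python script audits an ASA running-config excerpt for the AAA lines that decide whether ACS, rather than the firewall's local database, controls what an ASDM user can do: the `http console` authentication method, the `aaa authorization command` method, and `aaa authorization exec authentication-server`, which is the ASA management-authorization command (8.0(2) and later) that makes the device apply the privilege level returned by the AAA server to the session. The sample configurations, the server-group name `ACS`, and the host address 192.0.2.10 are constructed for the example.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the configuration pasted above; not a real device's config.
POSTED_CONFIG = """\
aaa-server tacacs+ protocol tacacs+
aaa-server tacacs+ (inside) host 192.0.2.10
aaa authentication enable console tacacs+ LOCAL
aaa authentication telnet console tacacs+ LOCAL
aaa authentication ssh console tacacs+ LOCAL
aaa authentication http console tacacs+ LOCAL
aaa authorization command LOCAL
"""

# Constructed variant in which ASDM authorization is routed through the AAA server group.
SERVER_AUTHZ_CONFIG = """\
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 192.0.2.10
aaa authentication http console ACS LOCAL
aaa authorization command ACS LOCAL
aaa authorization exec authentication-server
"""

SERVER_GROUP_RE = re.compile(r"^aaa-server (\S+) protocol (\S+)$")
AUTHN_RE = re.compile(r"^aaa authentication (\S+) console (.+)$")
AUTHZ_CMD_RE = re.compile(r"^aaa authorization command (.+)$")
AUTHZ_EXEC_RE = re.compile(r"^aaa authorization exec (\S+)")


def parse_aaa(config: str) -> Dict:
    """Collect server groups and the AAA method lists relevant to management access."""
    info: Dict = {"groups": {}, "authentication": {}, "authz_command": None, "authz_exec": None}
    for raw in config.splitlines():
        line = raw.strip()
        m = SERVER_GROUP_RE.match(line)
        if m:
            info["groups"][m.group(1)] = m.group(2)  # group name -> protocol
            continue
        m = AUTHN_RE.match(line)
        if m:
            info["authentication"][m.group(1)] = m.group(2).split()  # service -> method list
            continue
        m = AUTHZ_CMD_RE.match(line)
        if m:
            info["authz_command"] = m.group(1).split()
            continue
        m = AUTHZ_EXEC_RE.match(line)
        if m:
            info["authz_exec"] = m.group(1)
    return info


def is_server_group(method: str, groups: Dict[str, str]) -> bool:
    """LOCAL is the on-box user database; any other method must name a defined aaa-server group."""
    return method != "LOCAL" and method in groups


def audit_asdm_authorization(config: str) -> List[str]:
    """Return findings explaining why ACS may not be controlling ASDM access on this config."""
    info = parse_aaa(config)
    findings: List[str] = []

    http = info["authentication"].get("http")
    if not http or not is_server_group(http[0], info["groups"]):
        findings.append("http console (ASDM) authentication does not go to a AAA server group first")

    cmd = info["authz_command"]
    if cmd is None:
        findings.append("no 'aaa authorization command' line; every authenticated user can run any command")
    elif not is_server_group(cmd[0], info["groups"]):
        findings.append("command authorization is LOCAL: per-command decisions come from the ASA's "
                        "own privilege tables, not from ACS")

    if info["authz_exec"] != "authentication-server":
        findings.append("'aaa authorization exec authentication-server' is absent, so the privilege "
                        "level ACS returns is not applied to the ASDM/CLI session")
    return findings


if __name__ == "__main__":
    for label, cfg in (("posted", POSTED_CONFIG), ("server-authorized", SERVER_AUTHZ_CONFIG)):
        result = audit_asdm_authorization(cfg)
        print(f"{label}: {'OK' if not result else ''}")
        for f in result:
            print("  -", f)
```

Run it as-is to compare the two constructed configurations; point `audit_asdm_authorization()` at the output of `show running-config aaa` to check a real firewall. It deliberately does not judge the privilege level ACS sends (that lives in the ACS group settings, not in the ASA config); it only reports whether the ASA is configured to consult the server for ASDM authorization at all.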

New Member

Re: ACS privilege level needed for ASDM view-only access?

What about NAR? I tried with Per Group Defined NAR, IP-based restriction:

denied calling/point of access locations, and I specified AAA client, port 443 and IP address of ASA to deny ASDM access? I use ACS 4.2.

Is it possible like that? I want one specific group to have priv lev 5 on CLI and NO access to ASDM.
