09-08-2010 09:56 PM - edited 03-11-2019 11:37 AM
Hi Guys,
Can anyone tell me if the ASA supports views in the same manner IOS does? If so, can you tell me what version this functionality was made available in?
TIA
Rgds
Scott
09-09-2010 02:24 PM
Hi Scott
No is the simple answer to your Q, the ASA does NOT support views.
Although if you want to restrict access to the device then you can use AAA, see the post above for details.
cheers
09-09-2010 04:37 AM
Hi Scott,
When you enable command authorization, only then do you have the option of manually assigning privilege levels to individual commands or groups of commands.
---
To configure privilege access levels on Cisco ASA commands, there are 4 steps involved, as follows:
1. Enable command authorization (LOCAL in this case means keep the command authorization configuration on the firewall):
aaa authorization command LOCAL
2. Define the commands you want to use at a certain level. For example, these commands will enable a user at privilege level 5 to view and clear crypto tunnels:
privilege show level 5 command crypto
privilege clear level 5 command crypto
3. Create a user and assign the privilege level to her/him:
username userName password userPass privilege 5
4. Create an enable password for the new privilege level:
enable password enablePass level 5
Now when the user logs in she/he can type:
enable 5
Enter the password from step four and they will be able to run the above crypto commands.
---
To add a user to the security appliance database, enter the username command in global configuration mode. To remove a user, use the no version of this command with the username you want to remove. To remove all usernames, use the no version of this command without appending a username.
username name {nopassword | password password [mschap | encrypted | nt-encrypted]} [privilege priv_level]
This privilege level is used with command authorization.
no username name
----------
In general you can use this version of the username command as well for a simple config:
username
i.e. (level 15 allows full EXEC mode access, as well as all ASDM features)
username sachingarg password HC!@%$#@! privilege 15
The default privilege level is 2.
Please remember, as I have said above, that access levels (1-15) aren't very relevant unless you enable command authorization:
aaa authorization command LOCAL
---
Viewing Command Privilege Levels
The following commands let you view privilege levels for commands.
• To show all commands, enter the following command:
hostname(config)# show running-config all privilege all
• To show commands for a specific level, enter the following command:
hostname(config)# show running-config privilege level level
The level is an integer between 0 and 15.
• To show the level of a specific command, enter the following command:
hostname(config)# show running-config privilege command command
For example, for the show running-config all privilege all command, the system displays the current assignment of each CLI command to a privilege level. The following is sample output from the command.
hostname(config)# show running-config all privilege all
privilege show level 15 command aaa
privilege clear level 15 command aaa
privilege configure level 15 command aaa
privilege show level 15 command aaa-server
privilege clear level 15 command aaa-server
privilege configure level 15 command aaa-server
privilege show level 15 command access-group
privilege clear level 15 command access-group
privilege configure level 15 command access-group
privilege show level 15 command access-list
privilege clear level 15 command access-list
privilege configure level 15 command access-list
privilege show level 15 command activation-key
privilege configure level 15 command activation-key
....
The following command displays the command assignments for privilege level 10:
hostname(config)# show running-config privilege level 10
privilege show level 10 command aaa
The following command displays the command assignment for the access-list command:
hostname(config)# show running-config privilege command access-list
privilege show level 15 command access-list
privilege clear level 15 command access-list
privilege configure level 15 command access-list
ciscoasa5520# show run all username
ciscoasa5520# show run all privilege | grep pwd
-----
Kindly find some useful references in this regard as follows:
username cli syntax
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/uz.html#wp1568449
Additional reference for aaa authorization command
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1537175
For ASDM:
http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/user/guide/devaccss.html
Managing System Access (best for beginners)
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mgaccess.html#wp1042040
You can configure privilege levels on the ASA through the AAA configuration. Take a look at:
http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/user/guide/devaccss.html
For the Master Collection of Cisco ASA Config Examples links, kindly refer to the following URL:
Please keep in touch for any further query in this regard. Please rate if you find the above mentioned information of any use to you.
HTH
Sachin Garg
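As an added example (not from this thread or from Cisco), here is a small audit script that parses the three kinds of lines the post relies on (privilege assignments, username privilege levels and the aaa authorization command LOCAL line) and reports what each local user can actually run, flagging the case the post warns about where levels are configured but command authorization is never enabled. The config text is constructed for illustration; a real review would feed it the output of show running-config all privilege all and show run all username.

```python
"""Audit an ASA running-config excerpt for command-authorization posture."""
import re

# Constructed sample: two scoped users, one with no explicit privilege,
# and deliberately no 'aaa authorization command LOCAL' line.
SAMPLE_CONFIG = """\
privilege show level 5 command crypto
privilege clear level 5 command crypto
privilege show level 15 command aaa
privilege configure level 15 command aaa
username ops password HASHPLACEHOLDER encrypted privilege 5
username admin password HASHPLACEHOLDER encrypted privilege 15
username helpdesk password HASHPLACEHOLDER encrypted
"""

PRIV_RE = re.compile(
    r"^privilege\s+(?P<mode>\S+)\s+level\s+(?P<level>\d+)\s+command\s+(?P<cmd>\S+)$")
# Mirrors: username name {nopassword | password pw [mschap|encrypted|nt-encrypted]} [privilege N]
USER_RE = re.compile(
    r"^username\s+(?P<name>\S+)\s+(?:nopassword|password\s+\S+(?:\s+(?:mschap|encrypted|nt-encrypted))?)"
    r"(?:\s+privilege\s+(?P<level>\d+))?$")
DEFAULT_USER_LEVEL = 2  # ASA default when 'privilege' is omitted, as the post states


def parse_config(text):
    """Return (authz_enabled, {(mode, cmd): level}, {user: level})."""
    authz, cmd_levels, users = False, {}, {}
    for raw in text.splitlines():
        line = raw.strip()
        if line == "aaa authorization command LOCAL":
            authz = True
        elif (m := PRIV_RE.match(line)):
            cmd_levels[(m["mode"], m["cmd"])] = int(m["level"])
        elif (m := USER_RE.match(line)):
            users[m["name"]] = int(m["level"]) if m["level"] else DEFAULT_USER_LEVEL
    return authz, cmd_levels, users


def allowed_commands(user_level, cmd_levels):
    """Commands a user at user_level may run: anything assigned at or below that level."""
    return sorted(f"{mode} {cmd}" for (mode, cmd), lvl in cmd_levels.items() if lvl <= user_level)


def audit(text):
    """Per-user effective command set plus findings about enforcement."""
    authz, cmd_levels, users = parse_config(text)
    findings = []
    if not authz:
        findings.append("aaa authorization command LOCAL missing: privilege levels are not enforced")
    allowed = {u: allowed_commands(lvl, cmd_levels) for u, lvl in users.items()}
    return {"authz_enabled": authz, "users": users, "allowed": allowed, "findings": findings}
```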
09-09-2010 04:11 PM
Hi Sachin,
Appreciate your effort in this post, most informative; however, it doesn't address my question, i.e. does the ASA support views/roles, as IOS does?
Thanks
Rgds
Scott
11-10-2017 07:51 AM
Thank you for not only answering the question, but providing the equivalent to IOS VIEWS in ASA using the PRIVILEGE command. Very thorough.
09-09-2010 04:12 PM
Thanks Golly, not the answer I wanted to hear but appreciated all the same.
Rgds
Scott