ASA Read only User

Hello Everyone,

Can someone tell me the command for creating a user on an ASA 5500 running 7.2(3) that can only view the config but not make any changes?

Thanks in advance! All replies rated


Re: ASA Read only User

You can use privilege level 5. This will allow enable mode, but it will not give config t access, nor clear xlate or any clear commands; it can, however, issue show and its subcommands, including show run. The same applies when using ASDM.

create user in asa local database

asa(config)# username <name> password <password> privilege 5

enable AAA to use ASA local user database

asa(config)#aaa authentication telnet console LOCAL

asa> en

Password: *******

asa#config t

^

ERROR: % Invalid input detected at '^' marker.

ERROR: Command authorization failed

asa#clear xlate

ERROR: % Invalid input detected at '^' marker.

ERROR: Command authorization failed

asa#

Regards


Re: ASA Read only User

Thanks. I am not sure if access by SSH makes a difference, but the user is using SSH, and SSH is configured to authenticate to the local database, yet the user can still get to config t. I am running 7.2 if that makes a difference.

Re: ASA Read only User

Add the statement below. Have you defined privilege levels for that particular SSH user as indicated in my previous post?

aaa authentication ssh console LOCAL

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml


Re: ASA Read only User

Hello,

Yes, I do have the above listed statement and have defined the privilege level as the first post said.

Thanks!

Re: ASA Read only User (Accepted Solution)

Ok , you must be missing this statement, try with that user after you enter this in asa and let me know.

aaa authorization command LOCAL

Additional reference for aaa authorization command

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1537175

Regards
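To make the check in this exchange repeatable, here is a small added Python audit. It is not from the thread or from Cisco; the sample configs, host name and user names are constructed, and the helper names (parse_asa_config, readonly_findings, commands_granted) are hypothetical. It parses a running-config and reports why a local user is, or is not, an enforced read-only account, encoding the lesson of the accepted answer: the privilege 5 on the username line only takes effect once the SSH/Telnet path authenticates against LOCAL and aaa authorization command LOCAL is present. It also lists the show subcommands explicitly lowered to a level with privilege ... level N statements.

```python
"""Audit an ASA running-config for an enforced read-only local user.

Added example for this thread (not Cisco's code). Sample configs are
constructed; function names are hypothetical.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample mirroring the original poster's situation before the fix:
# a level-5 user, SSH/Telnet authenticating to LOCAL, but no command authorization.
BROKEN_CONFIG = """\
hostname asa
username admin password 5f7Bn/MpIwNpJe encrypted privilege 15
username auditor password xY9k2Lm3Qp1Zz encrypted privilege 5
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
privilege show level 5 mode exec command running-config
privilege show level 5 mode exec command log
ssh 10.0.0.0 255.255.255.0 inside
"""

# The accepted solution is exactly one added line.
FIXED_CONFIG = BROKEN_CONFIG + "aaa authorization command LOCAL\n"

USER_RE = re.compile(r"^username (\S+) (?:password|nopassword)(.*)$")
AUTH_RE = re.compile(r"^aaa authentication (ssh|telnet|http|serial|enable) console (\S+)$")
AUTHZ_RE = re.compile(r"^aaa authorization command (\S+)")
PRIV_RE = re.compile(r"^privilege (\S+) level (\d+) mode (\S+) command (\S+)$")


@dataclass
class AsaAuthPolicy:
    users: Dict[str, int] = field(default_factory=dict)          # name -> privilege level
    local_auth_paths: Set[str] = field(default_factory=set)      # paths authenticated via LOCAL
    command_authz: Optional[str] = None                          # "LOCAL", a server tag, or None
    lowered_cmds: List[Tuple[str, int, str, str]] = field(default_factory=list)


def parse_asa_config(text: str) -> AsaAuthPolicy:
    """Pull out the lines that decide who may run what on the management plane."""
    policy = AsaAuthPolicy()
    for raw in text.splitlines():
        line = raw.strip()
        if m := USER_RE.match(line):
            lvl = re.search(r"\bprivilege (\d+)", m.group(2))
            policy.users[m.group(1)] = int(lvl.group(1)) if lvl else 2  # ASA default is 2
        elif m := AUTH_RE.match(line):
            if m.group(2).upper() == "LOCAL":
                policy.local_auth_paths.add(m.group(1))
        elif m := AUTHZ_RE.match(line):
            policy.command_authz = m.group(1)
        elif m := PRIV_RE.match(line):
            policy.lowered_cmds.append((m.group(1), int(m.group(2)), m.group(3), m.group(4)))
    return policy


def readonly_findings(policy: AsaAuthPolicy, user: str,
                      paths: Tuple[str, ...] = ("ssh", "telnet")) -> List[str]:
    """Reasons `user` is NOT an enforced read-only account; an empty list means OK."""
    level = policy.users.get(user)
    if level is None:
        return [f"{user}: not in the local database"]
    findings: List[str] = []
    if level >= 15:
        findings.append(f"{user}: privilege {level} is full administrative access")
    for path in paths:
        if path not in policy.local_auth_paths:
            findings.append(f"{path}: not authenticated against LOCAL, so {user}'s level is never used")
    if policy.command_authz is None:
        # The poster's exact failure: level 5 set, but nothing enforces it.
        findings.append("no 'aaa authorization command LOCAL': privilege levels are not enforced; 'config t' succeeds")
    elif policy.command_authz.upper() != "LOCAL":
        findings.append(f"command authorization uses {policy.command_authz}, not the LOCAL database")
    return findings


def commands_granted(policy: AsaAuthPolicy, level: int) -> List[str]:
    """Commands explicitly lowered to `level` or below via 'privilege ... level N'."""
    return sorted(f"{verb} {cmd}" for verb, lvl, _mode, cmd in policy.lowered_cmds if lvl <= level)


if __name__ == "__main__":
    for label, cfg in (("before fix", BROKEN_CONFIG), ("after fix", FIXED_CONFIG)):
        policy = parse_asa_config(cfg)
        print(f"[{label}] auditor findings:", readonly_findings(policy, "auditor") or "none")
        print(f"[{label}] explicitly granted at level 5:", commands_granted(policy, 5))
```

Run it as a script to see the level-5 user flagged on the constructed "before" config and pass on the "after" config; point parse_asa_config at the output of show running-config to audit a real box.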


Re: ASA Read only User

That was it. Thanks! Just to make sure, this ASA is also authenticating users for VPN connections by pointing to the domain. This should not impact those users correct?

Thanks so much!!

Re: ASA Read only User

Angel, it should not impact any VPN-related authentication; this only pertains to authorization for managing the ASA appliance.

Glad it is resolved and thank you for rating.

regards


ASA Read only User

Hi,

I just stumbled onto this post. I was wondering if there was a generic command to allow access to all show commands, instead of individually having to specify them:

e.g. at the moment I have a Level 5 user who I want to have access to all show commands, but not configuration mode, and I have to manually specify each command:

privilege show level 5 mode exec command running-config

privilege show level 5 mode exec command log

Is there an equivalent of show * that I can add?

Thanks
