I currently have an ACS Appliance performing tacacs authentication for my network devices. I have a few user groups in there to assign access to certain devices and at certain priviledge levels. One of the groups allows the user to authenticate to any network device, but only with a max priviledge level of 1.
When these users log into my ASA's, they are unable to go into enable mode, which is good. But when they log into the ASA via ASDM, they can perform changes and write them to flash.
The ASDM reports they are logged in at priviledge level 15.
Has anyone else noticed a similar issue? If so, where you able to mitigate it?
As long as the ASA is set to authorize all commands, create a command authorization set in ACS. In the command authorization set, permit ?show? and ?write? (and permit unmatched arguments) and deny all other unmatched commands. You then need to apply the command authorization set to the user, or if the user access devices besides the ASA, you may may to limit the devices the command authorization set is applied to for the user. To limit it, create a network device group for the ASAs and then assign the shell command authorization set on a per network device group basis for the user. With this setup, even if a user has priv 15, the command set will limit the commands they can use at prvi 15.
Login to the FXOS chassis manager.
Direct your browser to https://hostname/, and log-in using the user-name and password.
Go to Help > About and check the current version:
Check the current version availa...
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...