10-14-2014 12:37 PM - edited 03-11-2019 09:55 PM
Hi All,
I need to set up a restricted account for some juniors on my ASAs, so I have built the following:
aaa authorization command LOCAL
privilege show level 3 mode exec command vpn-sessiondb l2l
privilege show level 3 mode exec command crypto isakmp sa
privilege show level 3 mode exec command processes cpu-usage
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command switch
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command conn all
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command traceroute
username tech password <password> priv 3
enable password <password> level 3
Now I am a command line guy, but other members of my team are more comfortable on the GUI, so I can't just straight up disable HTTP, otherwise I would. With that said, if I create this user account, and a junior logs into an ASA via ASDM, will this control what they can see / what they can & cannot click on in the config tab of ASDM, or is there no way to do this? Further, will this keep them from being able to make changes in ASDM?
10-14-2014 06:49 PM
Hi,
Yes, this configuration will keep them from making any changes on the ASA device.
Thanks and Regards,
Vibhor Amrodia
10-15-2014 05:02 AM
Thanks.
Actually, I think I have a great solution to deny them ASDM access while still allowing administrators (we all come from the same address to the WAN) - I will just change the default HTTPS port and not distribute it.
10-15-2014 11:28 AM
So they pass the test to graduate out of junior status if they use nmap to scan the ASA's address and find the non-default port used by https?
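An added example, not part of any post in this thread: instead of relying on an undisclosed HTTPS port, ASA management authorization can limit the `tech` account from the first post to monitoring-only access in ASDM. It assumes local authentication and a software release that supports `aaa authorization exec LOCAL`; the port number 8443 is a constructed value standing in for the port change proposed above.

```cisco
! Approach proposed in the thread: move ASDM to a non-default port.
! A port scan still finds the listener, so this hides the service
! without controlling who may use it. (8443 is a constructed value.)
http server enable 8443

! Added alternative: authenticate ASDM (HTTPS) and SSH logins against
! the local user database.
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL

! Enforce per-user management authorization (service-type and
! privilege level) at login.
aaa authorization exec LOCAL

! Per-command privilege levels, as already configured in the first post.
aaa authorization command LOCAL

! nas-prompt: CLI login is allowed, ASDM configuration access is denied,
! ASDM monitoring access remains available.
username tech attributes
 service-type nas-prompt
```

Administrator accounts keep `service-type admin` (the default), so they retain full ASDM access from the same source address.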