Creating a limited admin user account on an ASA?

benweber
Level 1

Hi All,

 

Wondering if this is possible. I want to create a user account on an ASA running 9.1(4) that just has the ability to create and delete other user accounts. This ASA is running a webvpn with local authentication and I want the local folks to be able to add and remove user accounts but not to be able to do anything else to modify the config.

 

I've done a similar thing in the past so that users could issue specific "show" commands by creating a local account with a privilege level of 6 and then allowing that account the ability to issue show commands with the following lines:

 

username nopriv password <removed> privilege 6

privilege show level 6 mode exec command startup-config
 

Is it possible to do the same so that they only have access to the "username" commands?

 

Thanks,

 

Ben

1 Reply

Marvin Rhoads
Hall of Fame

The ASA has RBAC (Role-Based Access Control) similar to IOS. In ASDM, first customize the desired command privileges to apply to a level <15 (Configuration > Device Management > Users/AAA > AAA Access > Authorization).

Then, from the User Accounts menu in the same Configuration pane, create your limited admin users and modify their privilege level to the one you just customized.
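
A CLI sketch of the ASDM steps described in the reply, added here as an example and not posted by either participant. The account names `admin` and `useradmin` and the choice of level 6 are placeholders, and the `privilege cmd` lines are an assumption modeled on the `privilege show` line in the question, so confirm the syntax on your release before applying it.

```cisco
! Constructed example: "admin", "useradmin" and level 6 are placeholders.
! Keep a privilege 15 local account in place before enabling command
! authorization, otherwise a mistake here can lock out all administrators.
username admin password <removed> privilege 15
username useradmin password <removed> privilege 6

! Authenticate management sessions and the enable prompt against the local
! database so each user lands at the privilege level set on their account.
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL

! Turn on local command authorization; from here on the privilege levels
! assigned to commands are enforced.
aaa authorization command LOCAL

! Delegate only what the limited admin needs: entering configuration mode
! and the username command (its configure form, which includes "no").
privilege cmd level 6 mode exec command configure
privilege cmd level 6 mode configure command username

! Nothing above lets level 6 save the configuration, so accounts created
! by useradmin live only in the running config until an administrator
! with that right writes it to startup.
```

The privilege line authorizes the `username` command as a whole rather than individual keywords, so periodically review the accounts and privilege levels that delegated users create. Test the limited account in a separate session while a privilege 15 session stays open.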
