Default Privilege Level for ASA users authenticated by Radius or TACACS when using ASDM

Hello,

I'm trying to figure out what the default privilege level is for users that are authenticated to the ASA via a remote authentication server when using the ASDM.

The command "aaa authentication http console TACACS+ LOCAL" is used in the ASA config.

The remote server is NOT setting any privilege levels for users.  There are also no aaa authorization commands present in the config.

So what privilege level do the users receive when they login with the ASDM?  I'm being told that the users receive admin access which includes config write, reboot, and debug.  But I cannot find any documentation stating the default level.

Please advise.  And providing links to cisco documentation would be great too.

Thanks,

Brendan


6 REPLIES

Hi Brendan,

Hope the below excerpt from the document clarifies your query. Also, I have provided the link to refer to.

About Authorization

Authorization controls access per user after users authenticate. You can configure the security appliance to authorize the following items:

Management commands

Network access

VPN access

Authorization controls the services and commands available to each authenticated user. Were you not to enable authorization, authentication alone would provide the same access to services for all authenticated users.

If you need the control that authorization provides, you can configure a broad authentication rule, and then have a detailed authorization configuration. For example, you authenticate inside users who attempt to access any server on the outside network and then limit the outside servers that a particular user can access using authorization.

The security appliance caches the first 16 authorization requests per user, so if the user accesses the same services during the current authentication session, the security appliance does not resend the request to the authorization server.

http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/asdm60/user/guide/usrguide/aaasetup.html

Regards

Karthik

Hi Karthik,

Thanks for the help but I still need a little more info.  The provided manual excerpt states

"Were you not to enable authorization, authentication alone would provide the same access to services for all authenticated users."

It states that when authorization is not enabled then all incoming users will have the same access to services and commands.  But it does not state the actual list of commands that are given to ASDM users by default.  I'm basically looking for the list of commands.  Are the commands given a specific privilege level, etc....

Thanks

Hi,

Please find the answer for your specific query.

Command authorization

If you turn on command authorization using the local database, then the security appliance refers to the user privilege level to determine what commands are available. Otherwise, the privilege level is not generally used. By default, all commands are either privilege level 0 or level 15. ASDM allows you to enable three predefined privilege levels, with commands assigned to level 15 (Admin), level 5 (Read Only), and level 3 (Monitor Only). If you use the predefined levels, then assign users to one of these three privilege levels.

So this states that you will be getting the default privilege level 15 when no authorization rules are set.... until and unless we specify some controls in authorization, it will take the default privilege value, i.e. 15. Because if they kept a different default level of authorization, then you might lose your control to manage the device when some initial configuration is needed..

The factory default also comes with privilege 15.

username <username> privilege 15 password 0 <password> with it.

Regards

Karthik
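To make the point of this reply concrete, here is an added audit script (not from the thread or from Cisco) that scans an ASA running-config excerpt for exactly the situation Brendan describes: remote authentication for ASDM/SSH with no `aaa authorization` lines, where every authenticated user lands at privilege 15. The two config excerpts are constructed for this example (hostname, server address and the `<placeholder-...>` values are not from the thread); the hardened variant adds `aaa authorization command` and `aaa authorization exec authentication-server`, both real ASA commands, and drops the helpdesk local account to the Read Only level (5) mentioned above.

```python
import re

# Constructed sample ASA running-config excerpts for this example; not the
# thread's device. The first mirrors the thread: remote authentication for
# ASDM (http) and SSH with no aaa authorization at all.
WEAK_CONFIG = """\
hostname asa-lab
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.0.2.10
 key <placeholder-key>
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
username admin password <placeholder-hash> encrypted privilege 15
username helpdesk password <placeholder-hash> encrypted privilege 15
http server enable
"""

# Same device with command authorization (TACACS+ with LOCAL fallback) and
# exec authorization added, so the privilege level returned by the server is
# applied and commands are checked against it; helpdesk moved to level 5.
HARDENED_CONFIG = """\
hostname asa-lab
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.0.2.10
 key <placeholder-key>
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
aaa authorization command TACACS+ LOCAL
aaa authorization exec authentication-server
username admin password <placeholder-hash> encrypted privilege 15
username helpdesk password <placeholder-hash> encrypted privilege 5
http server enable
"""

AUTH_RE = re.compile(r"^aaa authentication (\S+) console (\S+)(?: (\S+))?$")
AUTHZ_CMD_RE = re.compile(r"^aaa authorization command ")
AUTHZ_EXEC_RE = re.compile(r"^aaa authorization exec ")
USER_RE = re.compile(r"^username (\S+) .*privilege (\d+)$")


def audit_asa_aaa(config_text):
    """Audit management-plane AAA in an ASA config excerpt.

    Returns a dict with the management services that authenticate against a
    remote server group, whether command and exec authorization are present,
    local accounts at privilege 15, and a list of readable findings.
    """
    result = {
        "remote_auth_services": [],
        "command_authz": False,
        "exec_authz": False,
        "level15_local_users": [],
        "issues": [],
    }
    for raw in config_text.splitlines():
        line = raw.strip()
        m = AUTH_RE.match(line)
        if m:
            service, group = m.group(1), m.group(2)
            if group.upper() != "LOCAL":
                result["remote_auth_services"].append((service, group))
            continue
        if AUTHZ_CMD_RE.match(line):
            result["command_authz"] = True
            continue
        if AUTHZ_EXEC_RE.match(line):
            result["exec_authz"] = True
            continue
        m = USER_RE.match(line)
        if m and int(m.group(2)) == 15:
            result["level15_local_users"].append(m.group(1))

    # The thread's conclusion: authentication without authorization means
    # every authenticated ASDM/CLI user gets the same full (level 15) access.
    if result["remote_auth_services"] and not result["command_authz"]:
        services = ", ".join(s for s, _ in result["remote_auth_services"])
        result["issues"].append(
            f"authentication-only AAA for {services}: no 'aaa authorization "
            "command', so every authenticated management user gets level 15"
        )
    if result["remote_auth_services"] and not result["exec_authz"]:
        result["issues"].append(
            "no 'aaa authorization exec': privilege levels returned by the "
            "AAA server are not used to restrict management access"
        )
    if len(result["level15_local_users"]) > 1:
        result["issues"].append(
            "more than one local account at privilege 15: "
            + ", ".join(result["level15_local_users"])
        )
    return result


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit_asa_aaa(cfg)
        print(f"[{name}] issues: {len(findings['issues'])}")
        for issue in findings["issues"]:
            print("  -", issue)
```

Feed it the output of `show running-config` from the device and review the `issues` list; the weak excerpt produces three findings and the hardened one none.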

I really appreciate your help.

I'm concerned that the excerpt you quote from is not applicable because it refers to the "local database" of users.

My situation is regarding authenticating via a remote authentication server, not the local database.  Do the same default levels apply?

Thanks

Yeap. Got your point :)

Until and unless you specify the privilege levels, it will take it as the default and it will not return any specified privilege access.... once again it depends on the TACACS+ authentication server which you are using.... if it is Cisco ACS 4.2:

The three possible TACACS+ enable options are:

No Enable Privilege—(default) Disallows enable privileges for this user group.

So this means as you said it will not allow read/write access....

If you have a different Tacacs authentication server, then it depends on the architecture of that.

Regards

Karthik

Hi,

In ACS 5.x I see the default privilege level for Cisco devices is 15.

http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-system/113590-acs5-tacacs-config.html

Regards

Karthik
