Default Privilege Level for ASA users authenticated by Radius or TACACS when using ASDM
I'm trying to figure out what the default privilege level is for users that are authenticated to the ASA via a remote authentication server when using the ASDM.
The command "aaa authentication http console TACACS+ LOCAL" is used in the ASA config.
The remote server is NOT setting any privilege levels for users. There are also no aaa authorization commands present in the config.
So what privilege level do the users receive when they login with the ASDM? I'm being told that the users receive admin access which includes config write, reboot, and debug. But I cannot find any documentation stating the default level.
Please advise. And providing links to cisco documentation would be great too.
Hope the below excerpt from the document clarifies your query. Also I have provided the link to refer.
Authorization controls access per user after users authenticate. You can configure the security appliance to authorize the following items:
Authorization controls the services and commands available to each authenticated user. Were you not to enable authorization, authentication alone would provide the same access to services for all authenticated users.
If you need the control that authorization provides, you can configure a broad authentication rule, and then have a detailed authorization configuration. For example, you authenticate inside users who attempt to access any server on the outside network and then limit the outside servers that a particular user can access using authorization.
The security appliance caches the first 16 authorization requests per user, so if the user accesses the same services during the current authentication session, the security appliance does not resend the request to the authorization server.
Thanks for the help but I still need a little more info. The provided manual excerpt states
"Were you not to enable authorization, authentication alone would provide the same access to services for all authenticated users."
It states that when authorization is not enabled then all incoming users will have the same access to services and commands. But it does not state the actual list of commands that are given to ASDM users by default. I'm basically looking for the list of commands. Are the commands given a specific privilege level, etc....
If you turn on command authorization using the local database, then the security appliance refers to the user privilege level to determine what commands are available. Otherwise, the privilege level is not generally used. By default, all commands are either privilege level 0 or level 15. ASDM allows you to enable three predefined privilege levels, with commands assigned to level 15 (Admin), level 5 (Read Only), and level 3 (Monitor Only). If you use the predefined levels, then assign users to one of these three privilege levels.
So this states that you will be getting the default privilege level 15 when no authorization rules are set.... until and unless we specify some controls in authorization, it will take the default privilege value i.e. 15. Because if they keep a different default level of authorization, then you might lose your control to manage the device when some initial configuration is needed..
The factory default also comes with privilege 15.
username <username> privilege 15 password 0 <password> with it.
Until and unless you specify the privilege levels, it will take it as the default and it will not return any specified privilege access.... once again it depends on the tacacs+ authentication server which you are using.... if it is cisco acs 4.2
The three possible TACACS+ enable options are:
•No Enable Privilege—(default) Disallows enable privileges for this user group.
So this means as you said it will not allow read/write access....
If you have a different Tacacs authentication server, then it depends on the architecture of that.
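As an added example (not part of the thread or any Cisco tool), the following script audits a running-config excerpt for exactly the posture discussed above: ASDM/HTTP logins authenticated against TACACS+ with no "aaa authorization command" line, so local privilege levels are never enforced. The config text, hostname and usernames are constructed placeholders.

```python
# Constructed sample ASA running-config excerpt for a hypothetical device
# (not taken from the thread). Passwords are placeholders.
SAMPLE_CONFIG = """\
hostname asa-edge
username admin password <redacted> encrypted privilege 15
username helpdesk password <redacted> encrypted
username admin attributes
aaa-server TACACS+ protocol tacacs+
aaa-server TACACS+ (inside) host 192.0.2.10
aaa authentication http console TACACS+ LOCAL
aaa authentication ssh console TACACS+ LOCAL
http server enable
"""

# Predefined ASDM privilege levels quoted in the thread.
ASDM_LEVELS = {15: "Admin", 5: "Read Only", 3: "Monitor Only"}

NO_AUTHZ = ("aaa authentication http console is set but 'aaa authorization command' "
            "is not: every authenticated ASDM user gets the same full command set; "
            "add 'aaa authorization command TACACS+ LOCAL' (or LOCAL) to enforce levels")


def audit_asa_config(config):
    """Parse the lines the thread discusses and report whether privilege levels
    are actually enforced for ASDM/HTTP logins."""
    result = {"http_auth": None, "command_authz": None, "users": {}, "findings": []}
    for raw in config.splitlines():
        parts = raw.strip().split()
        if parts[:1] == ["username"] and parts[2:3] != ["attributes"]:
            # privilege may follow the name (IOS style) or the password (ASA style)
            level = int(parts[parts.index("privilege") + 1]) if "privilege" in parts else None
            result["users"][parts[1]] = level
        elif parts[:4] == ["aaa", "authentication", "http", "console"]:
            result["http_auth"] = parts[4:]          # e.g. ['TACACS+', 'LOCAL']
        elif parts[:3] == ["aaa", "authorization", "command"]:
            result["command_authz"] = parts[3:]
    if result["http_auth"] and not result["command_authz"]:
        result["findings"].append(NO_AUTHZ)
    for name, level in result["users"].items():
        role = ASDM_LEVELS.get(level, "custom/unspecified")
        enforced = "enforced" if result["command_authz"] else "ignored (no command authorization)"
        result["findings"].append(f"user {name}: privilege {level} -> {role}, {enforced}")
    return result


if __name__ == "__main__":
    for finding in audit_asa_config(SAMPLE_CONFIG)["findings"]:
        print("-", finding)
```

Appending the "aaa authorization command TACACS+ LOCAL" line to the sample makes the first finding disappear and marks each user's level as enforced.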