
Separating Monitor only and Admin access to Cisco ASDM (ASA) for users authenticated via LDAP

Markus Thun
Level 1

Hi,

We have two AD groups, one group for network admins and one for systems admins. The network admins will get priv lvl 15, the other priv lvl 3.

This is the configuration that I use:

TestASA# sh run ldap attribute-map test4
map-name  comment Privilege-Level
map-value comment fw-ro 5
map-value comment fw-rw 15
map-name  memberOf IETF-Radius-Service-Type
map-value memberOf "cn=sec-FW-Admin,OU=Security Groups,DC=802101,DC=local" 6
map-value memberOf "cn=sec-fw-ro,OU=Security Groups,DC=802101,DC=local" 5

The users in both groups can log in via SSH and ASDM, but all users get the same rights, priv lvl 15.

Does anybody have an idea?

Accepted Solutions

Jatin Katyal
Cisco Employee

You need to visit the below listed link to configure ASA for read-only access and admin access. Not sure if you have already gone through it.

https://supportforums.cisco.com/docs/DOC-33843

~BR
Jatin Katyal

**Do rate helpful posts**

~Jatin

Markus Thun
Level 1

Thank you Jatin Katyal,

The document was helpful, but the point is not in the document.

It is important to set "Enable authorization for ASA command access" to Enable and click on the "Set ASDM Define User Roles..." button.

greets

Markus Thun
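
A config check for the condition this thread ended on, as an added example that is not part of any post: it parses an ASA running-config excerpt and flags an LDAP attribute map that hands out Privilege-Level values while command authorization is off or no commands are assigned to the lower levels. The sample config, the server group name and the DN are constructed, and it is an assumption that the ASDM checkbox and roles button appear in the CLI as `aaa authorization command ...` and `privilege ... level N ...` lines.

```python
import re
import shlex

# Constructed running-config excerpt; attribute-map lines follow the thread's format.
SAMPLE = '''
ldap attribute-map test4
  map-name  comment Privilege-Level
  map-value comment fw-ro 5
  map-value comment fw-rw 15
  map-name  memberOf IETF-Radius-Service-Type
  map-value memberOf "cn=sec-FW-Admin,OU=Security Groups,DC=example,DC=local" 6
aaa authentication ssh console LDAP_SRV LOCAL
aaa authentication http console LDAP_SRV LOCAL
'''

def mapped_levels(config):
    """Return {ldap_value: level} for LDAP attributes mapped to Privilege-Level."""
    names, levels = {}, {}
    for line in config.splitlines():
        try:
            tok = shlex.split(line)      # keeps a quoted DN as a single token
        except ValueError:               # unbalanced quote: not a map line we can read
            continue
        if len(tok) == 3 and tok[0] == "map-name":
            names[tok[1]] = tok[2]
        elif len(tok) == 4 and tok[0] == "map-value":
            if names.get(tok[1]) == "Privilege-Level" and tok[3].isdigit():
                levels[tok[2]] = int(tok[3])
    return levels

def audit(config):
    """List reasons why the mapped privilege levels would not separate users."""
    levels = mapped_levels(config)
    if not levels:
        return ["no Privilege-Level mapping found"]
    findings = []
    # Assumption: "Enable authorization for ASA command access" produces this line.
    if not re.search(r"^aaa authorization command \S+", config, re.M):
        findings.append("command authorization disabled")
    # Assumption: ASDM-defined user roles appear as 'privilege ... level N' lines.
    assigned = {int(n) for n in re.findall(r"^privilege .*?\blevel (\d+)\b", config, re.M)}
    for value, level in sorted(levels.items()):
        if level < 15 and not any(a <= level for a in assigned):
            findings.append(f"no commands assigned at or below level {level} ({value})")
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```
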
