topic Re: AAA: ASDM read-only access in Network Access Control

AAA: ASDM read-only access

sunil.aroraa — Sun, 10 Mar 2019 23:37:58 GMT

Hello,

I have ACS 4.2 Appliance which is integrated with Cisco ASA. I need to configure the users in ACS with read-only access to ASDM. Can anybody help me to know which commands are required in ASA and what parametrs are needs to configured in ACS?

Thanks in advance.

Re: AAA: ASDM read-only access

Collin Clark — Wed, 05 Aug 2009 13:57:58 GMT

I don't believe it can be done. ASDM is for configuration and can not be configured strictly for monitoring.

Re: AAA: ASDM read-only access

Jagdeep Gambhir — Wed, 05 Aug 2009 14:18:11 GMT

Sunil,

If you do not have command authorization in place on your ASA, then you can simply pass

down an exec authorization privilege of 1 to that user when they log into ASDM. This will

allow them to look through all of ASDM like any other user. But if they were to try to

write something to the configuration, then that would fail.

If you do have command authorization in place, or if you would like to have command

authorization, then there is actually a set of commands that are required in order to give read only access for ASDM which you would have to move to a lower privilege. Luckily, there is a feature in ASDM which will allow you to move a series of commands to Read Only privilege 5 ASDM access, as well as a series of commands to Monitor only privilege 3 ASDM access.

Currently, logging in with a user of privilege 15, navigate to Configuration > Device Administration > AAA Access > Authorization. There is a button "Predefined User Account Privilege". If you select this and apply this, it will set a series of commands to a lower privilege based on what ASDM needs to authorize that user for either Read Only or Monitor Only access.

Then you would need to create a new user account with privilege 5 access so that ASDM is read only, or create a new user with privilege 3 for monitor-only access.

Regards,

~JG

Do rate helpful posts

Re: AAA: ASDM read-only access

Collin Clark — Wed, 05 Aug 2009 14:21:13 GMT

That's helpful info Jagdeep.

Re: AAA: ASDM read-only access

sunil.aroraa — Wed, 05 Aug 2009 14:38:48 GMT

Thanks JG for your prompt reply.

Right now I dont have authorization commnads on ASA but authentication is happening from ACS.

So in your 1st option:

How to pass privilege level 1 to read-only user which is authenticating from ACS?

And in 2nd option:

I have configured read-only users with privilege 15 due to if I keep the privilege less than 15 then user is unable to login in privilge mode (for command show run etc. in routers)

In this option if user get the privilege level 5 or 3 from ACS then it is very much easy.

Thank You,

Sunil

Re: AAA: ASDM read-only access

jimmyc_2 — Tue, 08 Jun 2010 18:50:15 GMT

Hi Jagdeep,

This doesn't seem to work in ASDM 6.2(1), at least as far as setting up a level 3 or 5. They both seem to have enable privileges.

I'm looking to avoid using AAA, we've been burned in the past.

Thanks.

Jimmyc

Re: AAA: ASDM read-only access

Jatin Katyal — Tue, 08 Jun 2010 22:17:51 GMT

Sunil,

This can be done with or without ACS. I think with ACS it would be more reliable and centralized.

I recreated this in our lab few months ago with ACS server

Following are minimum commands that need to be permitted for a read only account for ASA 8.0(4) and ASDM 6.1.x

ACS configuration:

Go to shared profile component > shell command authorization > Edit/add the authorization set and make sure we have these command and respective argument available there.

Command Argument

copy                  Permit all unmatched arguments
dir                     Permit disk0:/dap.xml
enable              Permit
Perfmon           Permit interval 10
show                 Permit all unmatched arguments
write                 Permit net
exit                   Permit all

These commands are required on ASA/PIX/FWSM in order to implement command authorization through an ACS server:

    aaa-server authserver protocol tacacs+
    aaa-server authserver host x.x.x.x
    aaa authorization command authserver

With above seetings, you can use privilege 15 on the ACS. It will only allow user to run show commands. user won't be able to make any changes.

In case it doesn't work, please run the

debug tacacs

debug authorization

HTH

Do rate helpful posts-

Re: AAA: ASDM read-only access

jimmyc_2 — Wed, 09 Jun 2010 15:17:16 GMT

Hi Jagdeep,

I found a very important step that I was missing, to wit:

Step 7 In the Access Restriction area, set the management access level for a user. You must first enable management authorization using the Perform authorization for exec shell access option on the Configuration > Device Management > Users/AAA > AAA Access > Authorization tab.

the link was http://www.cisco.com/en/US/docs/security/asdm/6_2/user/guide/mgt_acc.html#wp1581382

It was kinda implied that level 5 was read-only, but you must configure it, as per above.

Re: AAA: ASDM read-only access

jimmyc_2 — Wed, 09 Jun 2010 15:30:14 GMT

Hi colin,

It took a bit, but you can do it without AAA. see my recent posts. regards, jimmyc

Re: AAA: ASDM read-only access

Jatin Katyal — Wed, 09 Jun 2010 15:33:07 GMT

Yes, you can do but for that you have to define almost all commands on the ASA with their privilege level. Suits those who doesn't have ACS.

Keep posting.