https://community.cisco.com/t5/network-security/asdm-authentication/m-p/790469#M1003346 <HTML><HEAD></HEAD><BODY><P>Hi .. can you check you have also AAA configured for accessing the ASA by https. </P><P></P><P>aaa authentication http console group-tag</P><P></P><P></P></BODY></HTML> Fri, 22 Jun 2007 00:26:47 GMT Fernando_Meza 2007-06-22T00:26:47Z https://community.cisco.com/t5/network-security/asdm-authentication/m-p/790466#M1003323 <P>I currently have an ACS Appliance performing tacacs authentication for my network devices. I have a few user groups in there to assign access to certain devices and at certain priviledge levels. One of the groups allows the user to authenticate to any network device, but only with a max priviledge level of 1.</P><P></P><P>When these users log into my ASA's, they are unable to go into enable mode, which is good. But when they log into the ASA via ASDM, they can perform changes and write them to flash. </P><P></P><P>The ASDM reports they are logged in at priviledge level 15. </P><P></P><P>Has anyone else noticed a similar issue? If so, where you able to mitigate it?</P><P></P><P>Thanks.</P> Mon, 11 Mar 2019 10:28:11 GMT https://community.cisco.com/t5/network-security/asdm-authentication/m-p/790466#M1003323 lou_young 2019-03-11T10:28:11Z https://community.cisco.com/t5/network-security/asdm-authentication/m-p/790467#M1003330 <HTML><HEAD></HEAD><BODY><P>No one?</P></BODY></HTML> Thu, 14 Jun 2007 15:06:47 GMT https://community.cisco.com/t5/network-security/asdm-authentication/m-p/790467#M1003330 lou_young 2007-06-14T15:06:47Z https://community.cisco.com/t5/network-security/asdm-authentication/m-p/790468#M1003337 <HTML><HEAD></HEAD><BODY><P>As long as the ASA is set to authorize all commands, create a command authorization set in ACS. In the command authorization set, permit ?show? and ?write? (and permit unmatched arguments) and deny all other unmatched commands. You then need to apply the command authorization set to the user, or if the user access devices besides the ASA, you may may to limit the devices the command authorization set is applied to for the user. To limit it, create a network device group for the ASAs and then assign the shell command authorization set on a per network device group basis for the user. With this setup, even if a user has priv 15, the command set will limit the commands they can use at prvi 15.</P></BODY></HTML> Thu, 21 Jun 2007 19:30:19 GMT https://community.cisco.com/t5/network-security/asdm-authentication/m-p/790468#M1003337 d-rathman 2007-06-21T19:30:19Z https://community.cisco.com/t5/network-security/asdm-authentication/m-p/790469#M1003346 <HTML><HEAD></HEAD><BODY><P>Hi .. can you check you have also AAA configured for accessing the ASA by https. </P><P></P><P>aaa authentication http console group-tag</P><P></P><P></P></BODY></HTML> Fri, 22 Jun 2007 00:26:47 GMT https://community.cisco.com/t5/network-security/asdm-authentication/m-p/790469#M1003346 Fernando_Meza 2007-06-22T00:26:47Z https://community.cisco.com/t5/network-security/asdm-authentication/m-p/790470#M1003352 <HTML><HEAD></HEAD><BODY><P>you need to configure authentication and command authorization on ASA to limit access to the users.</P><P></P><P>have a look ta following link :</P><P></P><P><A class="jive-link-custom" href="http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/mgaccess.htm#wp1047288" target="_blank">http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/mgaccess.htm#wp1047288</A></P></BODY></HTML> Fri, 22 Jun 2007 02:33:56 GMT https://community.cisco.com/t5/network-security/asdm-authentication/m-p/790470#M1003352 rochopra 2007-06-22T02:33:56Z