topic Re: READ ONLY ACCESS ON ASA 5525 in Network Security

READ ONLY ACCESS ON ASA 5525

DanielAwayevu5027 — Thu, 06 Oct 2022 12:14:49 GMT

Hello Sir,

Please I am having issue with a user who I want to have read only access to the firewall.

Below is the command I use:

username DKamenuveve password xxxxxxxxxxxxxxxxxxx priv 5

The user is still able to execute configuration commands and save.

There are other aaa commands already on the firewall:

aaa-server radius protocol radius
aaa-server radius (Bus_Serv) host x.x.x.x
aaa authentication ssh console radius LOCAL
aaa authentication enable console radius LOCAL
aaa accounting ssh console radius
aaa accounting enable console radius

I want to limit access to only local users. Please what I`m I missing.

Standing by please

Re: READ ONLY ACCESS ON ASA 5525

Aref Alsouqi — Thu, 06 Oct 2022 13:07:23 GMT

Your config seems to be missing a couple commands. You need to define what the priv 5 users can issue in terms of commands, and then you need to configure the aaa authorization. Example:

privilege show level 5 mode exec command running-config

privilege show level 5 mode exec command logging

aaa authorization local

Re: READ ONLY ACCESS ON ASA 5525

DanielAwayevu5027 — Thu, 06 Oct 2022 13:42:22 GMT

Thanks Aref.

Yes I have all these alredy:

privilege cmd level 5 mode exec command ping
privilege cmd level 5 mode exec command packet-tracer
privilege cmd level 5 mode exec command logging
privilege show level 5 mode exec command running-config
privilege show level 5 mode exec command cpu
privilege show level 5 mode exec command interface
privilege show level 5 mode exec command clock
privilege show level 5 mode exec command dns-hosts
privilege show level 5 mode exec command access-list
privilege show level 5 mode exec command vlan
privilege show level 5 mode exec command ip
privilege show level 5 mode exec command asdm
privilege show level 5 mode exec command arp
privilege show level 5 mode exec command aaa-server
privilege show level 5 mode configure command privilege

However, I missed the "aaa authorization local"

May I humbly ask if aaa authorization local is configured will users with domain account be able to login??

Thanks

Re: READ ONLY ACCESS ON ASA 5525

MHM Cisco World — Thu, 06 Oct 2022 13:55:00 GMT

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/215792-analyze-aaa-device-administration-behavi.html
first I see your post early today, but I can not answer You because the command need to carefully add to ASA, if some command add wrong you can loss access to FW.
anyway
I see above link, take look it show you how admin deal with each authz command you add
again friend read it careful and then decide add it.
good luck

Re: READ ONLY ACCESS ON ASA 5525

DanielAwayevu5027 — Thu, 06 Oct 2022 15:37:49 GMT

Thanks MHM

However I`m lost with what is being explained there. If aaa authorization local is applied what will be the effect. Can you advise as how to approach it.

Thanks

Re: READ ONLY ACCESS ON ASA 5525

DanielAwayevu5027 — Fri, 07 Oct 2022 07:57:24 GMT

Hello All,

Please this is the configuration aaa config currently running on the FW:

If I apply the aaa authorization command LOCAL on the FW does it mean I will not be able to login to the FW.

What happens to the AD users

Standing by

Re: READ ONLY ACCESS ON ASA 5525

Aref Alsouqi — Fri, 07 Oct 2022 11:53:03 GMT

From the configs you shared, you are authenticating the AD users to log into the firewall via RADIUS, and I don't believe you are enforcing any authorization with RADIUS, so, I would say no, by applying the authorization command you won't affect the AD users' logins. You can schedule a reboot of the ASA before you apply that command, and if you see any wrong behaviour the ASA will reload reverting back the configs, and if you are happy with the change, you can then cancel the scheduled reboot.

Re: READ ONLY ACCESS ON ASA 5525

MHM Cisco World — Fri, 07 Oct 2022 12:10:34 GMT

excellent answer.