topic add a local user to ASA 5512-x in Network Security

add a local user to ASA 5512-x

LionKin1984 — Tue, 12 Mar 2019 03:31:05 GMT

Hello people

I am trying to add a local user to our newly purchased ASA firewall 5512-x.

we do not have a Radius or AAA server

I want to add a user who has 'view only' access level on the firewall, can I just add this new user without needing to bother with AAA?

Cheers

add a local user to ASA 5512-x

Jouni Forss — Thu, 16 Jan 2014 11:43:10 GMT

Hi,

Interesting question, for me atleast. I don't think that with the very default configurations you will be able to actually separate what which user can do since if you use the "enable" password the user gains full access to all commands.

I personally don't handle much of the AAA side of our ASA management. Therefore I have never had to handle the LOCAL AAA settings on the ASA and making sure that certain user can only done specific things.

I took a quick look before posting and it seemed to me that by default the commands on the ASA are set so that very few commands are allowed for Privilege level 0 and rest are at Privilege 15 which is basically the highest level and to which you get to with the "enable" password.

To have the ASA define which commands are allowed for the user you will need some AAA configurations on the ASA, the LOCAL username configurations with specific privilege levels and modified privilege levels for the commands that you want to allow for the specific user accounts with their specific privilege level.

If you can specify the type of things this user should see then I could try to create a AAA configuration for you for this purpose. Would be good practise for myself since in our environments theres usually a separate AAA server involved.

- Jouni

add a local user to ASA 5512-x

LionKin1984 — Thu, 16 Jan 2014 11:58:23 GMT

Hi Jouni

Thanks for your post

Apparently you can let ASDM setup commands with the respective privilege levels by clicking 'set ASDM Defined User Roles' in Users/AAA session on ASDM.

I want to create a user with 'view only' access level

cheers

add a local user to ASA 5512-x

James Leinweber — Thu, 16 Jan 2014 17:02:45 GMT

Setting up locally authenticated users involves commands like:

user-identity default-domain LOCAL

aaa authentication ssh console LOCAL

aaa authentication enable console LOCAL

aaa authorization command LOCAL

username sysadmin password XXXXX encrypted privilege 15

username readonly password YYYYY encrypted privilege 2

However, by default hardly any commands are available at privilege 1 and all of them are available at privilege 15, so you might need a whole platoon of "privilege .. level 2 mode ..." commands to effect your will. There may be less tedious ways of accomplishing this that I'm unfamiliar with.

-- Jim Leinweber, WI State Lab of Hygiene

add a local user to ASA 5512-x

LionKin1984 — Fri, 17 Jan 2014 08:28:32 GMT

Thanks for you reply James, I am using ASDM, I just clicked 'ASDM Defined User Roles Setup' and it created 3 users 'Admin, ReadOnly and Monitor Only with privilege levels 15, 5 and 3 respectively'