659 Views, 0 Helpful, 1 Reply

Read-only ASDM access for LDAP remote-authenticated user based on AD User Group

AlexFer (Level 1)

Hi forum members,

ASA 5580 is provisioned for remote authentication towards Active Directory. The administrator must be a member of AD User Group XXX.

New requirement is for a consultant to have read-only access via ASDM and is a member of AD User Group YYY. Would the following work?

 

ldap attribute-map LDAP_MemberOf_ServiceType_Privilege
 map-name  memberOf IETF-Radius-Service-Type
 map-value memberOf "CN=XXX,OU=Groups,OU=Service Management,DC=ad,DC=au" 6
 map-value memberOf "CN=YYY,OU=Groups,OU=Service Management,DC=ad,DC=au" 6
 map-name  memberOf Privilege-Level
 map-value memberOf "CN=YYY,OU=Groups,OU=Service Management,DC=ad,DC=au" 5

aaa-server AAA_for_ADMIN protocol ldap
aaa-server AAA_for_ADMIN (inside) host ad_server
 ldap-base-dn dc=ad,dc=au
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password ******
 ldap-login-dn CN=bind,DC=ad,DC=au
 server-type microsoft
 ldap-attribute-map LDAP_MemberOf_ServiceType_Privilege

aaa authentication http console AAA_for_ADMIN LOCAL
aaa authentication ssh console AAA_for_ADMIN LOCAL
aaa authorization exec authentication-server

privilege cmd  level 5 mode exec command dir
privilege cmd  level 5 mode exec command export
privilege cmd  level 5 mode exec command more
privilege show level 5 mode configure command asdm
privilege show level 5 mode configure command privilege
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config

Most importantly, it must be that privilege remains 15 for members of AD User Group XXX.

Comments/advice?

R's, Alex
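One way to check what an attribute map like the one above would hand back for a given set of AD group memberships, before it is put in front of real logins, is to simulate the map offline. The following is an added example written for this thread; it is not Cisco code and not part of the original post. It assumes two things that the ASA documentation, not this script, is authoritative on: that each map-value line belongs to the most recent map-name for the same LDAP attribute, and that every memberOf value of the user is compared against every map-value. The group DNs XXX and YYY and the sample map are constructed from the post.

```python
"""Simulate an ASA 'ldap attribute-map' against a user's AD memberOf values.

Added example, not Cisco code. The map semantics used here (map-value lines
belong to the most recent map-name for the same LDAP attribute; every memberOf
value is tested against every map-value) are assumptions made so the policy can
be reviewed offline; they are not a statement of how the ASA evaluates the map.
"""
import shlex
from collections import defaultdict

# Constructed sample: the attribute map from the post, as it would appear in
# 'show running-config'.
SAMPLE_ATTRIBUTE_MAP = """\
ldap attribute-map LDAP_MemberOf_ServiceType_Privilege
 map-name  memberOf IETF-Radius-Service-Type
 map-value memberOf "CN=XXX,OU=Groups,OU=Service Management,DC=ad,DC=au" 6
 map-value memberOf "CN=YYY,OU=Groups,OU=Service Management,DC=ad,DC=au" 6
 map-name  memberOf Privilege-Level
 map-value memberOf "CN=YYY,OU=Groups,OU=Service Management,DC=ad,DC=au" 5
"""

XXX_DN = "CN=XXX,OU=Groups,OU=Service Management,DC=ad,DC=au"
YYY_DN = "CN=YYY,OU=Groups,OU=Service Management,DC=ad,DC=au"


def parse_attribute_map(text):
    """Return {map_name: {cisco_attr: [(ldap_attr, ldap_value, cisco_value), ...]}}."""
    maps = {}
    current_map = None
    current_cisco = {}  # ldap_attr -> Cisco attribute named by the latest map-name
    for raw in text.splitlines():
        tokens = shlex.split(raw)  # handles the quoted DN with spaces
        if not tokens:
            continue
        if tokens[:2] == ["ldap", "attribute-map"]:
            current_map = tokens[2]
            maps[current_map] = defaultdict(list)
            current_cisco = {}
        elif tokens[0] == "map-name" and current_map:
            ldap_attr, cisco_attr = tokens[1], tokens[2]
            current_cisco[ldap_attr] = cisco_attr
            maps[current_map].setdefault(cisco_attr, [])
        elif tokens[0] == "map-value" and current_map:
            ldap_attr, ldap_value, cisco_value = tokens[1], tokens[2], tokens[3]
            cisco_attr = current_cisco[ldap_attr]  # assumption, see module docstring
            maps[current_map][cisco_attr].append((ldap_attr, ldap_value, cisco_value))
    return {name: dict(m) for name, m in maps.items()}


def evaluate(attr_map, ldap_attrs):
    """Return {cisco_attr: [matched cisco values]} for one user's LDAP attributes.

    ldap_attrs is {ldap_attr: [values]}, e.g. {"memberOf": [dn1, dn2]}.
    DN comparison is case-insensitive, as AD DNs are.
    """
    result = {}
    for cisco_attr, entries in attr_map.items():
        matched = []
        for ldap_attr, ldap_value, cisco_value in entries:
            user_values = [v.lower() for v in ldap_attrs.get(ldap_attr, [])]
            if ldap_value.lower() in user_values:
                matched.append(cisco_value)
        result[cisco_attr] = matched
    return result


def review(attr_map, ldap_attrs):
    """Flag attributes the map leaves unset or sets to conflicting values."""
    findings = []
    for cisco_attr, values in evaluate(attr_map, ldap_attrs).items():
        if len(set(values)) > 1:
            findings.append(f"{cisco_attr}: conflicting values {sorted(set(values))}")
        elif not values:
            findings.append(f"{cisco_attr}: not set by map (ASA default applies)")
    return findings


if __name__ == "__main__":
    amap = parse_attribute_map(SAMPLE_ATTRIBUTE_MAP)["LDAP_MemberOf_ServiceType_Privilege"]
    for label, groups in (("XXX admin", [XXX_DN]), ("YYY consultant", [YYY_DN]),
                          ("member of both", [XXX_DN, YYY_DN])):
        print(label, evaluate(amap, {"memberOf": groups}), review(amap, {"memberOf": groups}))
```

Running it over the three membership cases shows where the policy needs a decision rather than a guess: a member of XXX only gets a Service-Type but no Privilege-Level from the map, so whatever the ASA does when that attribute is absent decides whether they keep 15, and an account that is in both groups receives Privilege-Level 5, so group hygiene matters as much as the map itself.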

1 Reply

balaji.bandi (Hall of Fame)

+1

 

I am more interested to see the solution for this post, since it never worked for me. I have tried all options and could not succeed in giving one of the users read-only access.

 

We have a cluster of 5585X with a stable OS on it, 9.6.X.

As per my research it is not possible, but I welcome any solution found.

BB
