10-19-2010 08:34 AM - edited 03-10-2019 05:30 PM
Hi,
I want to be able to control the configuration the users change from both ASDM and ssh session with the ASA in multi context mode.
I am able to get what I want without the use of the ACS (currently using version 4.2 on Windows)
I am doing what I think is the right configuration, but if anyone has any pointers, or has done this previously, any assistance would be appreciated.
I have created the PIX Command Set on the ACS and it looks good but does not work, or it works too well and I am unable to change or even show anything within the context, as I get an Authorisation error.
Thanks.
Regards,
Andrew
10-19-2010 08:20 PM
Andrew,
To configure command authorization on the ASA in such a way that specific users have read-only access to ASA/ASDM, the following needs to be configured.
ACS configuration: Go to Shared Profile Components > Shell Command Authorization Sets > Edit/add the authorization set and make sure we have these commands and their respective arguments available there:
    Command   Argument
    copy      Permit all unmatched arguments
    dir       Permit disk0:/dap.xml
    enable    Permit
    Perfmon   Permit interval 10
    show      Permit all unmatched arguments
    write     Permit net
In addition, these commands are required on ASA/PIX/FWSM in order to implement command authorization through an ACS server:
    aaa-server authserver protocol tacacs+
    aaa-server authserver host x.x.x.x
    aaa authorization command authserver
Regards,
~JG
Do rate helpful posts
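The following is an added example and not configuration from this thread or from Cisco; it shows one way to wire the ASA side of TACACS+ command authorization inside a single context so that a mistake in the ACS command set cannot lock you out of the box. The server address, TACACS+ key, interface name and the local fallback username are placeholders to be replaced with your own values.

```cisco
! ---- Example only: per-context AAA configuration for command authorization ----
! In multiple-context mode every line below is entered inside the context
! (changeto context <name>), not in the system execution space.

! TACACS+ server group used for login, enable and command authorization
aaa-server authserver protocol tacacs+
aaa-server authserver (inside) host 192.0.2.10
 key REPLACE_WITH_SHARED_SECRET

! Local account kept as a safety net. It is only consulted when the
! TACACS+ server is unreachable (LOCAL fallback), NOT when ACS answers
! with a deny, so it does not weaken the authorization policy.
username breakglass password REPLACE_WITH_STRONG_PASSWORD privilege 15

! Authenticate SSH, ASDM (http) and enable against ACS, fall back to LOCAL
aaa authentication ssh console authserver LOCAL
aaa authentication http console authserver LOCAL
aaa authentication enable console authserver LOCAL

! Put the user straight into the privilege level returned by ACS so that
! ASDM gets level 15 without a separate enable prompt
aaa authorization exec authentication-server

! Command authorization: every CLI/ASDM command is sent to ACS and checked
! against the shell command authorization set assigned to the user's group.
! LOCAL fallback again only applies when the server cannot be reached.
aaa authorization command authserver LOCAL

! Restrict where management sessions may originate from
ssh 192.0.2.0 255.255.255.0 inside
http 192.0.2.0 255.255.255.0 inside
http server enable
```

Because the LOCAL keyword only engages when ACS is down, the practical way to test a new command set without being locked out is to keep a second, already-authenticated SSH session open while you change the set on ACS, and to verify with a fresh session before closing it. The ACS side still has to hand the user privilege level 15 (Group Setup > Enable Options, as noted later in this thread); with a lower level ASDM's initial "show version" is rejected before command authorization is even consulted.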
10-20-2010 12:18 AM
Hi JG,
Thanks for the reply.
I have been able to get that functionality working ok but what I actually need is a cut down priv 15 set of commands as I want the users to be able to configure from both ASDM and ssh access but only certain commands.
It seems that when I go any further on this I lock myself out of the context and have to start over again.
Any assistance with this would be appreciated.
Thanks.
Andrew
10-20-2010 01:31 AM
Andrew,
No need to make any change in the priv lvl. Give all users a priv lvl of 15 and then control access via the command authorization feature. Command authorization works over the priv lvl, so even if a user's priv is 15, it does not mean that the user will be able to execute all commands.
User can only execute commands that are listed in the command set.
Regards,
~JG
Do rate helpful posts
10-20-2010 04:42 AM
Hi JG,
I understand this but am still getting the following error even though the command is allowed;
command unknown: service=shell cmd=show version
This is seen on the ACS server when trying to bring up ASDM for the said context.
Not sure why, as the command is allowed and I have even allowed all commands by bypassing the PIX/ASA Command Authorisation Sets.
Any ideas?
Will be trying a few other configurations and see what happens.
Thanks.
Andrew
08-29-2014 03:39 PM
Hey Guys,
I had the same thing happen when moving to a new ACS Server. I had also just switched from ACS authentication to AD Domain authentication.
I had to define the max Priv level for each group under enable options.
Group setup>enable options>Define max Privilege on a per network device group basis> add each device group with priv set to 15.