08-05-2009 06:49 AM - edited 03-10-2019 04:37 PM
Hello,
I have an ACS 4.2 Appliance which is integrated with a Cisco ASA. I need to configure the users in ACS with read-only access to ASDM. Can anybody help me to know which commands are required on the ASA and what parameters need to be configured in ACS?
Thanks in advance.
08-05-2009 06:57 AM
I don't believe it can be done. ASDM is for configuration and can not be configured strictly for monitoring.
08-05-2009 07:18 AM
Sunil,
If you do not have command authorization in place on your ASA, then you can simply pass down an exec authorization privilege of 1 to that user when they log into ASDM. This will allow them to look through all of ASDM like any other user. But if they were to try to write something to the configuration, then that would fail.
If you do have command authorization in place, or if you would like to have command authorization, then there is actually a set of commands that are required in order to give read-only access for ASDM which you would have to move to a lower privilege. Luckily, there is a feature in ASDM which will allow you to move a series of commands to Read Only (privilege 5) ASDM access, as well as a series of commands to Monitor Only (privilege 3) ASDM access.
Log in with a user of privilege 15 and navigate to Configuration > Device Administration > AAA Access > Authorization. There is a button "Predefined User Account Privilege". If you select and apply this, it will set a series of commands to a lower privilege based on what ASDM needs to authorize that user for either Read Only or Monitor Only access.
Then you would need to create a new user account with privilege 5 access so that ASDM is read only, or create a new user with privilege 3 for monitor-only access.
Regards,
~JG
Do rate helpful posts
08-05-2009 07:21 AM
That's helpful info Jagdeep.
08-05-2009 07:38 AM
Thanks JG for your prompt reply.
Right now I don't have authorization commands on the ASA, but authentication is happening from ACS.
So in your 1st option:
How to pass privilege level 1 to read-only user which is authenticating from ACS?
And in 2nd option:
I have configured read-only users with privilege 15 because if I keep the privilege less than 15 then the user is unable to log in to privileged mode (for commands such as show run etc. on routers).
In this option, if the user gets privilege level 5 or 3 from ACS then it is very easy.
Thank You,
Sunil
06-08-2010 03:17 PM
Sunil,
This can be done with or without ACS. I think with ACS it would be more reliable and centralized.
I recreated this in our lab a few months ago with an ACS server.
Following are the minimum commands that need to be permitted for a read-only account for ASA 8.0(4) and ASDM 6.1.x.
ACS configuration:
Go to Shared Profile Components > Shell Command Authorization Sets > edit/add the authorization set and make sure we have these commands and their respective arguments available there.
Command    Argument
copy       Permit all unmatched arguments
dir        Permit disk0:/dap.xml
enable     Permit
perfmon    Permit interval 10
show       Permit all unmatched arguments
write      Permit net
exit       Permit all
These commands are required on ASA/PIX/FWSM in order to implement command authorization through an ACS server:
aaa-server authserver protocol tacacs+
aaa-server authserver host x.x.x.x
aaa authorization command authserver
With the above settings, you can use privilege 15 on the ACS. It will only allow the user to run show commands; the user won't be able to make any changes.
In case it doesn't work, please run the following:
debug tacacs
debug authorization
HTH
JK
Do rate helpful posts
06-08-2010 11:50 AM
Hi Jagdeep,
This doesn't seem to work in ASDM 6.2(1), at least as far as setting up a level 3 or 5. They both seem to have enable privileges.
I'm looking to avoid using AAA, we've been burned in the past.
Thanks.
Jimmyc
06-09-2010 08:17 AM
Hi Jagdeep,
I found a very important step that I was missing, to wit:
Step 7 In the Access Restriction area, set the management access level for a user. You must first enable management authorization using the Perform authorization for exec shell access option on the Configuration > Device Management > Users/AAA > AAA Access > Authorization tab.
the link was http://www.cisco.com/en/US/docs/security/asdm/6_2/user/guide/mgt_acc.html#wp1581382
It was kinda implied that level 5 was read-only, but you must configure it, as per above.
06-09-2010 08:30 AM
Hi colin,
It took a bit, but you can do it without AAA. see my recent posts. regards, jimmyc
06-09-2010 08:33 AM
Yes, you can, but for that you have to define almost all commands on the ASA with their privilege level. Suits those who don't have ACS.
Keep posting.
JK
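A local-only (no ACS) configuration along the lines JG and jimmyc describe, as an added example that is not from any poster in this thread: the account is created at privilege 5, exec authorization is switched on so that the level is actually applied to the ASDM session (the step jimmyc found missing), and a few `privilege` lines lower the show commands a read-only user needs. The username, password, subnet and the short privilege list are placeholders; the complete list is what the ASDM "Predefined User Account Privileges" button generates.

```text
! Added example, not from the thread. Local users only, no ACS.
! Placeholder values: asdm-ro / CHANGEME, 10.0.0.0/24 on 'inside'.
!
! ASDM (http) and enable both authenticate against the local user database
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
!
! Without exec authorization the user's privilege level is not applied
! to the session, so a level-5 user would still look like level 15
aaa authorization exec LOCAL
!
! Read-only ASDM account at privilege 5: configure mode stays at 15,
! so this user cannot write to the configuration
username asdm-ro password CHANGEME privilege 5
!
! Lower selected commands so the account can view what ASDM needs.
! Illustrative subset only; ASDM's "Predefined User Account Privileges"
! button generates the full list for Read Only (5) and Monitor Only (3).
privilege show level 5 mode exec command running-config
privilege show level 5 mode exec command import
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
!
! Allow ASDM access from the management subnet only
http server enable
http 10.0.0.0 255.255.255.0 inside
```

Verify the result by logging in to ASDM as asdm-ro and confirming that the session shows privilege 5 and that any configuration change is rejected.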