Re: ASDM and privilege level (using TACACS)

joan.ballaud · ‎02-03-2010

Hi experts,

Initial question: How can I force ASDM to ask for the enable password when the user click on Apply ?

Environment description:

I have an ASA 5510 connected to an ACS 5.0.

Security policy:

I want the user defined on my ACS to be able to gain privilege level 15 but only after using their enable password. But by default the user must be in no privileged mode (<15).

A SNMP alert is sent when the ASA catches a "User priv level changed" syslog message. (logging customization)

ACS configuration:

Maybe I misunderstand the TACACS privilege level parameters on ACS.

I set a Shell Profile which gives the user the following privilege levels:

Default Privilege Level = 7

Maximum Privilege Level = 15

1st config tested on ASA:

aaa authentication ssh console grp-tacacs LOCAL

aaa authentication http console grp-tacacs LOCAL

aaa authentication enable console grp-tacacs LOCAL

! no authorization set

Results:

On CLI: perfect

My user authenticates with his network password to get EXEC access. Then he gains privilege access using the enable command and his enable password

On ASDM: policy security failure

When the user connects through ASDM, he gains privilege level 15 directly

It seems that if authorization is not set, ASDM always gives privilege level 15 to any user

So OK for CLI, but NOK pour ASDM

2nd config tested on ASA:

aaa authentication ssh console grp-tacacs LOCAL

aaa authentication http console grp-tacacs LOCAL

aaa authentication enable console grp-tacacs LOCAL

aaa authorization exec authentication-server

! no authorization command set

Results:

On CLI: lose enable access

I can't gain privilege level 15 access anymore. When I use the enable command, I move to privilege level 7 only. So in this case ASA use the TACACS Default Privilege Level value.

On ASDM: policy security failure

When the user connects through ASDM, he gains privilege level 7 as describe on the bottom of the ASDM window BUT the user has full rights and can change settings.

So NOK for CLI and ASDM

Question: Why do I have more access rights with ASDM as on CLI with the same settings ?

3rd config tested on ASA:

aaa authentication ssh console grp-tacacs LOCAL

aaa authentication http console grp-tacacs LOCAL

aaa authentication enable console grp-tacacs LOCAL

aaa authorization exec authentication-server

aaa authorization command LOCAL

! specific authorization command set for ASDM applied

Results:

On CLI: lose enable access (same as config 2)

On ASDM: unenable to gain privilege level 15 --> acceptable

When the user connects through ASDM, he gains privilege level 7 as describe on the bottom of the ASDM window AND the user really has level 7 access rights.

So NOK for CLI and Acceptable for ASDM

Question: Is there no possibility to move to enable mode on ASDM ?

4th config tested on ASA:

aaa authentication ssh console grp-tacacs LOCAL

aaa authentication http console grp-tacacs LOCAL

aaa authorization exec authentication-server

aaa authorization command LOCAL

! no aaa authentication for 'enable access', using local enable_15 account

! specific authorization command set for ASDM applied

Results:

On CLI: acceptable

My user authenticates with his network password to get EXEC access. Then he gains privilege access using the enable command and the local enable password

On ASDM: unenable to gain privilege level 15 --> acceptable (same as config 3)

So Acceptable for CLI and ASDM

Questions review:

1 - Is it possible to force ASDM to ask for the enable password when the user click on Apply ?

2 - Why do I have different access rights using ASDM as on CLI with the same settings ?

3 - Is there no possibility to move to enable mode on ASDM when the user is on privilege level 7 whereas he has Maximum Privilege Level = 15 ?

4 - How may I understand these parameters on TACACS: Default Privilege Level and Maximum Privilege Level ?

Thanks for your help.

jedubois · ‎03-08-2010

Joan,

ASDM will not prompt for an enable password, here is an explaination of the privilege use with ASDM:

http://www.cisco.com/en/US/docs/security/asdm/6_2/user/guide/mgt_acc.html#wp1581275

Depending on what user logs in is what privilege the user will get in ASDM. Where are the users logging

into ASDM stored? Local? Radius? Tacacs? LDAP?

--Jesse

jedubois · ‎03-08-2010

Sorry I didn't directly answer your questions.

1) No ASDM will not ask for the enable password, rights are assigned to the local user it is a type of

role based authentication.

2) That is the way it is designed, with either monitor or configuration access for ASDM. It is

more role based. If you give the user Privilege 15 they will get Configuration Access if less

they will get monitor access.
3) No you can not move into configuration mode if you log into ASDM with a user that only has

monitor access.

4) Privilege level is the level that is passed to the NAS during user authentication. Maximum privilege

level is for enable authentication, for example if a user has a maximum enable privilege as 7 and they

type enable 7 in IOS they would be granted level 7. If they type enable 10 they would be denied enable

authentication.

How many privilege levels are you planning to use?

--Jesse

joan.ballaud · ‎03-09-2010

Thanks for your answer jedubois.

In fact, my security policy is like this:

A) Authentication has to be nominative with password enforcement policy

--> I'm using CS ACS v5.1 appliance with local user database on it

B) Every "network" user can be granted priviledge level 15

--> max user priviledged level is set to 15 in my authentication mechanism on ACS

C) A "network" user can log onto the network equipments (RTR, SW and FW) but having monitor access only first.

D) A "network" user can be granted priviledged level 15 after a second authentication which generates a log message

--> SNMP trap sent to supervision server

E) The user password and enable password have to be personal.

So, I need only 2 priviledged level:

- monitor (any level from 1 to 14. I set 7)

- admin (level 15)

For RTR, SW and FW (on CLI), it works as wanted: the "network" users connect to the equipment in monitor mode. They type "enable" and they use their private enable password to be granted priviledged level 15.

ASDM interface is requested by the customer.

For ASDM, as I were not able to satisfy the security policy, I apply this:

1- I activated Exec Shell Access authorization to get the default user priviledge level value from ACS

--> Then, when I log onto the ASDM using a "network" user, I have priviledge level 7 but I am able to change the parameter.

2- I activated LOCAL Command authorization (adding "ASDM defined User Roles")

--> Then, when I log onto the ASDM using a "network" user, I have priviledge level 7 and I can't push any modification.

--> The issue is that I can't push any modification on CLI either ... :-( because my user is stuck on "default priviledge level" 7 and can't get access to "max priviledge level 15" as defined on ACS when LOCAL authorization is set

(ok I go on my ACS and move the default priviledge level to 15 to restore an admin access to the ASA and apply 3- before resetting it to default priviledge level to 7)

3- I remove "aaa authorization enable console TACACS" to use local enable password

--> now I can't get admin access on ASDM: OK

--> and I can get admin access on CLI entering the local enable password

At the end, I satisfy my policy security tokens A to D but not E. That's a good compromise but do you see a solution to satisfy E either ?

Thanks