ASDM Roles Defined in ACS

colin.lynch
Level 4

Hi, I have a pair of PIX 535s running 7.04 with ASDM 5.0(1). I have used the ASDM wizard, which has set up three roles:

1) ASDM_Admin (priv 15)

2) ASDM_Readonly (priv 5)

3) ASDM_Monitor (priv 3)

The PIX now has these user accounts in the local database and some additional config assigning certain commands to the relevant privilege levels.

I have now configured the ACS 3.3 to be the first authenticator for these accounts, but they all end up with privilege 15 or nothing (command authorisation failed). I have set up the accounts and assigned the correct privilege level under the respective group, and have also tried creating an authorisation set only allowing the appropriate commands for that priv level. But the PIX does not seem to reflect the update. Does anyone know if there is a doc detailing how to set up these roles with ACS, or is there an av-pair defined role I can assign or something?

Thanks in advance.

Colin

5 Replies

annnguy
Level 1

This document probably isn't exactly what you are looking for, but it kind of goes over configs for device access:

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_7_2/conf_gd/sysadmin/mgaccess.htm#wp1042034

If you were to go into ASDM and look at Properties > Device Access > AAA Access > Authorization > Set ASDM Defined User Roles, you'll see a list of commands that have moved down in privilege. Essentially what you would need to do is use TACACS command authorization and create command authorization sets in ACS that would allow a Readonly user to execute all the commands of privilege 5 and lower that are listed in the aforementioned ASDM list. And then for a Monitor user, you would only allow them to execute all commands at level 3 and lower.

On the pix itself, you would need to make sure command authorization is turned on and pointing to your ACS server:

aaa authorization command tacacs+_server_group LOCAL

Hope this helps.

Sincerely,

Annie

Hi Annie

Thanks for replying. I did set up 3 authorisation sets named after the particular roles and did point the PIX at the ACS, but it did not seem that the PIX took any notice of the sets, as I kept getting "Command Authorisation failed" even when the authorisation set associated with the user allowed all commands.

When I checked the ACS logs I see for example "show version unknown command" entered in the failed log.

Regards

Colin

Hi Colin,

Would it be possible to get a glimpse of what the entire failed attempt entry shows? Generally, we probably want to look at the Author-Data field.

Are you seeing this when you try to access the ASDM, or while testing command authorization with the command line? Do you happen to be using the pix command authorization sets? Or are you using the shell command authorization sets?

Sincerely,

Annie

Hi Annie

I am using the "shell auth sets", not the PIX auth sets. I get the error "command auth failed" when I try to do anything from the command line after SSH'ing in, and get the "unknown command" entry in the ACS logs.

If I try to use ASDM I get an error something like "insufficient rights to execute sh version, check command authorisation".

I can't remember whether this creates a failed entry in ACS logs but will check.

Should I be using a Pix command authorisation set?

Thanks

Colin

Hi Colin,

So, it actually depends on the type of service the ASA is requesting. I actually don't know this myself, but if you were to look at the Author-Data field in the failed attempts, and you see something like "service=pixshell...", then you would use the Pix Command Authorization sets. If you see "service=shell...", then you would use the Shell Command Authorization sets.

Sincerely,

Annie
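As an added illustration (not code from this thread, from Cisco or from ACS) of the two points Annie raises: read the service attribute in an Author-Data field to pick the PIX or Shell command authorization set type, and check the requested command against the role's privilege ceiling from the ASDM wizard roles. The command-to-privilege table and the sample Author-Data strings are constructed for the example; the real list is the one ASDM shows under Set ASDM Defined User Roles.

```python
from typing import Dict, Tuple

# Privilege ceilings of the three ASDM wizard roles as given in the thread.
ROLE_MAX_PRIV = {"ASDM_Admin": 15, "ASDM_Readonly": 5, "ASDM_Monitor": 3}

# Constructed command -> privilege table (assumption, not the real ASDM list).
COMMAND_PRIV = {
    ("show", "version"): 3,
    ("show", "running-config"): 5,
    ("configure", "terminal"): 15,
}


def parse_author_data(author_data: str) -> Dict[str, str]:
    """Split an Author-Data field such as 'service=pixshell cmd=show cmd-arg=version'
    into a dict. A repeated key (cmd-arg can repeat) is joined with spaces."""
    pairs: Dict[str, str] = {}
    for token in author_data.split():
        if "=" not in token:
            continue  # ignore stray text in the log field
        key, _, value = token.partition("=")
        pairs[key] = f"{pairs[key]} {value}" if key in pairs else value
    return pairs


def set_type_for(pairs: Dict[str, str]) -> str:
    """Which ACS command authorization set type the request would be matched against."""
    service = pairs.get("service", "")
    if service == "pixshell":
        return "PIX Command Authorization set"
    if service == "shell":
        return "Shell Command Authorization set"
    return "unknown service: " + repr(service)


def authorize(role: str, author_data: str) -> Tuple[bool, str, str]:
    """Return (allowed, set type, reason) for one request from a user in `role`."""
    pairs = parse_author_data(author_data)
    set_type = set_type_for(pairs)
    cmd = pairs.get("cmd")
    if cmd is None:
        return (False, set_type, "no cmd attribute in request")
    needed = COMMAND_PRIV.get((cmd, pairs.get("cmd-arg", "")))
    if needed is None:
        return (False, set_type, "unknown command")  # what the ACS failed log shows
    ceiling = ROLE_MAX_PRIV[role]
    return (needed <= ceiling, set_type, f"needs priv {needed}, role ceiling {ceiling}")


if __name__ == "__main__":
    # Constructed sample Author-Data strings.
    print(authorize("ASDM_Monitor", "service=pixshell cmd=show cmd-arg=version"))
    print(authorize("ASDM_Readonly", "service=shell cmd=configure cmd-arg=terminal"))
```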