Cisco ACS for ASA Firewalls with multiple contexts.

BrunoLopes
Level 1
I would like to know if it is possible to configure Cisco ACS for ASA Firewalls (5585) with access segregation / access levels for each context in the firewall.

For example:
User Operator can access context 1 but is not allowed to change the ACL list; in context 2 it could change the ACL list.

Is it possible to configure ACS to segregate context access?
4 Replies

Francesco Molino
VIP Alumni
Hi

You have to define AAA in each context, which means you would be able to create separate rules on ACS to define different policies per context.
The source IP of the ASA context reaching the TACACS server is different per context, and based on this information you can have different policies like you wanted.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question

Hi Francesco, thank you very much for the idea, I'm going to work on this tomorrow and I'll let you know if it worked.

Good afternoon Francesco. We noticed that when User Operator uses the changeto command to access another context, it gets privileged access (the same as in the admin context). In this case you said it would work if the SSH function was enabled in the contexts and the changeto command was locked in the admin context. Any other ideas?

Sorry for my late answer, lot of work these past days.

I'll need to do some testing to see what other solution could work for your requirements.

Thanks
Francesco
PS: Please don't forget to rate and select as validated answer if this answered your question
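As an added example (not configuration posted by anyone in this thread), this is what the per-context AAA setup Francesco describes looks like in ASA multiple-context mode, together with the command authorization that lets ACS lock the changeto command in the admin context, as raised in the follow-up. The TACACS+ server address, SSH source network, interface names, key and context names are placeholders; the ACS-side command sets are described in comments because they are built in the ACS GUI, not on the ASA.

```text
! ===== Context CTX-OPS (entered with: changeto context CTX-OPS) =====
! Each context carries its own AAA server definition. The context's
! "inside" interface IP is the source address ACS sees, so ACS can map
! each context to its own authorization policy (Francesco's point).
aaa-server ACS-TACACS protocol tacacs+
aaa-server ACS-TACACS (inside) host 10.10.10.5
 key TACACS-KEY-PLACEHOLDER
! SSH enabled directly in the context, so operators log in here
! instead of arriving through changeto from the admin context.
ssh 10.20.0.0 255.255.0.0 inside
ssh version 2
aaa authentication ssh console ACS-TACACS LOCAL
aaa authentication enable console ACS-TACACS LOCAL
! Command authorization: every EXEC command is checked against the
! ACS shell command set for this context (e.g. deny "access-list"
! for the Operator role in CTX-OPS, permit it in another context).
aaa authorization command ACS-TACACS LOCAL
aaa accounting command ACS-TACACS

! ===== Admin context (entered with: changeto context admin) =====
aaa-server ACS-TACACS protocol tacacs+
aaa-server ACS-TACACS (inside) host 10.10.10.5
 key TACACS-KEY-PLACEHOLDER
ssh 10.20.0.0 255.255.0.0 inside
ssh version 2
aaa authentication ssh console ACS-TACACS LOCAL
aaa authentication enable console ACS-TACACS LOCAL
aaa authorization command ACS-TACACS LOCAL
aaa accounting command ACS-TACACS
! On ACS: the command set applied to the admin context's source IP
! (or its Network Device Group) denies "changeto" for the Operator
! role, so an operator who lands in the admin context cannot hop
! into another context and inherit admin-level access there.
! The LOCAL fallback only applies when the TACACS+ server is
! unreachable; keep local privilege levels consistent with ACS.
```

Verify the lock from an Operator session in the admin context with `changeto context CTX-OPS`; with command authorization active and the ACS deny in place, the ASA rejects the command and the accounting record on ACS shows which context's source IP issued it.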