ISE 2.4 Device Admin policy for ASA read only access

atsukane
Level 1

Hi All,


I'm setting up ISE for device administration and have a few questions about TACACS command sets for ASA.

Requirement is to set up full access and ReadOnly access to ASA, for both ASDM and ssh.

I've read through some docs, but mostly this very helpful guide by kthiruve.

https://community.cisco.com/t5/security-documents/cisco-ise-device-administration-prescriptive-deployment-guide/ta-p/3738365#_Creating_Network_Devices 


Am I correct in thinking that if I don't specify any command sets for ReadOnly access, and just use a TACACS profile to match an AD group with Max Privilege 5, a member of this AD group is only allowed to issue the default set of commands granted to Level 5?

(Set ASDM defined user roles is enabled in AAA Access authorisation)

Also, since ASA only allows enable to level 15 with external AAA, "enable password xxxxxx level 5" won't work and it only accepts the level 15 enable password. I'd rather not give read-only users the level 15 enable password, so I'm thinking of setting the default privilege to 5. But I just wondered how other people are handling/configuring the read-only access.

Please advise.

ISE - 2.4 Patch 11

ASA - 5555, 5525 9.4(4)29

ASDM - 7.8(2)151, 7.8(1)150


Many thanks in advance. 

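For reference, an added ASA configuration fragment (constructed for this thread, not taken from the post or from the linked guide) showing the AAA setup the question describes: SSH, ASDM and enable authentication against ISE over TACACS+, exec authorization with ASDM-defined user roles so the privilege level returned by the TACACS profile is applied, and optional per-command authorization. The server tag ISE_TACACS, the interface name, the 192.0.2.10 address and the shared secret are placeholders.

```text
! Constructed example: ASA device administration against ISE via TACACS+
! Placeholders: ISE_TACACS, inside, 192.0.2.10, <shared-secret>
aaa-server ISE_TACACS protocol tacacs+
aaa-server ISE_TACACS (inside) host 192.0.2.10
 key <shared-secret>
!
! Authenticate SSH and ASDM (HTTPS) logins against ISE, LOCAL only as fallback
aaa authentication ssh console ISE_TACACS LOCAL
aaa authentication http console ISE_TACACS LOCAL
! Send enable authentication to ISE as well, so read-only users never need
! the local level-15 enable password
aaa authentication enable console ISE_TACACS LOCAL
!
! "Set ASDM defined user roles": take the user's privilege level from the
! TACACS+ profile (auto-enable lets a sufficiently privileged user land in
! enable mode without a second prompt)
aaa authorization exec authentication-server auto-enable
!
! Optional: have ISE command sets authorize every command, with accounting
aaa authorization command ISE_TACACS LOCAL
aaa accounting command ISE_TACACS
```

With only the exec authorization above and no command sets, a level-5 user is limited to the commands the ASA assigns to level 5 or below; the per-command lines are what turn ISE command sets into an enforced allow list.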