ASA Read only User

angel-moon
Level 3

Hello Everyone,

Can someone tell me the command for creating a user on an ASA 5500 running 7.2(3) that can only view the config but not make any changes?

Thanks in advance! All replies rated



JORGE RODRIGUEZ
Level 10

You can use privilege level 5. This will allow enable mode, but it will not give config t access, nor clear xlate or any clear commands; it can however issue show and its subcommands, including show run. The same applies when using ASDM.

create user in asa local database

asa(config)# username <name> password <password> privilege 5

enable AAA to use ASA local user database

asa(config)#aaa authentication telnet console LOCAL

asa> en

Password: *******

asa#config t

^

ERROR: % Invalid input detected at '^' marker.

ERROR: Command authorization failed

asa#clear xlate

ERROR: % Invalid input detected at '^' marker.

ERROR: Command authorization failed

asa#

Regards

Jorge Rodriguez

Thanks. I am not sure if access by SSH makes a difference but the user is using SSH and SSH is configured to authenticate to the local database but the user can still get to config t. I am running 7.2 if that makes a difference.

Add the below statement. Have you defined privilege levels for that particular SSH user as indicated in my previous post?

aaa authentication ssh console LOCAL

http://www.cisco.com/en/US/products/hw/vpndevc/ps2030/products_configuration_example09186a008069bf1b.shtml

Jorge Rodriguez

Hello,

Yes, I do have the above listed statement and have defined the privilege level as the first post said.

Thanks!

Ok , you must be missing this statement, try with that user after you enter this in asa and let me know.

aaa authorization command LOCAL

Additional reference for aaa authorization command

http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1537175

Regards

Jorge Rodriguez
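As an added example (not from this thread or from Cisco), a small Python audit that reads a running-config excerpt and flags the gap this thread ran into: users below privilege 15 while "aaa authorization command" is absent, and SSH logins without "aaa authentication ssh console". The sample config is constructed; the function and regexes are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample of an ASA running-config excerpt (not from a real device):
# a privilege-5 user exists and SSH authenticates against LOCAL, but the
# "aaa authorization command LOCAL" line that enforces privilege levels is missing.
SAMPLE_CONFIG = """\
hostname asa
username admin password ***** encrypted privilege 15
username viewer password ***** encrypted privilege 5
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
"""

USER_RE = re.compile(r"^username\s+(\S+)\s+.*\bprivilege\s+(\d+)$")
AUTHN_RE = re.compile(r"^aaa authentication (\S+) console (\S+)$")
AUTHZ_RE = re.compile(r"^aaa authorization command (\S+)$")


def audit_asa_config(config: str) -> List[str]:
    """Return a list of findings; an empty list means the read-only setup is consistent."""
    users: Dict[str, int] = {}      # username -> configured privilege level
    authn: Dict[str, str] = {}      # access method (ssh, telnet, ...) -> server group
    authz = None                    # server group used for command authorization
    for raw in config.splitlines():
        line = raw.strip()
        if m := USER_RE.match(line):
            users[m.group(1)] = int(m.group(2))
        elif m := AUTHN_RE.match(line):
            authn[m.group(1)] = m.group(2)
        elif m := AUTHZ_RE.match(line):
            authz = m.group(1)

    findings: List[str] = []
    # Users below level 15 are only restricted once command authorization is on;
    # without it they can still reach config t, as the thread describes.
    limited = sorted(name for name, level in users.items() if level < 15)
    if limited and authz is None:
        findings.append("aaa authorization command is not configured; privilege levels of "
                        + ", ".join(limited) + " are not enforced at the CLI")
    # Assumes SSH is the management access in use, as in the thread.
    if "ssh" not in authn:
        findings.append("aaa authentication ssh console is not configured")
    return findings


if __name__ == "__main__":
    for finding in audit_asa_config(SAMPLE_CONFIG) or ["no findings"]:
        print(finding)
```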

That was it. Thanks! Just to make sure, this ASA is also authenticating users for VPN connections by pointing to the domain. This should not impact those users correct?

Thanks so much!!

Angel, it should not impact any VPN-related authentication; this only pertains to authorization for managing the ASA appliance.

Glad it is resolved and thank you for rating.

regards

Jorge Rodriguez

goulin
Level 1

Hi,

I just stumbled onto this post. I was wondering if there was a generic command to allow access to all show commands, instead of having to specify them individually:

e.g. at the moment I have a Level 5 user who I want to have access to all show commands, but not configuration mode, and I have to manually specify each command:

privilege show level 5 mode exec command running-config

privilege show level 5 mode exec command log

Is there an equivalent of show * that I can add?

Thanks

akbansal@cisco.com
Cisco Employee

While it is possible to expose a custom set of commands from the ASA CLI for all its contexts as shown below, how do you ensure the same for the system CLI on the ASA? It doesn't seem to have the aaa commands available.

Enable the use of local command privilege levels, which can be checked against the privilege level of users in the local database:

asa/Management(config)# aaa authorization command LOCAL
asa/Management(config)# exit

Create a user with privilege level 5 in the local database:
asa/Management(config)# username <> password <> privilege 5

To view privilege levels:
asa/Management# show curpriv
Username : <>
Current privilege level : 5
Current Mode/s : P_PRIV


Example:

asa/Management(config)# privilege show level 5 command running-config