Re: ASDM Authentication

lou_young · ‎06-11-2007

I currently have an ACS Appliance performing tacacs authentication for my network devices. I have a few user groups in there to assign access to certain devices and at certain priviledge levels. One of the groups allows the user to authenticate to any network device, but only with a max priviledge level of 1.

When these users log into my ASA's, they are unable to go into enable mode, which is good. But when they log into the ASA via ASDM, they can perform changes and write them to flash.

The ASDM reports they are logged in at priviledge level 15.

Has anyone else noticed a similar issue? If so, where you able to mitigate it?

Thanks.

lou_young · ‎06-14-2007

No one?

d-rathman · ‎06-21-2007

As long as the ASA is set to authorize all commands, create a command authorization set in ACS. In the command authorization set, permit ?show? and ?write? (and permit unmatched arguments) and deny all other unmatched commands. You then need to apply the command authorization set to the user, or if the user access devices besides the ASA, you may may to limit the devices the command authorization set is applied to for the user. To limit it, create a network device group for the ASAs and then assign the shell command authorization set on a per network device group basis for the user. With this setup, even if a user has priv 15, the command set will limit the commands they can use at prvi 15.

Fernando_Meza · ‎06-21-2007

Hi .. can you check you have also AAA configured for accessing the ASA by https.

aaa authentication http console group-tag

rochopra · ‎06-21-2007

you need to configure authentication and command authorization on ASA to limit access to the users.

have a look ta following link :

http://www.cisco.com/univercd/cc/td/doc/product/multisec/asa_sw/v_70/config/mgaccess.htm#wp1047288