07-26-2013 08:58 PM - edited 03-11-2019 07:17 PM
Hi all,
In my firewall deployment, there are 2 kinds of user:
A. local device admin for device configuration, which can do ASDM/CLI but no VPN
B. VPN only, which can have the attributes inherited from group policy.
But if I create the user with privilege level = 15, it automatically grants all access. What do I need to edit so that the local device admin is only able to configure the device, apart from going on VPN?
Thanks
Noel
07-26-2013 10:01 PM
Hello Yong,
There are 3 levels of users by default: 0, 1 and 15.
15 being the one with access to all of the commands, etc.
So the question is what are you looking for?
The VPN user not having all privileges to configure the ASA or what?
Can you explain yourself a little bit better?
For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
Cheers,
Julio Carvajal Segura
07-28-2013 06:48 PM
Hi Julio,
Thanks for the reply. Sorry for my statement causing the ambiguity.
My requirement is:
Local user, primarily acting in the device administrator role with privilege level 15, full access restriction EXCEPT VPN group policy granted.
My dilemma is that when I create a user with privilege 15, it will automatically grant me the VPN group policy as well, but I don't need it.
Million thanks
Noel
07-28-2013 07:19 PM
Hello Yong,
Exactly,
The way to make this happen?
1- Create a local user with privilege 14 and set all of the commands on level 14 except the VPN ones (NOT scalable at all)
2- Use an external database for command authorization (like an ACS). This would be so easy to do with TACACS+
For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/
Cheers,
Julio Carvajal Segura