Local Admin user with no VPN group policy inherit

yong khang NG · ‎07-26-2013

Hi all,

My deployment for the firewall, there's 2 kind of user:

A. local device admin for device configuration, which on can do ASDM/CLI but no VPN

B. VPN only can have the attribute inherit from group policy.

But if create the user with privilege level = 15, it automatically grant all access. What need to edit in order local device admin only able to configure on device apart of going VPN?

Thanks

Noel

Julio Carvajal · ‎07-26-2013

Hello Yong,

There are 3 level of users by default 0,1 and 15.

15 being the one with access to all of the commands,etc.

So the question is what are you looking for?

The VPN user not having all privileges to configure the ASA or what?

Can u explain yourself a little bit better

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC

yong khang NG · ‎07-28-2013

Hi Julio,

Thanks for the reply. Sorry for my statement causing the ambuiguity.

My requirement is:

Local user, primary doing as device administrator role with privilege level 15, full access restriction EXCEPT VPN group policy granted.

My dillema is when i create a user with privilege 15, it will auto grant me the VPN group policy as well, but i don't need it.

Million thanks

Noel

Julio Carvajal · ‎07-28-2013

Hello Yong,

Exactly,

The way to make this happen?

1- Create a local user with privilege 14 and set all of the commands on level 14 except the VPN ones (NOT scalable at all)

2-Use an external databe for command authorization (like an ACS), This would be so easy to do with TACACS+

For Networking Posts check my blog at http://www.laguiadelnetworking.com/category/english/

Cheers,

Julio Carvajal Segura

Julio Carvajal
Senior Network Security and Core Specialist
CCIE #42930, 2xCCNP, JNCIP-SEC