09-29-2008 06:22 AM - edited 03-11-2019 06:50 AM
Hi, I am struggling to get my Cisco ASA to enforce privilege levels for users that authenticate to ASDM via RADIUS.
I am sending back the Priv-lvl=5 attribute, but all users connecting to ASDM get level 15 no matter what?
Any ideas?
09-29-2008 07:18 AM
Do you have:
aaa authentication http console
LOCAL is needed if you want fallback authentication in case the RADIUS server is unavailable.
Do rate helpful posts.
Regards,
Sushil
09-29-2008 07:30 AM
I already have aaa authentication http console.
The problem is that every authenticated user gets priv 15.
09-29-2008 07:35 AM
You can use the following commands to set the privilege level of specific commands. Next, if you create a username with-
-> 3 <= Privilege < 5 : Can only "monitor" the device, or can only run commands set at privilege level 3 (refer to the commands below).
-> 5 <= Privilege < 15 : Can only "see configuration settings"; refer to the additional commands at level 5 below.
-> Privilege = 15 : Complete access to the device.
Note: The privilege level of all other commands not mentioned below is by default 15; exceptions are commands like "help".
CHECK IF THE COMMAND BELOW IS PRESENT:
aaa authorization command
(MAKE SURE YOU HAVE AN ALTERNATE SESSION OPEN WHILE YOU SET AUTHORIZATION FOR COMMANDS TO AVOID A LOCKOUT.)
Regards,
Sushil
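As an added illustration (constructed for this thread, not posted by Sushil or anyone else here) of how the pieces above fit together on the ASA side, here is a configuration fragment. The server-group name RADIUS, the host 192.0.2.10 and the shared-secret placeholder are assumptions; the `aaa authorization exec authentication-server` line is not mentioned in the thread and is assumed to be available on the ASA release in use.

```cisco
! Constructed example, not from the thread. Server group, host and key are placeholders.
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host 192.0.2.10
 key <shared-secret-placeholder>
! Authenticate ASDM/HTTP logins against RADIUS, falling back to LOCAL if the server is unreachable
aaa authentication http console RADIUS LOCAL
! Command authorization must be on before per-level command restrictions take effect
! (ASA command authorization uses LOCAL or TACACS+, not RADIUS; keep a second session open)
aaa authorization command LOCAL
! Assumption: this makes the ASA apply the privilege level returned by the AAA server
! (the Priv-lvl attribute) instead of granting level 15 to every authenticated user
aaa authorization exec authentication-server
! Commands permitted at level 5 (read configuration) and level 3 (monitoring only)
privilege show level 5 command running-config
privilege show level 3 command interface
```

Without exec authorization, the privilege level the RADIUS server returns has nothing to act on, which matches the symptom described in the first post.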
09-29-2008 07:43 AM
I know how to do this with local usernames; the problem is using RADIUS for authentication.
The Cisco AV pair Priv-Lvl command doesn't seem to work or be adhered to by ASDM?