10-06-2022 05:14 AM
Hello Sir,
Please, I am having an issue with a user who I want to have read-only access to the firewall.
Below is the command I use:
username DKamenuveve password xxxxxxxxxxxxxxxxxxx priv 5
The user is still able to execute configuration commands and save.
There are other aaa commands already on the firewall:
aaa-server radius protocol radius
aaa-server radius (Bus_Serv) host x.x.x.x
aaa authentication ssh console radius LOCAL
aaa authentication enable console radius LOCAL
aaa accounting ssh console radius
aaa accounting enable console radius
I want to limit access to only local users. Please, what am I missing?
Standing by please
10-06-2022 06:07 AM
Your config seems to be missing a couple commands. You need to define what the priv 5 users can issue in terms of commands, and then you need to configure the aaa authorization. Example:
privilege show level 5 mode exec command running-config
privilege show level 5 mode exec command logging
aaa authorization local
10-06-2022 06:42 AM
Thanks Aref.
Yes, I have all these already:
privilege cmd level 5 mode exec command ping
privilege cmd level 5 mode exec command packet-tracer
privilege cmd level 5 mode exec command logging
privilege show level 5 mode exec command running-config
privilege show level 5 mode exec command cpu
privilege show level 5 mode exec command interface
privilege show level 5 mode exec command clock
privilege show level 5 mode exec command dns-hosts
privilege show level 5 mode exec command access-list
privilege show level 5 mode exec command vlan
privilege show level 5 mode exec command ip
privilege show level 5 mode exec command asdm
privilege show level 5 mode exec command arp
privilege show level 5 mode exec command aaa-server
privilege show level 5 mode configure command privilege
However, I missed the "aaa authorization local"
May I humbly ask, if aaa authorization local is configured, will users with domain accounts be able to log in?
Thanks
10-07-2022 12:57 AM
Hello All,
Please, this is the aaa configuration currently running on the FW:
aaa-server radius protocol radius
aaa-server radius (Bus_Serv) host x.x.x.x
aaa authentication ssh console radius LOCAL
aaa authentication enable console radius LOCAL
aaa accounting ssh console radius
aaa accounting enable console radius
If I apply the aaa authorization command LOCAL on the FW, does it mean I will not be able to log in to the FW?
What happens to the AD users?
Standing by
10-06-2022 06:55 AM
https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/215792-analyze-aaa-device-administration-behavi.html
First, I saw your post early today, but I could not answer you because the commands need to be added to the ASA carefully; if a command is added wrong you can lose access to the FW.
Anyway,
see the above link; take a look, it shows you how the admin deals with each authz command you add.
Again, friend, read it carefully and then decide whether to add it.
Good luck
10-06-2022 08:37 AM
Thanks MHM
However, I'm lost with what is being explained there. If aaa authorization local is applied, what will be the effect? Can you advise on how to approach it?
Thanks
10-07-2022 04:53 AM
From the configs you shared, you are authenticating the AD users to log into the firewall via RADIUS, and I don't believe you are enforcing any authorization with RADIUS, so, I would say no, by applying the authorization command you won't affect the AD users' logins. You can schedule a reboot of the ASA before you apply that command, and if you see any wrong behaviour the ASA will reload reverting back the configs, and if you are happy with the change, you can then cancel the scheduled reboot.
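Putting the thread's pieces together, as an added example (not any participant's configuration): one safe change window for turning on local command authorization so the priv-5 user is actually restricted. It assumes ASA syntax for `aaa authorization command LOCAL`, `reload in` as the roll-back timer Aref describes, and `show curpriv` for verification; the privilege lines themselves are the ones already posted above.

```text
! Constructed example, not from the thread. Safety net first: the running
! config is not saved, so if the change locks you out the ASA reverts on reload.
reload in 10

configure terminal
! Read-only user: privilege 5 only carries the commands the
! "privilege ... level 5" lines grant it (see the list posted above).
username DKamenuveve password <redacted> privilege 5
! Without this line the privilege levels are never enforced, which is why
! the priv-5 user could still configure and save.
aaa authorization command LOCAL
end

! Verify from a SECOND session before committing (keep the first one open):
!   1. log in as DKamenuveve; "show curpriv" should report privilege level 5
!   2. "configure terminal" should be denied by command authorization
!   3. log in with a RADIUS/AD admin account and confirm it still works
! Only when all three pass, commit and disarm the timer:
write memory
reload cancel
```

If step 3 fails, do nothing: the timer expires and the ASA comes back with the previous startup configuration.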
10-07-2022 05:10 AM
excellent answer.