READ ONLY ACCESS ON ASA 5525

Hello Sir,

Please, I am having an issue with a user who I want to have read-only access to the firewall.

Below is the command I use:

username DKamenuveve password xxxxxxxxxxxxxxxxxxx priv 5

The user is still able to execute configuration commands and save.

There are other aaa commands already on the firewall:

aaa-server radius protocol radius
aaa-server radius (Bus_Serv) host x.x.x.x
aaa authentication ssh console radius LOCAL
aaa authentication enable console radius LOCAL
aaa accounting ssh console radius
aaa accounting enable console radius

I want to limit access to only local users. Please, what am I missing?

Standing by please

 

7 Replies

Your config seems to be missing a couple of commands. You need to define what the priv 5 users can issue in terms of commands, and then you need to configure the aaa authorization. Example:

privilege show level 5 mode exec command running-config

privilege show level 5 mode exec command logging

aaa authorization local
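The reply above names the two missing pieces. For a practitioner the important detail is the interplay: `privilege N` on a `username` line changes nothing on its own, because the ASA only consults the privilege table once command authorization is enabled, and the ASA keyword for that is `aaa authorization command LOCAL` (the `command` keyword is required; `aaa authorization local` is not accepted as typed). The block below is an added example, not configuration from the thread or from Cisco: a minimal local-only setup, since the original post says the goal is to limit access to local users. The account name `ro-viewer`, the admin account and the password placeholders are assumptions. One caveat that matters when changing from RADIUS to local: the ASA falls back to the LOCAL database only when every server in the RADIUS group is unreachable, not when the server rejects the credentials, so keep a level-15 local admin and test before removing RADIUS.

```cisco
! Added example, not from the thread: a local-only configuration in which a
! level-5 account can look but not change. Account names and passwords are
! placeholders.
!
! 1. Authenticate SSH and "enable" against the local database. With LOCAL
!    enable authentication the user enters their own password at "enable"
!    and lands in the privilege level set on their username entry.
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
!
! 2. Accounts. Always keep one full administrator so the authorization
!    change below cannot lock everyone out.
username admin password <placeholder> privilege 15
username ro-viewer password <placeholder> privilege 5
!
! 3. Commands a level-5 user may run. Anything not moved down keeps its
!    default level, which is 15 for almost every command, so
!    "configure terminal", "write memory", "copy" and "clear" stay out of
!    reach. ("show curpriv", "show version", "enable", "quit" are level 0.)
privilege show level 5 mode exec command running-config
privilege show level 5 mode exec command interface
privilege show level 5 mode exec command access-list
privilege show level 5 mode exec command logging
privilege cmd level 5 mode exec command ping
privilege cmd level 5 mode exec command packet-tracer
!
! 4. The piece the original post was missing. Without this line the
!    privilege table is never consulted and any user who passes "enable"
!    gets the full level-15 command set.
aaa authorization command LOCAL
!
! Verification, from an SSH session as ro-viewer:
!   show curpriv                        -> reports privilege level 5
!   show running-config                 -> allowed (moved to level 5 above)
!   configure terminal                  -> rejected: command authorization failed
! and as admin, to see the whole table including defaults:
!   show running-config all privilege
```

The `show running-config all privilege` listing is the quickest way to audit what a given level can actually do, because it includes the default assignments that `show running-config` omits.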

Thanks Aref.

Yes, I have all these already:

privilege cmd level 5 mode exec command ping
privilege cmd level 5 mode exec command packet-tracer
privilege cmd level 5 mode exec command logging
privilege show level 5 mode exec command running-config
privilege show level 5 mode exec command cpu
privilege show level 5 mode exec command interface
privilege show level 5 mode exec command clock
privilege show level 5 mode exec command dns-hosts
privilege show level 5 mode exec command access-list
privilege show level 5 mode exec command vlan
privilege show level 5 mode exec command ip
privilege show level 5 mode exec command asdm
privilege show level 5 mode exec command arp
privilege show level 5 mode exec command aaa-server
privilege show level 5 mode configure command privilege

However, I missed the "aaa authorization local"

May I humbly ask: if aaa authorization local is configured, will users with domain accounts be able to log in?

Thanks

Hello All,

Please, this is the aaa configuration currently running on the FW:

aaa-server radius protocol radius
aaa-server radius (Bus_Serv) host x.x.x.x
aaa authentication ssh console radius LOCAL
aaa authentication enable console radius LOCAL
aaa accounting ssh console radius
aaa accounting enable console radius

If I apply the aaa authorization command LOCAL on the FW, does it mean I will not be able to log in to the FW?

What happens to the AD users?

Standing by 

https://www.cisco.com/c/en/us/support/docs/security/adaptive-security-appliance-asa-software/215792-analyze-aaa-device-administration-behavi.html
First, I saw your post early today, but I could not answer you because the commands need to be added to the ASA carefully; if a command is added wrong, you can lose access to the FW.
Anyway,
see the link above; it shows you how an admin deals with each authz command you add.
Again, friend, read it carefully and then decide whether to add it.
Good luck

Thanks MHM

However, I'm lost with what is being explained there. If aaa authorization local is applied, what will be the effect? Can you advise how to approach it?

Thanks

From the configs you shared, you are authenticating the AD users to log into the firewall via RADIUS, and I don't believe you are enforcing any authorization with RADIUS, so I would say no, applying the authorization command won't affect the AD users' logins. You can schedule a reboot of the ASA before you apply that command; if you see any wrong behaviour, the ASA will reload and revert the configs, and if you are happy with the change you can then cancel the scheduled reboot.
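The scheduled-reboot safety net described in the reply above is worth spelling out step by step, because it only works if the running change is never saved to startup-config before it has been tested. The block below is an added example, not commands from the thread: it uses the ASA's `reload in` / `reload cancel` pair around the single authorization command. The 10-minute window is an arbitrary choice, and the test logins in step 4 are what a practitioner would check, not results reported in the thread.

```cisco
! Added example, not from the thread: applying command authorization behind
! a timed reload so a lockout self-heals. Runs in one privileged session.
!
! 1. Make startup-config the known-good state to fall back to.
write memory
!
! 2. Arm the reload. From here until step 5 do NOT "write memory": if you
!    lose access, the reload boots the untouched startup-config.
reload in 10 noconfirm
!
! 3. Apply the change under test in this session only.
aaa authorization command LOCAL
!
! 4. From a SECOND SSH session (keep this one open), log in as each kind
!    of account and confirm the behaviour you expect:
!   show curpriv         ! 5 for the restricted local user, 15 for an admin
!   configure terminal   ! fails for the restricted user, succeeds for admin
!   Repeat with a RADIUS/AD account, since whether those users are affected
!   is exactly the question asked in this thread.
!
! 5. Only once every account behaves correctly: disarm the reload and save.
reload cancel
write memory
```

If anything goes wrong in step 4, simply wait: the reload fires, the appliance comes back on the saved configuration without the new line, and `show reload` in the meantime shows how long you have left.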

Excellent answer.
