08-10-2023 06:27 AM - edited 08-10-2023 06:37 AM
Hi everyone,
I'm trying to configure read-only ASDM access with TACACS, but I'm not able to make it work.
It's working fine for CLI access, but when I try to log in with ASDM it accepts the username, starts loading and then prompts again with a username and password request.
Looking at tacacs authorization (attached below), I can see that ASDM is trying to run a "conf t" and "write net" and it's denied.
permit show version
permit show curpriv
permit perfmon interval 10
permit show asdm sessions
permit show firewall
permit show mode
permit show module
permit show cluster interface-mode
permit show cluster info
permit show running-config cluster
permit show running-config webvpn
permit session sfr do get-eula-status
permit show module sfr details
permit session sfr do get-onbox-status
permit show curpriv
permit show version
permit show vpn-sessiondb license-summary
deny configure term
permit show running-config aaa authorization
permit show running-config
permit show running-config
permit show running-config route
permit show running-config interface
permit show running-config track
permit show running-config sla monitor
permit show running-config threat-detection
permit show running-config dynamic-filter
permit show running-config hpm
deny configure term
permit show blocks
permit show cpu core all
permit show service-policy user-statistics
permit show curpriv
permit show curpriv
permit show running-config all
permit show running-config all regex
permit show running-config all class-map
permit show running-config all ssl
deny write net
The ASA is 5516-X with Version 9.16(3)19 and ASDM 7.18(1)152
act# show run privilege level 5
privilege cmd level 5 mode exec command more
privilege cmd level 5 mode exec command dir
privilege cmd level 5 mode exec command export
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 5 mode configure command asdm
privilege show level 5 mode configure command privilege
I know that there's a related bug, CSCvq20174, but if I add write net to the authorized commands as suggested in the workaround, the login works fine but the user gets privilege 15.
The TACACS server user profile is set up with privilege 5.
Is there any way to make this work?
Many thanks
08-29-2023 03:05 AM
A possible solution is to use a different command authorization set for ASDM users and CLI users. For example, you can create a command authorization set named “ASDM-RO” on your TACACS+ server and assign it to your read-only ASDM users. In this set, you can allow “write net” and other commands that are required for ASDM login, but deny all other configuration commands. This way, your ASDM users can log in successfully with read-only access, but they cannot make any changes to the configuration.
Cheers!
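To check a candidate "ASDM-RO" command set against what ASDM actually tried during login, the following added example (not from the thread or from Cisco) replays the command-authorization log quoted above through a first-match-wins permit/deny list with an implicit deny. The rule list, the "ASDM-RO" name and the log excerpt are assumptions constructed for illustration; the real TACACS+ server syntax differs and only the evaluation logic is shown.

```python
import re

# Constructed excerpt of the TACACS+ command-authorization log quoted in the
# thread ("<verdict> <command>" per line); the real log has more entries.
AUTHZ_LOG = """\
permit show version
permit show curpriv
permit perfmon interval 10
permit show asdm sessions
permit session sfr do get-eula-status
permit show module sfr details
deny configure term
permit show running-config all
deny write net
"""

# Hypothetical "ASDM-RO" command set: ordered (verdict, pattern) rules,
# first match wins, anything unmatched is denied. Patterns are anchored
# regexes over the full command line.
ASDM_RO_RULES = [
    ("permit", r"show( .+)?"),
    ("permit", r"perfmon interval \d+"),
    ("permit", r"session sfr do get-[a-z-]+-status"),
    ("permit", r"write net"),            # required for ASDM login (see thread)
    ("deny",   r"configure( .+)?"),
    ("deny",   r"write( .+)?"),          # any other write form stays denied
]


def parse_authz_log(text):
    """Return an ordered, de-duplicated list of (verdict, command) pairs."""
    seen = set()
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        verdict, _, command = line.partition(" ")
        if verdict not in ("permit", "deny") or not command:
            raise ValueError(f"unparseable log line: {line!r}")
        if command not in seen:
            seen.add(command)
            entries.append((verdict, command))
    return entries


def evaluate(command, rules=ASDM_RO_RULES):
    """First-match-wins evaluation of one command with an implicit deny."""
    for verdict, pattern in rules:
        if re.fullmatch(pattern, command):
            return verdict
    return "deny"


def audit(log_text, rules=ASDM_RO_RULES):
    """Compare each logged verdict with what the candidate rules would return."""
    return [
        {"command": cmd, "logged": logged, "policy": evaluate(cmd, rules)}
        for logged, cmd in parse_authz_log(log_text)
    ]


def still_denied(log_text, rules=ASDM_RO_RULES):
    """Commands ASDM attempted that the candidate rule set would still deny."""
    return [row["command"] for row in audit(log_text, rules) if row["policy"] == "deny"]


if __name__ == "__main__":
    for row in audit(AUTHZ_LOG):
        flag = "" if row["logged"] == row["policy"] else "  <- verdict changes"
        print(f"{row['policy']:6} {row['command']}{flag}")
    print("still denied:", still_denied(AUTHZ_LOG))
```

Run it against the full log from the first post before pushing a set to the server: anything listed as still denied will break the ASDM login again, while configuration and other write forms remain denied by the explicit rules and the implicit deny. Note that a command set only decides which commands are permitted; it does not by itself set the session privilege level.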
08-29-2023 07:16 AM
I never had success, to be honest - then we moved on to FMC / FTD,
but I see this thread - noted for reference, you may check it and it may help you:
https://community.cisco.com/t5/network-access-control/aaa-asdm-read-only-access/td-p/1255947