Read-only ASDM access with Tacacs

noliveira
Level 1

Hi everyone, 

I'm trying to configure a read-only ASDM access with tacacs, but I'm not able to make it work. 

It's working fine for CLI access but when I try to login with ASDM it's accepting the username, starts loading and then prompts again with a username and password request. 

Looking at tacacs authorization (attached below), I can see that ASDM is trying to run a "conf t" and "write net" and it's denied. 

permit	show	version
permit	show	curpriv
permit	perfmon	interval 10
permit	show	asdm sessions
permit	show	firewall
permit	show	mode
permit	show	module
permit	show	cluster interface-mode
permit	show	cluster info
permit	show	running-config cluster
permit	show	running-config webvpn
permit	session	sfr do get-eula-status
permit	show	module sfr details
permit	session	sfr do get-onbox-status
permit	show	curpriv
permit	show	version
permit	show	vpn-sessiondb license-summary
deny	configure	term
permit	show	running-config aaa authorization
permit	show	running-config
permit	show	running-config
permit	show	running-config route
permit	show	running-config interface
permit	show	running-config track
permit	show	running-config sla monitor
permit	show	running-config threat-detection
permit	show	running-config dynamic-filter
permit	show	running-config hpm
deny	configure	term
permit	show	blocks
permit	show	cpu core all
permit	show	service-policy user-statistics
permit	show	curpriv
permit	show	curpriv
permit	show	running-config all
permit	show	running-config all regex
permit	show	running-config all class-map
permit	show	running-config all ssl
deny	write	net

The ASA is 5516-X with Version 9.16(3)19 and ASDM 7.18(1)152

act# show run privilege level 5
privilege cmd level 5 mode exec command more
privilege cmd level 5 mode exec command dir
privilege cmd level 5 mode exec command export
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 5 mode configure command asdm
privilege show level 5 mode configure command privilege

I know that there's a related bug, CSCvq20174, but if I add write net to the authorized commands as suggested in the workaround, it logs in fine but the user gets privilege 15. 

The tacacs server user profile is setup with privilege 5.

Is there any way to make this work?

Many thanks

2 Replies

hemohemoh
Level 1

A possible solution is to use a different command authorization set for ASDM users and CLI users. For example, you can create a command authorization set named “ASDM-RO” on your TACACS+ server and assign it to your read-only ASDM users. In this set, you can allow “write net” and other commands that are required for ASDM login, but deny all other configuration commands. This way, your ASDM users can log in successfully with read-only access, but they cannot make any changes to the configuration.

Cheers!
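To check a candidate “ASDM-RO” command set against the commands ASDM actually sent (the authorization lines from the question), here is an added Python evaluator; it is not from this thread or from Cisco, and the ASDM_RO_SET rules, the first-match/implicit-deny semantics (modelled on ISE-style command sets) and the sample log are assumptions.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of the TACACS+ authorization lines quoted in the question:
# verdict <TAB> first command word <TAB> remaining arguments.
CAPTURED_LOG = """\
permit\tshow\tversion
permit\tshow\tcurpriv
permit\tperfmon\tinterval 10
permit\tsession\tsfr do get-eula-status
permit\tshow\trunning-config aaa authorization
deny\tconfigure\tterm
permit\tshow\trunning-config all ssl
deny\twrite\tnet
"""

Rule = Tuple[str, str, str]  # (action, command word, regex over the arguments)

# Hypothetical "ASDM-RO" set: first matching rule wins, unmatched commands are
# denied. 'write net' is permitted per the CSCvq20174 workaround (it saves the
# config to TFTP rather than changing it); configuration mode stays denied.
ASDM_RO_SET: List[Rule] = [
    ("permit", "show", r".*"),
    ("permit", "perfmon", r"interval \d+"),
    ("permit", "session", r"sfr do get-.*"),
    ("permit", "write", r"net"),
    ("deny", "configure", r".*"),
]

def parse_log(text: str) -> List[Tuple[str, str, str]]:
    """Split the tab-separated log into (verdict, command, args) tuples."""
    rows = []
    for line in text.splitlines():
        if line.strip():
            parts = line.split("\t", 2) + [""]
            rows.append((parts[0], parts[1], parts[2].strip()))
    return rows

def authorize(command: str, args: str, ruleset: List[Rule]) -> str:
    """Return the verdict the ruleset gives for one command (implicit deny)."""
    for action, rcmd, pattern in ruleset:
        if command.lower() == rcmd and re.fullmatch(pattern, args.strip()):
            return action
    return "deny"

def denied_commands(text: str, ruleset: List[Rule]) -> List[Tuple[str, str]]:
    """Logged commands the candidate set would still deny, in log order."""
    return [(c, a) for _, c, a in parse_log(text) if authorize(c, a, ruleset) == "deny"]

def config_changing_permits(ruleset: List[Rule]) -> List[Rule]:
    """Review check: permit rules that would let a read-only user enter config mode."""
    return [r for r in ruleset if r[0] == "permit" and r[1] in ("configure", "*")]
```

Run `denied_commands(CAPTURED_LOG, ASDM_RO_SET)` to see which of ASDM's login commands a proposed set would still block before pushing it to the TACACS+ server.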

balaji.bandi
Hall of Fame

I never had success, to be honest; then we moved on to FMC / FTD.

But I see this thread, noted for reference; you may check it and it may help you:

https://community.cisco.com/t5/network-access-control/aaa-asdm-read-only-access/td-p/1255947

BB
