Read-only on ASAs with ACS and TACACS+

michaellperrin
Level 1

I'm trying to give access to some users on my ASAs via TACACS+ on our ACS.

On the ACS I did the following:

- Added ASA to the ACS
- Created user
- Created shell profile giving Priv 5
- Created a command set for all commands
- Created auth profile for said user with the shell profile and the all-commands command set.

On the ASA I set up AAA authentication and authorization for HTTP, then used the predefined user roles, which set Priv 5 as read-only.

When I log in, I can make changes on the config menu.

If I change the AAA to the local DB and create a user with Priv 5, it works as expected. I can get to the config menu, but when I apply changes it says I don't have rights to do so.

When I do a curpriv from ASDM on both the local account and the TACACS account, they show as priv level 5.

I'm not sure what I'm missing.

1 Reply

michaellperrin
Level 1

So, after doing some testing:

If I set the authorization to local it works; however, then the Priv level 3 monitor doesn't work.

If I have a user in ACS who I have given priv 3, they can access the monitor tab and nothing else, which is what I expected, when authorization is set to ACS.


Very strange.
