Troubleshooting ACS 5.2 with ASA 5500

I am deploying an ACS to authenticate ASA for system administration. Here are the client requirements.

Types of users and description

1. Admin - With full right to read and make modifications

2. Support Admin - Allow modification with some command only

3. Operator - Read only, no modifications allowed

With the above users, I created three rules to accommodate the situation (which is an abstract only):

Users (with the ASA inside a specific device group) / Commands / Argument

Admin
  Commands: All commands
  Argument: (none)

Support admin (All other commands not in the list will be blocked)
  Commands: show, enable, configure, interface
  Argument: *, terminal, ethernet

Operator (All other commands not in the list will be blocked)
  Commands: show, enable, ip, copy
  Argument: *, ftp, *

Here are two questions:

1. Why do I need to create an enable15 account in ACS? If not, users connecting via SSH and using ACS for authentication will fail.

2. For operator, if I allow enable, all other commands (such as configure t, hostname) will be allowed as well. How can I stop this situation ?

Thanks
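The following is a small model of the command-set evaluation the post describes, added here as an illustration; it is neither ACS code nor the poster's configuration. It shows that permitting "enable" does not by itself admit "configure terminal" or "hostname" for the Operator set as long as commands not in the table are denied. The command-to-argument pairing and the regular expressions are assumptions, since the original table lists commands and arguments as two separate columns.

```python
import re
from dataclasses import dataclass

# Simplified model of how an ACS 5.x TACACS+ command set decides one command
# line (assumption for illustration only; this is not ACS code).
# Each rule is (command, argument_regex): a line is permitted when a rule's
# command equals the first word and its regex fully matches the rest.
@dataclass
class CommandSet:
    name: str
    rules: list                    # [(command, argument_regex), ...]
    permit_unlisted: bool = False  # "permit any command not in the table"

    def authorize(self, line: str) -> bool:
        words = line.split()
        if not words:
            return False
        cmd, args = words[0], " ".join(words[1:])
        for command, arg_pattern in self.rules:
            if command == cmd and re.fullmatch(arg_pattern, args):
                return True
        return self.permit_unlisted  # unlisted commands fall through here

# Command sets from the post (command/argument pairing is an assumption).
ADMIN = CommandSet("Admin", [], permit_unlisted=True)
SUPPORT_ADMIN = CommandSet("Support admin", [
    ("show", ".*"), ("enable", r"\d*"), ("configure", "terminal"),
    ("interface", r"ethernet.*"),
])
OPERATOR = CommandSet("Operator", [
    ("show", ".*"), ("enable", r"\d*"), ("ip", ".*"), ("copy", r"ftp.*"),
])

def audit(cmdset: CommandSet, session: list) -> list:
    """Return the command lines in a session that the set would deny."""
    return [line for line in session if not cmdset.authorize(line)]

# Constructed session: an operator enables, then tries to change the config.
OPERATOR_SESSION = [
    "show running-config", "enable", "configure terminal", "hostname newname",
]

if __name__ == "__main__":
    for cs in (ADMIN, SUPPORT_ADMIN, OPERATOR):
        print(cs.name, "denies:", audit(cs, OPERATOR_SESSION))
```

The model only covers the ACS decision; it assumes the ASA is configured to send every command for authorization (aaa authorization command), which is what lets the per-command decision apply even after enable succeeds.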
