
ASA ASDM dashboard with Cisco ACS

david.suntama
Level 1

Hi All,

We are using CiscoSecure ACS 4.2 for AAA.

On our ASA 8.2.5 / ASDM 7.3(1)101, if we log in with a user group at privilege 5, we are not able to see the firewall dashboard for Top 10 Services / Sources / Destinations.

Does anyone know how to set up the right privilege? Basically, the user group only needs read-only access, but it must be able to see the Top 10 services/sources/destinations on the ASDM dashboard.

Thanks a lot


7 Replies

Aditya Ganjoo
Cisco Employee

Hi David,

The minimum privilege level you need to view the Top 10 services/sources/destinations on ASDM dashboard is privilege level 5.

Please check the privilege level of the user when you log into the ASA by using the command:

sh curpriv

Also, have you customized the privilege levels on the ASA?

Please share the output of

show run | begin privilege

Regards,

Aditya

Please rate helpful posts.

Thanks,

No, I do not have customized privileges on the ASA.

I am not sure why the user group only has privilege 1.

Please see below

FW-C5505> sh curpriv
Username : apactest
Current privilege level : 1
Current Mode/s : P_UNPR
FW-C5505> sh run | begin priv
FW-C5505> sh run | begin privilege
^
ERROR: % Invalid input detected at '^' marker.
FW-C5505>

Attached is the user group setting on ACS.

Hi David,

The config seems fine.

Not sure why you get priv 1 when you are giving it priv 10 through ACS.

What do you see in the logs on the ACS ?

However you can check this link for setting up privilege level and command authorization on the ACS:

http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-server-windows/99361-acs-shell-auth.html#scenario1

Let me know if you have any queries for me on this.

Regards,

Aditya

Please rate helpful posts.

Thanks,

On all Cisco IOS routers it seems to work fine with the correct privilege 10 as I set it on ACS; however, only on the ASA does it keep getting priv 1.

Hi David,

Please share the show run | in aaa output of the ASA.

I will look into it.

Regards,

Aditya

Thanks Aditya,

I managed to get into priv 5 now with ACS; however, with priv 5 I can modify the config and write memory :(

below output

FW-C5505# sh curpriv
Username : apactest
Current privilege level : 5
Current Mode/s : P_PRIV
FW-C5505# sh priv
FW-C5505# sh run | in aaa

aaa-server AD-SVRGRP protocol ldap
aaa-server AD-SVRGRP (inside) host xxx
aaa-server AD-SVRGRP (mpls) host xxx
aaa-server Cisco_ACS protocol tacacs+
aaa-server Cisco_ACS (mpls) host xxx
aaa-server Cisco_ACS (mpls) host xxx
aaa authentication telnet console Cisco_ACS LOCAL
aaa authentication ssh console Cisco_ACS LOCAL
aaa authentication http console Cisco_ACS LOCAL
aaa authentication enable console Cisco_ACS LOCAL
aaa authentication serial console LOCAL
aaa authorization command Cisco_ACS LOCAL
aaa accounting enable console Cisco_ACS
aaa accounting serial console Cisco_ACS
aaa accounting ssh console Cisco_ACS
aaa accounting telnet console Cisco_ACS
aaa accounting command privilege 15 Cisco_ACS
aaa authorization exec authentication-server

Hi David,

Yes, you are right: with privilege 5 you would be able to make these changes.

You can use one of two command authorization methods to overcome this limitation:

Local database: Configure the command privilege levels on the security appliance. When a local user authenticates with the enable command (or logs in with the login command), the security appliance places that user in the privilege level that is defined by the local database. The user can then access commands at the user's privilege level and below.

Note: You can use local command authorization without any users in the local database and without CLI or enable authentication. Instead, when you enter the enable command, you enter the system enable password, and the security appliance places you in level 15. You can then create enable passwords for every level, so that when you enter enable n (2 to 15), the security appliance places you in level n. These levels are not used unless you turn on local command authorization (see "Configuring Local Command Authorization"):
<http://www.cisco.com/c/en/us/td/docs/security/asa/asa80/configuration/guide/conf_gd/mgaccess.html#wp1072168>

TACACS+ server: On the TACACS+ (ACS) server, configure the commands that a user or group can use after they authenticate for CLI access. Every command that a user enters at the CLI is checked with the TACACS+ server:

http://www.cisco.com/c/en/us/support/docs/security/secure-access-control-server-windows/99361-acs-shell-auth.html#scenario1

Hope it helps.

Regards,

Aditya

Please rate helpful posts.
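The TACACS+ method described in the accepted answer works because the ASA, under `aaa authorization command Cisco_ACS LOCAL`, sends every typed command to the server and obeys its pass/fail answer; the exec-start reply is also where the `priv-lvl` consumed by `aaa authorization exec authentication-server` comes back. The following model of that exchange is an added example written for this page, not code from the thread, from Cisco or from the ACS product. It builds and parses RFC 8907 authorization REQUEST and REPLY packets (bodies obfuscated with the shared key, as on the wire) and uses a stand-in policy, permit `show`, deny everything else, return `priv-lvl=5` at exec start, in place of an ACS shell command authorization set. The shared key, session id, port, remote address, the hypothetical `acs_policy` and `asa_authorize` helpers and the `cmd-arg=<cr>` trailer are assumptions of the example, not values from the thread.

```python
"""TACACS+ (RFC 8907) shell authorization, modelled end to end.
Added example for this page (not thread, Cisco or ACS code). The client side
mimics the ASA under `aaa authorization command` / `aaa authorization exec
authentication-server`; the server side stands in for an ACS shell command
authorization set. Key, session id, port and remote address are constructed."""
import hashlib
import struct
VERSION, TYPE_AUTHOR, FLAG_UNENCRYPTED = 0xC0, 0x02, 0x01   # header fields
METH_TACACSPLUS, TYPE_ASCII, SVC_LOGIN = 0x06, 0x01, 0x01    # request fixed fields
STATUS_PASS_ADD, STATUS_FAIL = 0x01, 0x10                   # reply status codes
READ_ONLY_PRIV = 5                       # level the ASDM dashboard needs, per the thread
SECRET = b"example-shared-key"           # constructed: the `key` on the aaa-server host
HEADER = struct.Struct("!BBBBII")        # version, type, seq_no, flags, session_id, length

def _pad(session_id, seq_no, length, key=SECRET):
    """Section 4.5 pseudo-pad: MD5 chain over session_id, key, version, seq_no."""
    prefix = struct.pack("!I", session_id) + key + bytes([VERSION, seq_no])
    out, last = b"", b""
    while len(out) < length:
        last = hashlib.md5(prefix + last).digest()
        out += last
    return out[:length]

def _xor(body, session_id, seq_no, key=SECRET):
    """Obfuscation is a plain XOR with the pad, so one call both encodes and decodes."""
    return bytes(b ^ p for b, p in zip(body, _pad(session_id, seq_no, len(body), key)))

def _packet(body, seq_no, session_id):
    return HEADER.pack(VERSION, TYPE_AUTHOR, seq_no, 0, session_id, len(body)) + _xor(body, session_id, seq_no)

def _unpack(packet):
    version, ptype, seq_no, flags, session_id, length = HEADER.unpack(packet[:HEADER.size])
    if version != VERSION or ptype != TYPE_AUTHOR or flags & FLAG_UNENCRYPTED:
        raise ValueError("unexpected TACACS+ header")
    return session_id, _xor(packet[HEADER.size:HEADER.size + length], session_id, seq_no)

def _strings(body, pos, lengths):
    """Consecutive length-prefixed strings starting at pos; returns them and the new pos."""
    out = []
    for n in lengths:
        out.append(body[pos:pos + n].decode())
        pos += n
    return out, pos

def author_request(user, priv_lvl, args, session_id, port="ssh", rem_addr="192.0.2.10"):
    """Authorization REQUEST (section 6.1): fixed bytes, arg lengths, then the strings."""
    u, p, r, a = user.encode(), port.encode(), rem_addr.encode(), [x.encode() for x in args]
    body = (bytes([METH_TACACSPLUS, priv_lvl, TYPE_ASCII, SVC_LOGIN, len(u), len(p), len(r), len(a)])
            + bytes(len(x) for x in a) + u + p + r + b"".join(a))
    return _packet(body, 1, session_id)

def parse_author_request(packet):
    session_id, body = _unpack(packet)
    _, priv_lvl, _, _, ulen, plen, rlen, argc = body[:8]
    (user, _, _), pos = _strings(body, 8 + argc, (ulen, plen, rlen))
    args, _ = _strings(body, pos, body[8:8 + argc])
    return session_id, user, priv_lvl, args

def author_reply(status, args, session_id, server_msg=""):
    """Authorization REPLY (section 6.2): status, arg count, msg/data lengths, arg lengths, strings."""
    m, a = server_msg.encode(), [x.encode() for x in args]
    body = bytes([status, len(a)]) + struct.pack("!HH", len(m), 0) + bytes(len(x) for x in a) + m + b"".join(a)
    return _packet(body, 2, session_id)

def parse_author_reply(packet):
    _, body = _unpack(packet)
    status, argc = body[0], body[1]
    mlen, dlen = struct.unpack("!HH", body[2:6])
    (msg, _), pos = _strings(body, 6 + argc, (mlen, dlen))
    args, _ = _strings(body, pos, body[6:6 + argc])
    return status, msg, args

def acs_policy(user, priv_lvl, args):
    """Stand-in for the ACS group's shell authorization: exec start is granted with
    priv-lvl=5, a command passes only if it is `show`, anything else fails."""
    kv = {}
    for arg in args:                                 # mandatory `k=v`, optional `k*v`
        key, _, val = arg.partition("=") if "=" in arg else arg.partition("*")
        kv.setdefault(key, val)                      # first cmd-arg is enough; policy keys on cmd
    if kv.get("service") != "shell":
        return STATUS_FAIL, []
    if not kv.get("cmd"):                            # exec authorization carries `cmd*`, no value
        return STATUS_PASS_ADD, [f"priv-lvl={READ_ONLY_PRIV}"]
    return (STATUS_PASS_ADD, []) if kv["cmd"] == "show" else (STATUS_FAIL, [])

def asa_authorize(user, priv_lvl, command_line, session_id=0x1A2B3C4D):
    """One round trip as the ASA does it: empty command_line is the exec-start
    authorization, anything else is per-command authorization of what was typed."""
    words = command_line.split()
    args = ["service=shell"] + (
        [f"cmd={words[0]}"] + [f"cmd-arg={w}" for w in words[1:]] + ["cmd-arg=<cr>"] if words else ["cmd*"])
    request = author_request(user, priv_lvl, args, session_id)    # ASA ---> ACS
    status, extra = acs_policy(*parse_author_request(request)[1:])
    reply = author_reply(status, extra, session_id)               # ASA <--- ACS
    return parse_author_reply(reply)

if __name__ == "__main__":
    for line in ("", "show running-config", "write memory", "configure terminal"):
        status, _, extra = asa_authorize("apactest", READ_ONLY_PRIV, line)
        print(f"{line or '<exec start>':20} -> {'PASS' if status == STATUS_PASS_ADD else 'FAIL'} {extra}")
```

The point for this thread is in `acs_policy`: once `aaa authorization command` points at ACS, it is the server's answer, not the user's privilege level, that decides whether `write memory` or `configure terminal` goes through, so a read-only group needs a shell command authorization set on ACS that denies unmatched commands and permits only `show`. The local-database method works the other way round: the ASA itself compares the command's configured level with the level from `show curpriv`, with no server round trip.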