Last time we discussed how to use the LOCAL database of the ASA security appliance to configure minimum user privileges for ASDM access. We showed that ASDM contains two other default account profiles (other than full administrative privileges) for partial access to the GUI.
While using the LOCAL database is a viable mechanism for a small organization with only a few devices, larger enterprise operations frequently require a centralized Access Control Server (ACS). This server is not only used to control device access for users and groups of users, but is an absolute requirement if accounting is needed, since Cisco AAA does not allow accounting to the LOCAL database. This post will explore how to use the Cisco ACS for ASDM access.
While using the LOCAL database of the ASA for ASDM access was fairly straightforward (the ASDM-defined roles were a big help!), using the ACS involves a bit of “trial-and-error” since documentation is lacking. For this experiment we created a username of adminjr with the goal of using the minimum amount of privilege needed to load ASDM. The screenshot below illustrates what happens if adminjr doesn’t have enough privileges to load ASDM.
With only a few commands authorized in the ACS, ASDM will appear to load, but it is actually locked, with the following result:
Fortunately, the Failed Attempts section of the ACS is helpful here. As the accompanying screenshot shows, ASDM attempts a number of show commands to bring up the initial post-login screen, and each one that is denied by command authorization is logged there.
Using this screen along with trial-and-error, we arrive at the following minimum commands for adminjr to load ASDM:
Several additional comments are in order here.
- What is NOT shown is the requirement that shell access must be allowed for the adminjr user.
- While these commands ensure that ASDM will load without a problem, they do not allow full access to the buttons and features for even basic monitoring functions. The commands shown last time need to be added to ensure this functionality.
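The ACS-side command authorization set described above only takes effect if the ASA itself is told to authenticate ASDM (HTTP) sessions against the ACS and to send each command to it for authorization. The fragment below is an added example of that ASA-side configuration; it is not taken from the original post, and the server-group name ACS-TACACS, the server address 192.0.2.10, the management subnet 192.0.2.0/24 and the shared-secret placeholder are all assumed values. The LOCAL keyword after each server group is the fallback used only when the ACS is unreachable, so a failed ACS does not lock administrators out of the firewall while command authorization is being tuned.

```text
! Define the TACACS+ server group that points at the ACS (assumed name and address)
aaa-server ACS-TACACS protocol tacacs+
aaa-server ACS-TACACS (inside) host 192.0.2.10
 key <SHARED-SECRET-PLACEHOLDER>

! ASDM logs in over HTTPS, so HTTP console authentication must go to the ACS;
! LOCAL is consulted only if the ACS does not respond
aaa authentication http console ACS-TACACS LOCAL
aaa authentication ssh console ACS-TACACS LOCAL

! Let the ACS decide the user's shell (exec) access and privilege level;
! this is the ASA side of the "shell access must be allowed" requirement
aaa authorization exec authentication-server

! Send every command ASDM issues (including its initial show commands) to the ACS
! for authorization against the user's Command Authorization set
aaa authorization command ACS-TACACS LOCAL

! Accounting is only possible against the ACS, never the LOCAL database
aaa accounting command ACS-TACACS

! Restrict where ASDM may connect from (assumed management subnet)
http server enable
http 192.0.2.0 255.255.255.0 inside
```

When adding this to a live firewall, keep an existing ASDM or console session open and enable authorization in a second session, so that a denied show command can be read from the ACS Failed Attempts report and added to the adminjr command set before the original session is closed.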
With some creativity, a network administrator could create various Command Authorization sets for centralized control of such commonly required capabilities as VPN configuration and monitoring, Failover configuration and monitoring, as well as basic firewall (access-list, service-policy, NAT) rule commands.
Author: Doug McKillip