24. April 2014 · Creating Read-Only User Accounts on Cisco ASA5500 · Categories: Cisco

All users configured on the ASA are assigned a privilege level. This privilege level is specified when configuring the username as follows:

hostname(config)# username name password password privilege priv_level

The privilege level can be any value from 0 (least permissive) to 15 (most permissive), with 2 being the default. Do note that if you want to grant the user access to privileged EXEC mode, you should use the range from 2 to 15. For the purpose of assigning read-only access to a user, we will use a privilege level of 5.

AAA refers to authentication, authorization and accounting. It allows us to authenticate who the user is, authorize what that user is allowed to do, and then keep an accounting record showing what that user has done. In order to create a read-only user account, we need to define which commands the user should be granted access to. This requires knowledge of who the user is, so we first need to ensure that user authentication is configured.

To enable AAA authentication, use the following command:

hostname(config)# aaa authentication enable console LOCAL

With this command in place, users are prompted for a username and password when they enter the enable command.

Now that we know who the user is, we can then instruct the ASA to check if they are authorized to issue a particular command. We do this with the following command:

hostname(config)# aaa authorization command LOCAL

With the above configuration in place, all that is left to do is to define a privilege level for each possible command which the user may enter. This is done with the privilege command. By default, the following commands are assigned to privilege level 0. All other commands are assigned to privilege level 15.

show checksum
show curpriv
enable
help
show history
login
logout
pager
show pager
clear pager
quit
show version

Instead of going into detail about the privilege command and how to use it, let’s take a moment to consider the situation. Does defining a privilege level for every possible command sound like an easy thing to do? Unfortunately, no. While some devices have a ‘read-only’ attribute which can simply be assigned to the desired users, sadly the ASA does not. Wouldn’t it be easier if there was some way to automate the process of defining the typical commands and privilege levels associated with read-only access? Well, there is!

The ASDM can create a number of predefined account types and generate the commands required to configure these accounts automatically. The predefined account types are Admin (privilege level 15, with full access to all commands), Read Only (privilege level 5, with read-only access) and Monitor Only (privilege level 3, with access to the Monitoring section of the ASDM only). From the ASDM, go to Configuration > Device Management > Users/AAA > AAA Access > Authorization and click Set ASDM Defined User Roles. You will see a dialog box showing the commands and their levels. Click Yes to accept the defaults, and then click Apply to save the changes.

All that remains now is to ensure that the correct privilege levels have been assigned to each user. Users requiring read-only access should be assigned a privilege level of 5. Those users who should be further restricted to the Monitoring section of the ASDM can be assigned a privilege level of 3.
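As an added check that is not part of the original post or of Cisco's tooling, the following Python script reads a running-config excerpt and confirms the pieces described above are in place: enable authentication, command authorization, and the privilege level (and matching ASDM role) of each local user. The config text, hostname and usernames are constructed samples; the regexes assume the `username ... password ... [privilege N]` form shown in the post.

```python
import re
from collections import Counter

# Constructed sample running-config excerpt (names and lines made up).
SAMPLE_CONFIG = """\
hostname asa-edge
aaa authentication enable console LOCAL
aaa authorization command LOCAL
username admin password ***** privilege 15
username netops-ro password ***** privilege 5
username noc-view password ***** privilege 3
username legacy password *****
privilege show level 5 mode exec command running-config
privilege cmd level 3 mode exec command perfmon
"""
# Privilege levels of the ASDM-defined roles described in the post.
ROLE_BY_LEVEL = {15: "Admin", 5: "Read Only", 3: "Monitor Only"}
DEFAULT_LEVEL = 2  # level a user gets when 'privilege' is omitted
USER_RE = re.compile(r"^username (\S+) password .*?(?:privilege (\d+))?$")
PRIV_RE = re.compile(r"^privilege (?:show|clear|cmd) level (\d+) ")


def audit_asa_users(config_text):
    """Report local users, their roles, and whether the AAA lines the
    read-only setup depends on are present in the given config text."""
    lines = [ln.strip() for ln in config_text.splitlines()]
    users, priv_defs = {}, Counter()
    for line in lines:
        if m := USER_RE.match(line):
            level = int(m.group(2)) if m.group(2) else DEFAULT_LEVEL
            users[m.group(1)] = {"level": level, "role": ROLE_BY_LEVEL.get(level, "custom")}
        elif m := PRIV_RE.match(line):
            priv_defs[int(m.group(1))] += 1  # commands assigned to that level
    report = {"enable_auth": "aaa authentication enable console LOCAL" in lines,
              "cmd_authz": "aaa authorization command LOCAL" in lines,
              "users": users, "privilege_defs": dict(priv_defs), "warnings": []}
    warn = report["warnings"].append
    if not report["enable_auth"]:
        warn("enable authentication not configured: enable is not tied to a username")
    if not report["cmd_authz"]:
        warn("command authorization not configured: privilege levels are not enforced")
    for name, info in users.items():
        if info["role"] == "custom":
            warn(f"{name}: level {info['level']} matches no ASDM-defined role")
        elif info["level"] == 5 and priv_defs[5] == 0:
            warn(f"{name}: no commands assigned to level 5, only level-0 commands allowed")
    return report
```

Run it against `show running-config` output saved to a file; any user whose level is not 3, 5 or 15, and any missing AAA line, shows up in the warnings list.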
