ASDM - monitor access only

Hi,

I'm working now with WB section 'ASA local authentication' and I have one problem with ASDM read-only access.

I checked the documentation and I found:

"The nas-prompt keyword allows access to the CLI when you configure the aaa authentication {telnet | ssh | serial} console LOCAL command, but denies ASDM configuration access if you configure the aaa authentication http console LOCAL command. ASDM monitoring access is allowed."

I tried the following configuration:

aaa authentication http console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL

username http password http encrypted
username http attributes
 service-type nas-prompt


When I try to open ASDM I see the following error message: "you do not have sufficient privileges to execute commands required to load ASDM..."

I can authenticate and open an ASDM session and the configuration command is hidden, but I can't load the current configuration to monitor the ASA. Have I missed something in my configuration?

regards

Hubert

Comments

  • Hi,

    It all works as expected. "Monitoring" access means you have access to the "monitoring" tab, which you do.

    Regards,

    Cristian.

  • Hi,

    OK, I agree with you. I see the monitor tab but it doesn't monitor anything. It is just a gray screen with no information on it. When I try to refresh it I see the error message mentioned in my previous post.

    regards

    Hubert

  • Hi,

    For that, try adding privilege-level 15 to the user.

    Regards,

    Cristian.

  • Hi,

    Privilege 15 enables access to configuration mode; it looks like the service-type nas-prompt is ignored. I tried one option from ASDM and it works:

    Configuration>Device Management>Users/AAA>AAA Access>Authorization and 'Set ASDM Defined User Roles'

    and it just added a privilege level with most of the show commands:

    privilege show level 3 mode configure command aaa
    privilege show level 3 mode exec command aaa
    privilege clear level 3 mode configure command aaa-server
    privilege show level 3 mode configure command aaa-server
    privilege clear level 3 mode exec command aaa-server

    ...

     

    Once I changed the privilege level from the default 2 to 3, I can monitor the ASA without access to configuration mode.

    regards

    Hubert
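
An added example, not part of the thread and not Cisco code: a Python check over an ASA running-config that flags nas-prompt users whose privilege level has no show commands assigned while local command authorization is on, the situation the last post resolves by moving the user from level 2 to 3. The sample config, the helpdesk user, the placeholder password values and the "blocked" heuristic are constructed assumptions.

```python
import re

# Constructed sample: the thread's config after the fix, plus a hypothetical
# second user ("helpdesk") left at the default level for comparison.
SAMPLE_CONFIG = """\
aaa authentication http console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
username http password PLACEHOLDER encrypted privilege 3
username http attributes
 service-type nas-prompt
username helpdesk password PLACEHOLDER encrypted
username helpdesk attributes
 service-type nas-prompt
privilege show level 3 mode configure command aaa
privilege show level 3 mode exec command aaa
privilege show level 3 mode configure command aaa-server
"""

DEFAULT_LEVEL = 2  # default level for a local user, per the thread


def audit_monitor_users(config):
    """Report level and usable show rules for every nas-prompt local user."""
    levels, nas_prompt, show_rule_levels = {}, set(), []
    command_authz = False
    current = None  # user whose "attributes" sub-block we are inside
    for line in config.splitlines():
        if not line.startswith(" "):
            current = None  # any top-level line ends the sub-block
        m = re.match(r"username (\S+) (.*)", line)
        if m and m.group(2) == "attributes":
            current = m.group(1)
        elif m:
            p = re.search(r"\bprivilege (\d+)", m.group(2))
            levels[m.group(1)] = int(p.group(1)) if p else DEFAULT_LEVEL
        elif current and line.strip() == "service-type nas-prompt":
            nas_prompt.add(current)
        elif (r := re.match(r"privilege show level (\d+) ", line)):
            show_rule_levels.append(int(r.group(1)))
        elif line.strip() == "aaa authorization command LOCAL":
            command_authz = True
    report = {}
    for user in sorted(nas_prompt):
        level = levels.get(user, DEFAULT_LEVEL)
        usable = sum(1 for lv in show_rule_levels if lv <= level)
        # Assumed heuristic: no show rule at or below the user's level means
        # ASDM monitoring fails under local command authorization.
        report[user] = {"level": level, "show_rules": usable,
                        "blocked": command_authz and usable == 0}
    return report
```
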

     
