Using ASDM with Minimum User Privileges

Occasionally, as I'm teaching a Cisco training class, I get an idea for a blog post, and it happened again this week. The Securing Networks with ASA Fundamentals curriculum is mostly based on the Adaptive Security Device Manager (ASDM). While the class describes the use of privilege levels with the command line, ironically it does not discuss how to apply these privileges to the various levels of ASDM access. This first part of a two-part series examines both the minimum CLI privilege commands required to run ASDM and the ASDM pre-defined user AAA authorization roles. Later I'll examine how to accomplish ASDM privileged access using a Cisco Access Control Server with TACACS+.

The screenshot below shows the ASDM configuration screen used to accept the GUI's default, pre-defined user access roles:

As the above screenshot indicates, ASDM defines 3 user roles:

  • Admin: total access – privilege 15
  • Read-Only: allowing read-only access to the Configuration tab – privilege 5
  • Monitor Only: no Configuration tab access – privilege 3

If these defaults are accepted and a username is created with privilege 3, the following screen results when that user logs in:

Note that the Configuration tab is missing entirely! The following lengthy list of commands is what ASDM supplies just for privilege 3 to create the Monitor Only role:

For experimentation purposes, and through laborious trial and error, we set out to find the minimum commands required to load ASDM. Believe it or not, only the following two commands were required:

  • privilege show level 3 mode exec command logging
  • privilege show level 3 mode exec command blocks

Using just these two commands will cause problems, however, as the following screenshot shows:

Adding one more command – privilege show level 3 mode exec command interface – solves that problem, but trimming the command set this aggressively leaves users who try to monitor with ASDM facing further annoying errors, as shown next:

Bottom line: the trimmed-down minimum is enough to log in but not to work; you will need the privilege commands ASDM itself supplies to navigate the monitoring subareas without errors.

By the way, the Read-Only role adds only four additional privilege 5 commands:

  • privilege show level 5 mode exec command import
  • privilege show level 5 mode exec command running-config
  • privilege show level 5 mode configure command asdm
  • privilege show level 5 mode configure command privilege
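To make the two command lists above checkable against a real running-config, here is an added example in Python; it is not from the original post and not Cisco's code. It parses the `privilege` lines out of a constructed ASA running-config excerpt, expands the cumulative privilege levels, reports whether level 3 holds the three show commands the post found necessary to load ASDM, verifies that level 5 picks up the four Read-Only grants, and flags any `clear` or `cmd` grant below the admin level. The hostname, usernames and the extra `copy` grant in the sample are constructed, and the non-show check is this script's own review policy, not something ASDM or the post prescribes.

```python
"""Audit `privilege ... command` grants in a Cisco ASA running-config.

Added example, not part of the original post.  The config excerpt is
constructed; the level-3 and level-5 command tuples are the ones the post
lists, and the non-show check is this script's own policy.
"""
import re
from collections import defaultdict

# Constructed running-config excerpt (hypothetical hostname and usernames).
SAMPLE_CONFIG = """\
hostname asa-lab
username asdm-monitor password <redacted> privilege 3
username asdm-reader password <redacted> privilege 5
aaa authentication http console LOCAL
aaa authorization command LOCAL
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command interface
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 5 mode configure command asdm
privilege show level 5 mode configure command privilege
privilege cmd level 3 mode configure command copy
"""

# privilege {show|clear|cmd} level N mode M command C
PRIV_RE = re.compile(
    r"^privilege\s+(?P<kind>show|clear|cmd)\s+level\s+(?P<level>\d+)"
    r"\s+mode\s+(?P<mode>\S+)\s+command\s+(?P<cmd>\S+)$"
)

# The three exec-mode show commands the post found necessary for a
# privilege-3 user to load ASDM without the interface error.
ASDM_LOAD_MINIMUM = {
    ("show", "exec", "logging"),
    ("show", "exec", "blocks"),
    ("show", "exec", "interface"),
}

# The four extra grants the post lists for the Read-Only (privilege 5) role.
READ_ONLY_EXTRA = {
    ("show", "exec", "import"),
    ("show", "exec", "running-config"),
    ("show", "configure", "asdm"),
    ("show", "configure", "privilege"),
}


def parse_privileges(config_text):
    """Map each privilege level to the set of (kind, mode, command) it grants."""
    grants = defaultdict(set)
    for line in config_text.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            grants[int(m["level"])].add((m["kind"], m["mode"], m["cmd"]))
    return dict(grants)


def effective_grants(grants, level):
    """ASA levels are cumulative: a level-N user may run anything at levels 0..N."""
    allowed = set()
    for lvl, cmds in grants.items():
        if lvl <= level:
            allowed |= cmds
    return allowed


def missing_for_asdm_load(grants, level=3):
    """Entries of the post's minimum set that `level` still cannot run."""
    return ASDM_LOAD_MINIMUM - effective_grants(grants, level)


def non_show_grants_below(grants, admin_level=15):
    """Review check (this script's policy): clear/cmd grants below the admin
    level let a monitoring or read-only user change device state, so list them."""
    return sorted(
        (lvl, kind, mode, cmd)
        for lvl, cmds in grants.items()
        if lvl < admin_level
        for kind, mode, cmd in cmds
        if kind != "show"
    )


def report(config_text):
    """Human-readable summary of the grants found in `config_text`."""
    grants = parse_privileges(config_text)
    lines = [f"level {lvl}: {len(grants[lvl])} grant(s)" for lvl in sorted(grants)]
    missing = missing_for_asdm_load(grants, 3)
    lines.append("ASDM load minimum at level 3: "
                 + ("ok" if not missing else f"missing {sorted(missing)}"))
    for lvl, kind, mode, cmd in non_show_grants_below(grants):
        lines.append(f"REVIEW: level {lvl} may run '{kind}' in {mode} mode: {cmd}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_CONFIG)))
```

Point the script at a saved `show running-config` instead of the sample to see which levels your box actually grants; the REVIEW lines are the ones to justify or remove before handing a privilege-3 account to someone who is only meant to monitor.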

Author: Doug McKillip

References:

  • ASDM 6.0 User Guide – Configuring Management Access
1 comment

  1. AJ

    Cool, heaps of help from this post. Thanks