Cisco ASA privilege separation for a local user or read only user on ASA

Today I had the need to create a user on the ASA that would have read-only permissions and could also issue
only 2 commands: show run and show conn. Here is how to do it.
This covers a user with local authentication (with TACACS it is much easier).
Just as on Cisco routers, you assign a specific command to a privilege level other than its default level, then create a user with that privilege level:

1) Assign the command to a specific privilege level (I pick level 3 here, but it may be any level other than 15):

(config)# privilege show level 3 mode exec command running-config
(config)# privilege show level 3 mode exec command conn

2) Create a username with the privilege level of the commands you want that user to be able to run:

(config)# username Joedoe password asdlgfuwe privilege 3

Now you have 2 options: create a general enable password for this level (3 here), so that
any user, after a successful login, can type enable 3 and enter that password to reach level 3 enable
mode. Or, as I did here, create no enable password for level 3 at all, so the user has to reach their
privilege level with the login command.

3) Now the user can connect by SSH (if allowed by IP, of course):

# ssh Joedoe@10.10.10.7
Joedoe@10.10.10.7's password: <enter user's password here>
ASA> login
Username: Joedoe
Password: **********
# sh curpriv
Username : Joedoe
Current privilege level : 3
Current Mode/s : P_PRIV
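As an added example (not the post's own code), here is a small Python checker that audits an ASA running-config for exactly the pieces this procedure relies on: the privilege ... command lines from step 1, the username line from step 2, and the aaa authorization command LOCAL statement that the comments below report as necessary before the ASA actually enforces the level. The sample config is constructed; it reuses the post's own privilege and username lines and adds a level-15 admin user. The assumption that, in the default ASA privilege map, only a few commands such as show curpriv, login and enable sit at level 0 while everything else is level 15 is mine, not something the post states.

```python
"""Audit an ASA running-config for local command-privilege separation.

Added example, not from the original post. It checks the three things a
read-only local user needs on an ASA:
  * commands re-assigned to the user's privilege level (privilege ... command ...)
  * a username line carrying that privilege level
  * 'aaa authorization command LOCAL', without which (per the comments on the
    post) the ASA does not enforce the level and the user can still configure
"""
import re

# Constructed sample config (assumption): the post's commands plus the
# 'aaa authorization command LOCAL' line suggested in the comments.
SAMPLE_CONFIG = """\
hostname asa-edge
aaa authentication ssh console LOCAL
aaa authorization command LOCAL
privilege show level 3 mode exec command running-config
privilege show level 3 mode exec command conn
username admin password 1a2b3c4d encrypted privilege 15
username Joedoe password asdlgfuwe privilege 3
ssh 10.10.10.0 255.255.255.0 inside
"""

PRIV_RE = re.compile(
    r"^privilege\s+(?P<kind>show|clear|cmd|configure)\s+level\s+(?P<level>\d+)"
    r"(?:\s+mode\s+\S+)?\s+command\s+(?P<cmd>\S+)\s*$", re.M)
USER_RE = re.compile(r"^username\s+(?P<name>\S+)\s.*?\bprivilege\s+(?P<level>\d+)\s*$", re.M)
AUTHZ_RE = re.compile(r"^aaa\s+authorization\s+command\s+LOCAL\b", re.M)


def parse_config(text):
    """Extract privilege assignments, local users and the command-authz flag."""
    privileges = {}  # level -> set of "show conn"-style command strings
    for m in PRIV_RE.finditer(text):
        kind = m.group("kind")
        # 'cmd' means the bare command; 'show'/'clear' prefix the verb.
        full = m.group("cmd") if kind == "cmd" else f"{kind} {m.group('cmd')}"
        privileges.setdefault(int(m.group("level")), set()).add(full)
    users = {m.group("name"): int(m.group("level")) for m in USER_RE.finditer(text)}
    return {
        "command_authz": bool(AUTHZ_RE.search(text)),
        "privileges": privileges,
        "users": users,
    }


def allowed_commands(cfg, user):
    """Commands explicitly assigned at or below the user's level, sorted.

    Assumption (default ASA privilege map): only a few commands such as
    'show curpriv', 'login' and 'enable' sit at level 0; everything else is
    level 15, so the re-assigned commands are what a low-level user gains.
    """
    level = cfg["users"][user]
    cmds = set()
    for lvl, names in cfg["privileges"].items():
        if lvl <= level:
            cmds |= names
    return sorted(cmds)


def audit(text):
    """Return a list of findings; an empty list means the setup looks enforced."""
    cfg = parse_config(text)
    findings = []
    restricted = {u: lvl for u, lvl in cfg["users"].items() if lvl < 15}
    if restricted and not cfg["command_authz"]:
        findings.append(
            "restricted users exist (%s) but 'aaa authorization command LOCAL' is "
            "missing: privilege levels are not enforced, so they can still configure"
            % ", ".join(sorted(restricted)))
    if cfg["command_authz"] and not any(lvl == 15 for lvl in cfg["users"].values()):
        findings.append(
            "command authorization is on but no local level-15 user exists: "
            "lockout risk for administrators")
    for user, lvl in sorted(restricted.items()):
        if not allowed_commands(cfg, user):
            findings.append(
                f"user {user} (level {lvl}) has no commands assigned at or below its level")
    return findings


if __name__ == "__main__":
    cfg = parse_config(SAMPLE_CONFIG)
    for user in cfg["users"]:
        print(user, "level", cfg["users"][user], "->", allowed_commands(cfg, user))
    print("findings:", audit(SAMPLE_CONFIG) or "none")
```

Run it against a copy of show running-config: for the sample it reports that Joedoe may run show conn and show running-config and lists no findings; drop the aaa authorization command LOCAL line and it flags that the level is not enforced, which is the behaviour Lucia and MP describe in the comments. The level-15 check is there because enabling command authorization with no level-15 local user is the classic way to lock yourself out of the box.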

Reference:
Cisco ASA Configuration Guide 8.0

Posted in ASA/PIX Cisco, Cisco, Firewall.


5 Responses

  1. Lucia says

    Doesn’t work for me. I did exactly the same as you, show curpriv shows that the user is lvl 3 privilege, but against this, the user can change the configuration and save it.
    Hardware ASA 5510, Image: asa821-k8

    pls help. I need read only access + show running-config

    thnx

  2. Rob says

    Lucia – I think you also need to run
    aaa authorization command LOCAL

  3. MP says

    Hi

    Yes I have also tried but it is not working. I can change the conf of the firewall even at priv level 3. Please let me know the correct solution

  4. Erick says

    I had the same problem but after entering “aaa authorization command LOCAL” as Rob suggested above and saving, it all worked.

Continuing the Discussion

  1. links for 2010-03-12 « /home/servrrockr linked to this post on March 12, 2010

    [...] Cisco ASA privilege separation for a local user or read only user on ASA | yurisk.info (tags: cisco asa user enable privilege local) [...]
