Cisco ASA privilege separation for a local user or read only user on ASA


Today I needed to create a user on the ASA with read-only permissions who could also issue only two commands: show run and show conn. Here is how to do it.

This post covers a user with local authentication (with TACACS it is much easier). Just as on Cisco routers, you assign specific command(s) to a privilege level different from their default level, then create a user with that privilege level:

Step 1: Assign the command(s) to a specific privilege level (I pick level 3 here, but it may be any level other than 15):

(config)# privilege show level 3 mode exec command running-config
(config)# privilege show level 3 mode exec command conn

Step 2: Create the username with a privilege level equal to that of the commands you want the user to have:

(config)# username Joedoe password asdlgfuwe privilege 3

Now you have two options: create a general enable password for this level (3 here), so that any user, after a successful login, can enter "enable 3" and supply it to reach level 3 enable mode. Or, as I did here, create no enable password for level 3 at all, so the user has to enter their privilege level using the login command.

NOTE: Command authorization has to be enabled for CLI-accessing users; otherwise, even with the privileges assigned, the new user will still have privilege 15! You enable local authorization with:

(config)# aaa authorization command LOCAL

This command applies to administrative access to the ASA only, so locally authenticated VPN users, for example, will NOT be affected, which is good.

Step 3: Now the user can connect by SSH (if coming from an allowed IP, of course):

#ssh Joedoe@10.10.10.7
Joedoe@10.10.10.7 password:<enter user's pass here>
ASA>login  
Username: Joedoe  
Password: **********  
# sh curpriv
Username : Joedoe
Current privilege level : 3
Current Mode/s : P_PRIV
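The configuration above, checked from the defender's side: an added Python example (not from the post) that parses a constructed ASA config fragment, lists the reassigned commands a local user can reach at their privilege level, and flags the case the NOTE warns about, where "aaa authorization command LOCAL" is missing and the user effectively keeps privilege 15. Commands that were never reassigned keep their ASA default levels and are not modelled here.

```python
import re

# Constructed ASA running-config fragments (not captured from a real device).
# CONFIG_NO_AUTHZ drops the authorization line the post's NOTE warns about.
CONFIG_OK = """\
privilege show level 3 mode exec command running-config
privilege show level 3 mode exec command conn
username Joedoe password asdlgfuwe privilege 3
username netadmin password s3cr3t privilege 15
aaa authorization command LOCAL
"""
CONFIG_NO_AUTHZ = CONFIG_OK.replace("aaa authorization command LOCAL\n", "")

PRIV_RE = re.compile(r"^privilege (\S+) level (\d+) mode (\S+) command (\S+)$")
USER_RE = re.compile(r"^username (\S+) password .*?(?: privilege (\d+))?$")

def parse_config(text):
    """Collect reassigned commands per level, local users with their levels,
    and whether 'aaa authorization command LOCAL' is configured."""
    cmds, users, authz = {}, {}, False
    for line in (raw.strip() for raw in text.splitlines()):
        if m := PRIV_RE.match(line):
            verb, level, _mode, cmd = m.groups()
            cmds.setdefault(int(level), []).append(f"{verb} {cmd}")
        elif m := USER_RE.match(line):
            # a username without the privilege keyword defaults to level 2 on ASA
            users[m.group(1)] = int(m.group(2)) if m.group(2) else 2
        elif line == "aaa authorization command LOCAL":
            authz = True
    return cmds, users, authz

def audit_user(text, username):
    """Report the reassigned commands this local user can run (commands never
    reassigned keep their ASA default levels and are not modelled), or flag
    the misconfiguration where the user effectively keeps privilege 15."""
    cmds, users, authz = parse_config(text)
    level = users[username]
    if not authz:
        return {"level": level, "effective": 15, "reassigned_commands": None,
                "finding": "no 'aaa authorization command LOCAL': level not enforced"}
    allowed = sorted(c for lvl, lst in cmds.items() if lvl <= level for c in lst)
    return {"level": level, "effective": level,
            "reassigned_commands": allowed, "finding": None}

if __name__ == "__main__":
    for cfg in (CONFIG_OK, CONFIG_NO_AUTHZ):
        print(audit_user(cfg, "Joedoe"))
```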

Follow me on https://www.linkedin.com/in/yurislobodyanyuk/ not to miss what I publish on Linkedin, Github, blog, and more.