Cisco Systems: Cisco ASA privilege configuration

Privilege level 15 is the superuser level by default, but you can change that behaviour by defining lower levels that are limited to a chosen set of commands. In this example I will create a username that has privilege 4 access.

ciscoasa(config)# username adminreader password 121278 privilege 4
ciscoasa(config)# privilege show level 4 command running-config
ciscoasa(config)# privilege show level 4 command access-list
ciscoasa(config)# privilege show level 4 command conn

Then I need the following aaa commands to tell the ASA where to look up authentication and command authorization; here everything points at the LOCAL user database.

aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa local authentication attempts max-fail 5

When a user attempts to SSH in, the ASA checks the local database for the authentication information.
When a user attempts to log in to ASDM, the ASA checks the local database for the authentication information.
When a user attempts to enter privileged EXEC mode, the ASA checks the local database for the authentication information.
Once authenticated, the ASA checks the local database to find out which commands the authenticated user is allowed to execute.
The maximum number of failed logins is 5; if this is exceeded, the user account is locked.
Here are the commands to unlock a user account:

clear aaa local user all clears the locked status of all usernames.
clear aaa local user username adminreader clears adminreader's locked status.
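The username, privilege and aaa lines above only restrict a level-4 user when all of them are present together. As an added example (not part of the original post), the following Python script parses those line types out of an ASA running-config and reports the gaps a reviewer would look for: a user below level 15 with no command authorization, no enable authentication, no commands assigned at or below their level, or no lockout threshold. The sample config is constructed from the post's lines, with the aaa authorization command line deliberately left out.

```python
import re
from typing import Dict, List, Set

# Constructed sample (mirrors the post's lines); "aaa authorization command LOCAL"
# is intentionally omitted so that the audit produces a finding.
SAMPLE_CONFIG = """\
username adminreader password 121278 privilege 4
privilege show level 4 command running-config
privilege show level 4 command access-list
privilege show level 4 command conn
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LOCAL
aaa local authentication attempts max-fail 5
"""

USER_RE = re.compile(r"^username (\S+) .*\bprivilege (\d+)\b")
PRIV_RE = re.compile(
    r"^privilege (show|clear|cmd|configure) level (\d+)(?: mode (\S+))? command (\S+)")

def audit_asa_privileges(config: str) -> dict:
    """Parse user, privilege and aaa lines from an ASA config and list gaps."""
    users: Dict[str, int] = {}            # username -> assigned privilege level
    per_level: Dict[int, Set[str]] = {}   # level -> commands granted at that level
    cmd_authz = enable_auth = max_fail = None
    for raw in config.splitlines():
        line = raw.strip()
        if m := USER_RE.match(line):
            users[m.group(1)] = int(m.group(2))
        elif m := PRIV_RE.match(line):
            verb, level, mode, cmd = m.groups()
            entry = f"{verb} {cmd}" + (f" [{mode}]" if mode else "")
            per_level.setdefault(int(level), set()).add(entry)
        elif m := re.match(r"^aaa authorization command (\S+)", line):
            cmd_authz = m.group(1)
        elif m := re.match(r"^aaa authentication enable console (\S+)", line):
            enable_auth = m.group(1)
        elif m := re.match(r"^aaa local authentication attempts max-fail (\d+)", line):
            max_fail = int(m.group(1))
    findings: List[str] = []
    limited = {u: lvl for u, lvl in users.items() if lvl < 15}
    if limited and cmd_authz is None:
        findings.append("no 'aaa authorization command' line: levels below 15 are not enforced")
    if limited and enable_auth is None:
        findings.append("no 'aaa authentication enable console' line: enable ignores user levels")
    for user, lvl in limited.items():
        # A level inherits every command granted at or below it.
        allowed = set().union(*(c for l, c in per_level.items() if l <= lvl))
        if not allowed:
            findings.append(f"user {user} (level {lvl}) has no commands assigned at or below that level")
    if max_fail is None:
        findings.append("no 'aaa local authentication attempts max-fail' line: no lockout configured")
    return {"users": users, "per_level": per_level, "findings": findings}
```

Feed it the output of show running-config; an empty findings list means the four pieces the post relies on are all present.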

This entry was posted in ASA/PIX, Security.

6 Responses to Cisco Systems: Cisco ASA privilege configuration

  1. Costi says:

    Hi Cyrus,

    The default privilege (meaning: when you issue command “username xxx password yyy” without specifying the privilege option) is not 15 (but privilege 2) on ASA.

    Cheers,

    Costi

  2. cyruslab says:

    Hi Costi! Thanks for the tip! What I meant was the default privilege for privilege 15 is super user.

  3. NIck says:

    I think:
    adding running-config gives access to all commands.

    I tested it and was not restricted: changed hostname, added routes, etc.

  4. moustafa says:

    Hi Nick:
    I added the command "privilege show level 6 mode exec command running-config" and I can still see that I am not able to use either the show crashinfo or the conf t commands; it displays ERROR: Command authorization failed. Maybe you have a problem in your configuration.
    Regards,
    Moustafa

  5. Haim Chibotero says:

    You need to verify that this command is there as well, else it won't work:
    aaa authorization exec authentication-server auto-enable

  6. chibotero says:

    You need to make sure this command is also being run, else it won't work:

    aaa authorization exec authentication-server auto-enable
