Note on AAA when using Cisco ASA

It’s common practice to have multiple users on a firewall, each with a different level of access: some have admin accounts while others have read-only accounts. The Cisco ASA is no different, and it is quite easy to set up local AAA (authentication / authorization / accounting) to get exactly that scenario. However, there is a small note here. Most people use ASDM to configure user authentication, and are satisfied once users can log in with their username and password.

However, note that the ASA makes a distinction between authentication and authorization. Authentication may be configured correctly (the user must present a valid username/password combination), and the ASDM interface may also prevent such a user from making any changes, but if they log in to the CLI via telnet/SSH they will still have full access (provided they know the enable password).

In order to make sure a user really has read-only access, even via the CLI, you need to make sure that user authorization is also correctly configured.

Recall that authentication is the act of validating somebody’s identity (usually via username and password), while authorization is the act of checking the permission a user has to run a certain action (such as an admin command).

Configuring basic authentication is simple in the ASDM. Simply go to

configure > device management > users/aaa > authentication

Make sure all options are ticked and set to your appropriate AAA server (I am using the ASA itself as the AAA server in the screenshot below).

[Screenshot: ASDM authentication tab (asa_authen)]

Secondly, configure authorization in a similar way, by clicking on the authorization tab and selecting all options:

[Screenshot: ASDM authorization tab (asa_author)]

PS: in the above screenshot the option is greyed out because it was already in use. To configure read-only users, click “Set ASDM defined user roles” on that screen. This changes the privilege level of the individual commands so that you end up with read-only and admin users, as well as users who have only dial-in rights (e.g. AnyConnect users).
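The following script is an added example, not part of the original post and not Cisco code: it audits a running-config excerpt for the gap the post describes (authentication configured, authorization not). The two config samples are constructed; the usernames, the `<redacted>` password placeholders and the two `privilege` lines are illustrative rather than copied from a real device. The three statements it treats as required (`aaa authentication enable console`, `aaa authorization command`, `aaa authorization exec`) are the CLI equivalents I would expect the ASDM authorization tab and “Set ASDM defined user roles” to produce; confirm the exact syntax against the ASA documentation for your software version.

```python
"""Audit a Cisco ASA running-config excerpt for CLI authentication
without authorization (the case where a "read-only" user still gets
full access after typing enable). Added example; the configs below
are constructed samples, not real device output."""
import re
from typing import Dict, List

# Constructed sample: only the ASDM authentication tab has been applied.
CONFIG_AUTH_ONLY = """\
hostname asa-lab
username admin password <redacted> privilege 15
username ro-user password <redacted> privilege 3
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
"""

# Constructed sample: the same device after the authorization tab and
# ASDM defined user roles have been applied (privilege lines illustrative).
CONFIG_AUTH_AND_AUTHZ = CONFIG_AUTH_ONLY + """\
aaa authentication enable console LOCAL
aaa authorization command LOCAL
aaa authorization exec LOCAL
privilege show level 3 mode exec command running-config
privilege cmd level 3 mode exec command ping
"""

# Statements showing that the CLI itself (not just ASDM) is gated by AAA.
CLI_AUTHENTICATION = (
    "aaa authentication ssh console",
    "aaa authentication telnet console",
)

# Statements that must also be present before a privilege-3 account is
# actually read-only on the CLI (assumed CLI equivalents of the ASDM tabs).
REQUIRED_FOR_AUTHZ = {
    "aaa authentication enable console":
        "enable is authenticated per user, so the shared enable password is not a bypass",
    "aaa authorization command":
        "each CLI command is checked against the user's privilege level",
    "aaa authorization exec":
        "a user lands at their own privilege level on login",
}

USERNAME_RE = re.compile(r"^username\s+(\S+)\s+.*\bprivilege\s+(\d+)\b")


def parse_config(text: str) -> List[str]:
    """Return the non-empty, non-comment lines of a config excerpt."""
    return [ln.strip() for ln in text.splitlines()
            if ln.strip() and not ln.strip().startswith("!")]


def has_statement(lines: List[str], prefix: str) -> bool:
    """True if some line is exactly `prefix` or `prefix` followed by arguments."""
    return any(ln == prefix or ln.startswith(prefix + " ") for ln in lines)


def low_privilege_users(lines: List[str]) -> List[str]:
    """Local accounts configured with a privilege level below 15."""
    users = []
    for ln in lines:
        m = USERNAME_RE.match(ln)
        if m and int(m.group(2)) < 15:
            users.append(m.group(1))
    return users


def audit(config_text: str) -> Dict[str, object]:
    """Check whether CLI authentication is backed by authorization."""
    lines = parse_config(config_text)
    cli_auth = any(has_statement(lines, p) for p in CLI_AUTHENTICATION)
    missing = [p for p in REQUIRED_FOR_AUTHZ if not has_statement(lines, p)]
    users = low_privilege_users(lines)
    findings: List[str] = []
    if not cli_auth:
        findings.append("ssh/telnet console is not authenticated by AAA; "
                        "local privilege levels are not enforced on the CLI")
    elif missing:
        who = ", ".join(users) if users else "any non-admin account"
        detail = "; ".join(f"'{p}' ({REQUIRED_FOR_AUTHZ[p]})" for p in missing)
        findings.append(f"CLI authentication is on but authorization is incomplete: "
                        f"{who} can reach full access via enable. Missing: {detail}")
    return {"cli_authentication": cli_auth, "missing": missing,
            "low_privilege_users": users, "findings": findings}


if __name__ == "__main__":
    for name, cfg in (("auth only", CONFIG_AUTH_ONLY),
                      ("auth + authz", CONFIG_AUTH_AND_AUTHZ)):
        result = audit(cfg)
        print(f"[{name}] findings: {result['findings'] or 'none'}")
```

Run it against the output of `show running-config` (paste the text into `audit`) after making changes in ASDM; an empty `findings` list means the CLI will honour the per-user privilege levels rather than falling back to whatever the shared enable password grants.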