Hi all, first of all, very grateful to this community for all the help you've provided to me over the last few months, so just wanted to say thank you.
Second, I wanted to get some confirmation on what I'm going to attempt to do tonight. I want to create a read-only account for my ASA, and I think I can do this by enabling Local Authorization (this particular ASA is standalone and not using RADIUS).
If I have a privilege level 15 admin accounts, and some level 2 user accounts for VPN, and a single level 5 account that I want to be read only, I shouldn't run into any problems enabling this, right? My understanding after reading this morning is that it will simply enforce the privileges, so it won't lock my level 15 accounts out or anything.
I plan to do this in ASDM via Device Management>Users/AAA>AAA Access>Authorization>Check the "Enable" box and select "Server Group: LOCAL"
In the Configure Command Privileges Setup window when I temporarily check that box (without Applying) I should just change Command "running-config" in mode "exec" with variant "show" to privilege level 3 and I should be all set, without needing to hit the "Set ASDM Defined User Roles" button since I don't want it to create those Admin/Read-Only/User predefined roles.
Does this sound right to you guys? Am I missing something and about to lock myself out? Thanks for the help once again!
No comments:
Post a Comment