Some facts about ASA and aaa
- default user on ASA has privilege 2
- min privilege to have access to ASDM is 2
- read-only access to ASDM requires a user with priv 2, service-type ‘nas-prompt’ and ‘aaa authorization command LOCAL’ + access to ‘show’ commands (Configuration>Device Management>Users/AAA>AAA Access>Authorization and ‘Set ASDM Defined User Roles’)
- telnet on ASA is not allowed on an interface with security level = 0
- to control which commands are allowed you have to configure:
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
privilege show level 7 command crypto
enable password test7 level 7
btw the command “privilege show level 7 command crypto” is converted to:
privilege show level 7 mode exec command crypto
privilege show level 7 mode configure command crypto
- you can exclude hosts from aaa: aaa mac-exempt match MAC-ACL
- using local aaa you can limit the number of failed authentications: aaa local authentication attempts max-fail 2
- you can limit the number of proxy connections: aaa proxy-limit 2
- proxy - you can define any port for ASA interface without creating a virtual telnet server: aaa authentication listener http inside port 1234
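Added example (not from the original notes): a small Python audit of an ASA running-config that checks the points above, namely that ‘aaa authorization command LOCAL’ is present (without it the ‘privilege … level …’ lines do nothing), that local lockout is set, that users have at least privilege 2, and which commands a given user is locked out of by the expanded ‘privilege … mode exec/configure’ entries. The config text and user names are constructed for the example.

```python
import re

# Constructed ASA running-config excerpt (not taken from any real device); it
# uses the commands from the notes, with the expanded 'privilege' form.
SAMPLE_CONFIG = """\
username admin password ***** privilege 15
username helpdesk password ***** privilege 2
aaa authentication telnet console LOCAL
aaa authorization command LOCAL
aaa local authentication attempts max-fail 2
privilege show level 7 mode exec command crypto
privilege show level 7 mode configure command crypto
"""

USER_RE = re.compile(r"^username (\S+) .*privilege (\d+)$")
PRIV_RE = re.compile(r"^privilege (\S+) level (\d+) mode (\S+) command (\S+)$")

def parse_config(text):
    """Split a config into users, per-command privilege levels and bare aaa lines."""
    users, privs, aaa = {}, {}, set()
    for line in text.splitlines():
        line = line.strip()
        if m := USER_RE.match(line):
            users[m.group(1)] = int(m.group(2))
        elif m := PRIV_RE.match(line):
            cmd_type, level, mode, cmd = m.groups()
            privs[(cmd_type, mode, cmd)] = int(level)
        elif line.startswith("aaa "):
            aaa.add(line)
    return {"users": users, "privs": privs, "aaa": aaa}

def restricted_commands_for(cfg, user):
    """(type, mode, command) entries whose required level exceeds the user's
    privilege; only enforced when command authorization is enabled."""
    level = cfg["users"][user]
    return sorted(k for k, need in cfg["privs"].items() if need > level)

def audit(cfg):
    """Flag the gaps the notes describe: no command authorization makes
    'privilege' lines ineffective, no max-fail allows unlimited guesses,
    and privilege below 2 cannot reach ASDM."""
    findings = []
    if "aaa authorization command LOCAL" not in cfg["aaa"]:
        findings.append("command authorization off: privilege levels not enforced")
    if not any(a.startswith("aaa local authentication attempts max-fail") for a in cfg["aaa"]):
        findings.append("no local lockout: unlimited failed logins")
    for user, level in cfg["users"].items():
        if level < 2:
            findings.append(f"user {user} has privilege {level}: no ASDM access")
    return findings
```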