asked on
Cisco ASA - Read only user unable to view Configuration in ASDM
Hi,
I have ASA 7.0 (6) and ASDM 5.0, I have to create an user with read only access (Privilege level 5).
When trying to login with this user, it gives error that few commands need to be sent to the device, if I cancel that dialog box (not to send to device) then it gives message that there will be no access to configuration page on ASDM.. But when I click on send ( send commands to device) then I see the dialog box with the commands being sent to the device but at the end it says command authorization failed (due to read only access).
Please let me know in case any other info is required and help me in resolving this.
Thanks.
I have ASA 7.0 (6) and ASDM 5.0, I have to create an user with read only access (Privilege level 5).
When trying to login with this user, it gives error that few commands need to be sent to the device, if I cancel that dialog box (not to send to device) then it gives message that there will be no access to configuration page on ASDM.. But when I click on send ( send commands to device) then I see the dialog box with the commands being sent to the device but at the end it says command authorization failed (due to read only access).
Please let me know in case any other info is required and help me in resolving this.
Thanks.
Hardware Firewalls
Last Comment
Fidelius
ASKER
Thanks Fidelius for your response,
I tried your suggestion, unfortunately I could not find such an option may be the difference of version of ASDM/ ASA. The snapshot is attached for your reference.
I have ASA 7.0 (6) and ASDM 5.0.
ReadOnlyUserPriv.docx
I tried your suggestion, unfortunately I could not find such an option may be the difference of version of ASDM/ ASA. The snapshot is attached for your reference.
I have ASA 7.0 (6) and ASDM 5.0.
ReadOnlyUserPriv.docx
Did you try to open "Advanced..." on that tab?
Here is ASDM Online Help for Release 5.0(4)
http://www.cisco.com/en/US/docs/security/asa/asa70/asdm50/user/guide/asdmhelp.pdf
You can find paths and descriptions for needed screens on pdf pages 402, 403, 404. (or if you look at Cisco page numbering 9-388, 9-389, 9-390).
Hope it will help!
Regards!
Here is ASDM Online Help for Release 5.0(4)
http://www.cisco.com/en/US/docs/security/asa/asa70/asdm50/user/guide/asdmhelp.pdf
You can find paths and descriptions for needed screens on pdf pages 402, 403, 404. (or if you look at Cisco page numbering 9-388, 9-389, 9-390).
Hope it will help!
Regards!
ASKER
Hi Fidelius,
I have gone through the matter you posted but unfortunately I am unable to understand that how that is going to make a difference.
I have verified this configuration in other firewall in my network and found similar to this firewall but I am not facing that issue in other firewall.
I am able to login properly in other firewall with read only rights ( Priv -5) and able to see the configuration page in ASDM but not in one firewall.
What I am doubtful on that are there any commands residing anywhere in cache memory or startup time when I launch ASDM that time those commands executing ? and if I have Privileged 15 then it sends those commands and if I have privileged 5 then I can't send the commands to device and hence it fails and show the error.
The error sequence is as below.
When I attempt login into ASDM with read only priv ( Priv - 5)
1. ASDM loads upto 52% and pops of a window containing few commands as below, which is doing no changes but first it sends command to remove object group and then it creates object group.
No asdm group XXXX Interface-name
No asdm group YYYY Interface-name
asdm group XXXX Interface-name
asdm group YYYY Interface-name
In this window it shows two option, send or cancel. If I click on send then it tries to send the commands to device and fails due to priveldge level - 5, and again gives error, but when I cancel then it says that you have canceled the commands to send to device so you can't see the configuration tab in ASDM.
Thanks for your support.
I have gone through the matter you posted but unfortunately I am unable to understand that how that is going to make a difference.
I have verified this configuration in other firewall in my network and found similar to this firewall but I am not facing that issue in other firewall.
I am able to login properly in other firewall with read only rights ( Priv -5) and able to see the configuration page in ASDM but not in one firewall.
What I am doubtful on that are there any commands residing anywhere in cache memory or startup time when I launch ASDM that time those commands executing ? and if I have Privileged 15 then it sends those commands and if I have privileged 5 then I can't send the commands to device and hence it fails and show the error.
The error sequence is as below.
When I attempt login into ASDM with read only priv ( Priv - 5)
1. ASDM loads upto 52% and pops of a window containing few commands as below, which is doing no changes but first it sends command to remove object group and then it creates object group.
No asdm group XXXX Interface-name
No asdm group YYYY Interface-name
asdm group XXXX Interface-name
asdm group YYYY Interface-name
In this window it shows two option, send or cancel. If I click on send then it tries to send the commands to device and fails due to priveldge level - 5, and again gives error, but when I cancel then it says that you have canceled the commands to send to device so you can't see the configuration tab in ASDM.
Thanks for your support.
ASKER CERTIFIED SOLUTION
THIS SOLUTION ONLY AVAILABLE TO MEMBERS.
View this solution by signing up for a free trial.
Members can start a 7-Day free trial and enjoy unlimited access to the platform.
ASKER
Thanks for your suggestion, but it didn't resolve.
I did exactly like you mentioned.
Uninstalled ASDM,
Deleted ASDM Folder from prog files>cisco systems
Copied new bin file to firewall from working firewall
launched and Installed asdm from the firewall.
Same issue found.
:(
I did exactly like you mentioned.
Uninstalled ASDM,
Deleted ASDM Folder from prog files>cisco systems
Copied new bin file to firewall from working firewall
launched and Installed asdm from the firewall.
Same issue found.
:(
Did you also delete hidden ".asdm" folder under your user profile prior to new installation?
Uninstall doesn't delete that folder. So your cache stays.
Also try to delete Java cache ( in Java control panel).
Uninstall doesn't delete that folder. So your cache stays.
Also try to delete Java cache ( in Java control panel).
ASKER
Thanks Man, earlier I had deleted .asdm from similar user profile, now I deleted from correct profile.
Thanks again, its working as expected now :)
Thanks again, its working as expected now :)
ASKER
oooOPs man..... My mistake... It is still not working.....,
during the troubleshooting by mistake I had disable the authorization in AAA configuration for commands that is why ASDM was loading successfully for read only user.
I just observed that, I am sorry man, do you have any other solution for this.?
during the troubleshooting by mistake I had disable the authorization in AAA configuration for commands that is why ASDM was loading successfully for read only user.
I just observed that, I am sorry man, do you have any other solution for this.?
Very weird.
Did you try to add commands through CLI before loging in through ASDM:
asdm group XXXX Interface-name
asdm group YYYY Interface-name
If it doesn't help, I suggest upgrade of both IOS and ASDM.
Did you try to add commands through CLI before loging in through ASDM:
asdm group XXXX Interface-name
asdm group YYYY Interface-name
If it doesn't help, I suggest upgrade of both IOS and ASDM.
ASKER
No, I did not try to do that.
For testing I had done below,
1. When read only user was having this issue.
2. I assigned that read only user as priv 15 so that the commands can be pushed successfully to device, I thought once commands will be sent then it won't ask to send commands again.
3. When read only user (at moment privilege 15) successful login to ASDM then I logged off and then logged in back with Administrator account and set the read only users privilege back to 5.
Again these commands were showing like earlier.
For testing I had done below,
1. When read only user was having this issue.
2. I assigned that read only user as priv 15 so that the commands can be pushed successfully to device, I thought once commands will be sent then it won't ask to send commands again.
3. When read only user (at moment privilege 15) successful login to ASDM then I logged off and then logged in back with Administrator account and set the read only users privilege back to 5.
Again these commands were showing like earlier.
OK, ignore my last suggestion for manual configuration, as per command reference:
Do not manually configure this command. ASDM adds asdm group commands to the running configuration and uses them for internal purposes. This command is included in the documentation for informational purposes only.
But you can try to lower the priviledge level of this command with:
privilege configure level 5 command asdm group
Maybe this will do the trick, and allow you to user privilege level 5.
Did you try to reboot ASA?
If yes, as last resort, if you can do ASA downtime:
- save your current config to TFTP and flash
- write erase, to reset ASA to default settings
- create only interfaces and users, and allow https access, and try to login as priv level 5
So far it seems like a buggy behaviour.
Try to upgrade to ASA 7.0.8 and ASDM 5.0.8, or even better ASA 7.2.5 and ASDM 5.2.5.
Regards!
Do not manually configure this command. ASDM adds asdm group commands to the running configuration and uses them for internal purposes. This command is included in the documentation for informational purposes only.
But you can try to lower the priviledge level of this command with:
privilege configure level 5 command asdm group
Maybe this will do the trick, and allow you to user privilege level 5.
Did you try to reboot ASA?
If yes, as last resort, if you can do ASA downtime:
- save your current config to TFTP and flash
- write erase, to reset ASA to default settings
- create only interfaces and users, and allow https access, and try to login as priv level 5
So far it seems like a buggy behaviour.
Try to upgrade to ASA 7.0.8 and ASDM 5.0.8, or even better ASA 7.2.5 and ASDM 5.2.5.
Regards!
ASKER
Happy new year...
I will try to erase config and then I will start with basic config of ASA like interface config and management of ASA config with user privileges.
I think write erase will remove everything from flash including IOS ?
I will try this tomorrow, as today holiday....
I will try to erase config and then I will start with basic config of ASA like interface config and management of ASA config with user privileges.
I think write erase will remove everything from flash including IOS ?
I will try this tomorrow, as today holiday....
Happy New Year!
Write erase will erase only startup config from NVRAM.
Flash files including IOS are deleted only if you use 'delete' command.
You can safely execute 'copy run flash:' prior to 'write erase' to backup running-config to flash for quick restore if needed.
Regards!
Write erase will erase only startup config from NVRAM.
Flash files including IOS are deleted only if you use 'delete' command.
You can safely execute 'copy run flash:' prior to 'write erase' to backup running-config to flash for quick restore if needed.
Regards!
ASKER
I did write erase and did basic configuration. I was able to login with read only user in expected manner.
Now I am going to load the old configuration in the firewall and this time I will be copying the config to firewall step by step and will see where issue comes at....
;)
Now I am going to load the old configuration in the firewall and this time I will be copying the config to firewall step by step and will see where issue comes at....
;)
ASKER
Hi,
I used multiple combinations and observed that one of the object group used in security policies is also configured for a nat exemption then it shows this error. When I converted the object group (used in NAT exemption) to specific hosts in multiple policies, it was fine, it was allowing the read only user to login to ASDM.
I don't know what was the cause but the problem is related to few object groups (network) being used in access-list for policy NATs.
If I keep the object groups and remove all the policies for these object groups then there is no issue.
but when I put any access-list (dynamic NAT or policy NAT) for the object groups then below problem appears,
When read only user (priv level-5) logs in to ASDM then it gives an error for those object groups which are being used in dynamic NAT or policy NAT.
Error which I have reported initially.
I used multiple combinations and observed that one of the object group used in security policies is also configured for a nat exemption then it shows this error. When I converted the object group (used in NAT exemption) to specific hosts in multiple policies, it was fine, it was allowing the read only user to login to ASDM.
I don't know what was the cause but the problem is related to few object groups (network) being used in access-list for policy NATs.
If I keep the object groups and remove all the policies for these object groups then there is no issue.
but when I put any access-list (dynamic NAT or policy NAT) for the object groups then below problem appears,
When read only user (priv level-5) logs in to ASDM then it gives an error for those object groups which are being used in dynamic NAT or policy NAT.
Error which I have reported initially.
ASKER
Hi Fide!!
Any clue....?
Any clue....?
Hi,
Sorry for delay, madhouse at work. :-)
It seems like bug in software. I'll try to check in BugToolkit. Can you post config part that causes problems?
Tnx!
Sorry for delay, madhouse at work. :-)
It seems like bug in software. I'll try to check in BugToolkit. Can you post config part that causes problems?
Tnx!
ASKER
Hi Fide,
Below is the summary I could prepare for you, Please let me know in case you need any additional information to understand it.
When I use NAT0 statement for my server (192.168.5.50) as a member of a object group Radius_Auth_SRV as below then there is an issue
object-group network Radius_Auth_SRV
network-object 192.168.5.50 255.255.255.255
access-list DMZ_nat0_inbound extended permit ip host 10.18.210.19 object-group Radius_Auth_SRV
AND.... If I use the same statement but use specific host IP instead of object group as below then no issues at all.
access-list DMZ_nat0_inbound extended permit ip host 10.18.210.19 host 192.168.5.50
The host 192.168.5.50 is being used in below config in the firewall. This is DMZ firewall and IP Address 10.18.210.19 is internal interface of internet firewall.
name 192.168.5.50 ADC description NameServer-1
network-object 192.168.5.50 255.255.255.255
network-object 192.168.5.50 255.255.255.255
access-list Outsideaccessin extended permit udp host 10.18.210.19 host 192.168.5.50 eq ntp
access-list GTX-int01_access_in extended permit tcp object-group Billing_ALL_SERVERS host 192.168.5.50 eq smtp
static (CallDC,INDI) 172.29.20.122 192.168.5.50 netmask 255.255.255.255
aaa-server ADC (CallDC) host 192.168.5.50
dhcpd dns 192.168.5.50 192.168.5.60
ntp server 192.168.5.50 source CallDC
Below is the summary I could prepare for you, Please let me know in case you need any additional information to understand it.
When I use NAT0 statement for my server (192.168.5.50) as a member of a object group Radius_Auth_SRV as below then there is an issue
object-group network Radius_Auth_SRV
network-object 192.168.5.50 255.255.255.255
access-list DMZ_nat0_inbound extended permit ip host 10.18.210.19 object-group Radius_Auth_SRV
AND.... If I use the same statement but use specific host IP instead of object group as below then no issues at all.
access-list DMZ_nat0_inbound extended permit ip host 10.18.210.19 host 192.168.5.50
The host 192.168.5.50 is being used in below config in the firewall. This is DMZ firewall and IP Address 10.18.210.19 is internal interface of internet firewall.
name 192.168.5.50 ADC description NameServer-1
network-object 192.168.5.50 255.255.255.255
network-object 192.168.5.50 255.255.255.255
access-list Outsideaccessin extended permit udp host 10.18.210.19 host 192.168.5.50 eq ntp
access-list GTX-int01_access_in extended permit tcp object-group Billing_ALL_SERVERS host 192.168.5.50 eq smtp
static (CallDC,INDI) 172.29.20.122 192.168.5.50 netmask 255.255.255.255
aaa-server ADC (CallDC) host 192.168.5.50
dhcpd dns 192.168.5.50 192.168.5.60
ntp server 192.168.5.50 source CallDC
While I'm running through BugToolkit, try to change object group name from Radius_Auth_SRV to RadiusAuthSRV. Does the issue remain?
ASKER
Let me try this...
ASKER
No Luck, I tried to rename object group as you said and updated all policies but no luck.....
Why using an object group in NAT0 policy statement is creating this problem. I had used one host (192.168.5.50) in object group when I use this object group in access-list then there is no problem but when I use that object group in NAT 0 statement then it shows that error when user logs in ASDM with privilege level 5.
If I use the same host (192.168.5.50) instead of object group in the same NAT 0 policy statement then there is no issue, user with privilege level 5 can login to ASDM without any issue.
Below NAT 0 policy statement with object group ---- In this case there is a problem..
access-list DMZ_nat0_inbound extended permit ip host 10.18.210.19 object-group RadiusAuthSRV
Below NAT 0 policy statement with host ---- In this case there is no problem.
access-list DMZ_nat0_inbound extended permit ip host 10.18.210.19 host 192.168.5.50
For testing purpose I have configured Object group RadiusAuthSRV, it contains only one host that is 192.168.5.50.
Why using an object group in NAT0 policy statement is creating this problem. I had used one host (192.168.5.50) in object group when I use this object group in access-list then there is no problem but when I use that object group in NAT 0 statement then it shows that error when user logs in ASDM with privilege level 5.
If I use the same host (192.168.5.50) instead of object group in the same NAT 0 policy statement then there is no issue, user with privilege level 5 can login to ASDM without any issue.
Below NAT 0 policy statement with object group ---- In this case there is a problem..
access-list DMZ_nat0_inbound extended permit ip host 10.18.210.19 object-group RadiusAuthSRV
Below NAT 0 policy statement with host ---- In this case there is no problem.
access-list DMZ_nat0_inbound extended permit ip host 10.18.210.19 host 192.168.5.50
For testing purpose I have configured Object group RadiusAuthSRV, it contains only one host that is 192.168.5.50.
ASKER
I think above issue is related to somewhere when using an object group in NAT0 statement, I replaced all the object groups by specific hosts in all NAT0 statements and now it is working fine.
It seems that there is some kind of bug in usage of NAT0 and object groups in 7.0 software.
I've searched BugToolkit but I couldn't find any similar issue there.
So as you have isolated the problem and it is reproducible, you can open TAC case for this issue. By my experience with TAC, their first suggestion will be to upgrade your ASA software to more recent version, as 7.0.x is EoL/EoS and it is not developed further:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/end_of_life_c51-588227.html
Regards!
I've searched BugToolkit but I couldn't find any similar issue there.
So as you have isolated the problem and it is reproducible, you can open TAC case for this issue. By my experience with TAC, their first suggestion will be to upgrade your ASA software to more recent version, as 7.0.x is EoL/EoS and it is not developed further:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/end_of_life_c51-588227.html
Regards!
You can find solution on link below. Disregard ACS parts, it works for local authentication and authorization also:
https://supportforums.cisco.com/thread/217750
"Currently, logging in with a user of privilege 15, navigate to Configuration > Device Administration > AAA Access > Authorization. There is a button "Predefined User Account Privilege". If you select this and apply this, it will set a series of commands to a lower privilege based on what ASDM needs to authorize that user for either Read Only or Monitor Only access.
Then you would need to create a new user account with privilege 5 access so that ASDM is read only, or create a new user with privilege 3 for monitor-only access."
Regards!