Solved

Cisco ASA - Read only user unable to view Configuration in ASDM

Posted on 2012-12-21
2,335 Views
Last Modified: 2013-01-18
Hi,
I have ASA 7.0(6) and ASDM 5.0. I have to create a user with read-only access (privilege level 5).
When trying to log in with this user, it gives an error that a few commands need to be sent to the device. If I cancel that dialog box (do not send to device), it gives a message that there will be no access to the configuration page in ASDM. But when I click on send (send commands to device), I see the dialog box with the commands being sent to the device, but at the end it says command authorization failed (due to read-only access).

Please let me know in case any other info is required and help me in resolving this.

Thanks.
Question by:abhaysecurity
24 Comments
 
LVL 12

Expert Comment

by:Fidelius
ID: 38719134
Hello,

You can find the solution at the link below. Disregard the ACS parts; it works for local authentication and authorization also:
https://supportforums.cisco.com/thread/217750

"Currently, logging in with a user of privilege 15, navigate to Configuration > Device Administration > AAA Access > Authorization.  There is a button "Predefined User Account Privilege".  If you select this and apply this, it will set a series of commands to a lower privilege based on what ASDM needs to authorize that user for either Read Only or Monitor Only access.

Then you would need to create a new user account with privilege 5 access so that ASDM is read only, or create a new user with privilege 3 for monitor-only access.
"

Regards!

Author Comment

by:abhaysecurity
ID: 38719513
Thanks Fidelius for your response,

I tried your suggestion; unfortunately I could not find such an option, maybe because of the difference in version of ASDM/ASA. The snapshot is attached for your reference.

I have ASA 7.0(6) and ASDM 5.0.
ReadOnlyUserPriv.docx
LVL 12

Expert Comment

by:Fidelius
ID: 38719554
Did you try opening "Advanced..." on that tab?

Here is the ASDM Online Help for Release 5.0(4):
http://www.cisco.com/en/US/docs/security/asa/asa70/asdm50/user/guide/asdmhelp.pdf

You can find paths and descriptions for the needed screens on PDF pages 402, 403, 404 (or, in Cisco's page numbering, 9-388, 9-389, 9-390).

Hope it will help!

Regards!

Author Comment

by:abhaysecurity
ID: 38731712
Hi Fidelius,

I have gone through the material you posted, but unfortunately I am unable to understand how that is going to make a difference.

I have verified this configuration on another firewall in my network and found it similar to this firewall, but I am not facing that issue on the other firewall.

I am able to log in properly to the other firewall with read-only rights (priv 5) and able to see the configuration page in ASDM, but not on this one firewall.

What I am doubtful about: are there any commands residing somewhere in cache memory, or are those commands executed at startup when I launch ASDM? If I have privilege 15 then it sends those commands, and if I have privilege 5 then I can't send the commands to the device and hence it fails and shows the error.

The error sequence is as below.

When I attempt to log in to ASDM with read-only priv (priv 5):

1. ASDM loads up to 52% and pops up a window containing a few commands as below, which make no changes: first it sends commands to remove the object groups and then it creates the object groups.

no asdm group XXXX Interface-name
no asdm group YYYY Interface-name
asdm group XXXX Interface-name
asdm group YYYY Interface-name

In this window it shows two options, send or cancel. If I click on send then it tries to send the commands to the device and fails due to privilege level 5, and again gives an error; but when I cancel, it says that you have cancelled the commands to be sent to the device, so you can't see the configuration tab in ASDM.

Thanks for your support.
LVL 12

Accepted Solution

by:Fidelius (earned 500 total points)
ID: 38731770
The ASDM cache is in ".asdm" under your user profile. It is a hidden directory, so you will need to turn on the "Show hidden files and folders" option in Windows.

On Win XP it is under:
C:\Documents and Settings\<your_username>\.asdm\cache

Try clearing it.
If that doesn't work, uninstall ASDM from the PC and delete the ".asdm" folder. You can also delete "C:\Program Files\Cisco Systems\ASDM" if the uninstall process doesn't remove it.
Then copy the ASDM BIN file from the working firewall to the non-working one, and install ASDM on the PC from the beginning.

Please let me know how it behaves afterwards.

Regards!

Author Comment

by:abhaysecurity
ID: 38731802
Thanks for your suggestion, but it didn't resolve it.
I did exactly as you mentioned:
Uninstalled ASDM,
Deleted the ASDM folder from Program Files > Cisco Systems,
Copied the new bin file to the firewall from the working firewall,
Launched and installed ASDM from the firewall.
Same issue found.

:(
LVL 12

Expert Comment

by:Fidelius
ID: 38731849
Did you also delete the hidden ".asdm" folder under your user profile prior to the new installation?

Uninstall doesn't delete that folder, so your cache stays.
Also try deleting the Java cache (in the Java Control Panel).

Author Closing Comment

by:abhaysecurity
ID: 38731874
Thanks man, earlier I had deleted .asdm from a similar user profile; now I deleted it from the correct profile.

Thanks again, it's working as expected now :)

Author Comment

by:abhaysecurity
ID: 38731896
Oops man... my mistake... it is still not working.
During the troubleshooting, by mistake I had disabled the authorization for commands in the AAA configuration; that is why ASDM was loading successfully for the read-only user.

I just observed that. I am sorry man, do you have any other solution for this?
LVL 12

Expert Comment

by:Fidelius
ID: 38732299
Very weird.
Did you try adding the commands through the CLI before logging in through ASDM:
asdm group XXXX Interface-name
asdm group YYYY  Interface-name

If it doesn't help, I suggest an upgrade of both the IOS and ASDM.

Author Comment

by:abhaysecurity
ID: 38732348
No, I did not try that.

For testing I had done the below:

1. The read-only user was having this issue.
2. I assigned that read-only user priv 15 so that the commands could be pushed successfully to the device; I thought that once the commands were sent, it wouldn't ask to send the commands again.
3. When the read-only user (at that moment privilege 15) successfully logged in to ASDM, I logged off, then logged back in with the Administrator account and set the read-only user's privilege back to 5.

Again these commands were showing as before.
LVL 12

Expert Comment

by:Fidelius
ID: 38732413
OK, ignore my last suggestion for manual configuration; as per the command reference:
Do not manually configure this command. ASDM adds asdm group commands to the running configuration and uses them for internal purposes. This command is included in the documentation for informational purposes only.

But you can try lowering the privilege level of this command with:
privilege configure level 5 command asdm group

Maybe this will do the trick and allow you to use privilege level 5.

Did you try rebooting the ASA?
If yes, as a last resort, if you can have ASA downtime:
- save your current config to TFTP and flash
- write erase, to reset the ASA to default settings
- create only interfaces and users, allow https access, and try to log in as priv level 5

So far it seems like buggy behaviour.
Try upgrading to ASA 7.0.8 and ASDM 5.0.8, or even better ASA 7.2.5 and ASDM 5.2.5.

Regards!

Author Comment

by:abhaysecurity
ID: 38733710
Happy new year...

I will try to erase the config and then I will start with a basic config of the ASA, like interface config and management of ASA config with user privileges.

I think write erase will remove everything from flash including the IOS?

I will try this tomorrow, as today is a holiday....
LVL 12

Expert Comment

by:Fidelius
ID: 38733886
Happy New Year!

Write erase will erase only the startup config from NVRAM.
Flash files including the IOS are deleted only if you use the 'delete' command.
You can safely execute 'copy run flash:' prior to 'write erase' to back up the running-config to flash for a quick restore if needed.

Regards!

Author Comment

by:abhaysecurity
ID: 38753233
I did a write erase and did the basic configuration. I was able to log in with the read-only user in the expected manner.
Now I am going to load the old configuration into the firewall, and this time I will be copying the config to the firewall step by step and will see where the issue comes up....

;)

Author Comment

by:abhaysecurity
ID: 38761977
Hi,

I used multiple combinations and observed that if one of the object groups used in security policies is also configured for a NAT exemption, then it shows this error. When I converted the object group (used in the NAT exemption) to specific hosts in multiple policies, it was fine; it was allowing the read-only user to log in to ASDM.

I don't know what the cause was, but the problem is related to a few object groups (network) being used in access-lists for policy NATs.

If I keep the object groups and remove all the policies for these object groups then there is no issue,

but when I put any access-list (dynamic NAT or policy NAT) for the object groups then the below problem appears:

When the read-only user (priv level 5) logs in to ASDM, it gives an error for those object groups which are being used in dynamic NAT or policy NAT.

This is the error which I reported initially.

Author Comment

by:abhaysecurity
ID: 38765426
Hi Fide!!

Any clue....?
LVL 12

Expert Comment

by:Fidelius
ID: 38766072
Hi,
Sorry for delay, madhouse at work. :-)

It seems like a bug in the software. I'll try to check in the Bug Toolkit. Can you post the config part that causes the problems?
Tnx!

Author Comment

by:abhaysecurity
ID: 38773032
Hi Fide,
Below is the summary I could prepare for you. Please let me know in case you need any additional information to understand it.

When I use a NAT 0 statement for my server (192.168.5.50) as a member of the object group Radius_Auth_SRV as below, then there is an issue:

object-group network Radius_Auth_SRV
 network-object 192.168.5.50 255.255.255.255

access-list DMZ_nat0_inbound extended permit ip host 10.18.210.19 object-group Radius_Auth_SRV

AND... if I use the same statement but use the specific host IP instead of the object group as below, then there are no issues at all.

access-list DMZ_nat0_inbound extended permit ip host 10.18.210.19 host 192.168.5.50


The host 192.168.5.50 is used in the below config in the firewall. This is the DMZ firewall, and IP address 10.18.210.19 is the internal interface of the internet firewall.

name 192.168.5.50 ADC description NameServer-1
 network-object 192.168.5.50 255.255.255.255
 network-object 192.168.5.50 255.255.255.255
access-list Outsideaccessin extended permit udp host 10.18.210.19 host 192.168.5.50 eq ntp
access-list GTX-int01_access_in extended permit tcp object-group Billing_ALL_SERVERS host 192.168.5.50 eq smtp
static (CallDC,INDI) 172.29.20.122 192.168.5.50 netmask 255.255.255.255
aaa-server ADC (CallDC) host 192.168.5.50
dhcpd dns 192.168.5.50 192.168.5.60
ntp server 192.168.5.50 source CallDC
LVL 12

Expert Comment

by:Fidelius
ID: 38777489
While I'm running through the Bug Toolkit, try changing the object group name from Radius_Auth_SRV to RadiusAuthSRV. Does the issue remain?

Author Comment

by:abhaysecurity
ID: 38780671
Let me try this...

Author Comment

by:abhaysecurity
ID: 38780999
No luck. I tried renaming the object group as you said and updated all policies, but no luck.....

Why does using an object group in a NAT 0 policy statement create this problem? I had used one host (192.168.5.50) in an object group; when I use this object group in an access-list there is no problem, but when I use that object group in a NAT 0 statement it shows that error when the user logs in to ASDM with privilege level 5.

If I use the same host (192.168.5.50) instead of the object group in the same NAT 0 policy statement then there is no issue; a user with privilege level 5 can log in to ASDM without any issue.

Below is the NAT 0 policy statement with the object group ---- in this case there is a problem:

access-list DMZ_nat0_inbound extended permit ip host 10.18.210.19 object-group RadiusAuthSRV

Below is the NAT 0 policy statement with the host ---- in this case there is no problem:

access-list DMZ_nat0_inbound extended permit ip host 10.18.210.19 host 192.168.5.50

For testing purposes I have configured the object group RadiusAuthSRV; it contains only one host, 192.168.5.50.

Author Comment

by:abhaysecurity
ID: 38789999
I think the above issue is somehow related to using an object group in a NAT 0 statement. I replaced all the object groups with specific hosts in all NAT 0 statements and now it is working fine.
 
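The workaround the author arrived at (replacing object-groups in the NAT 0 access-lists with explicit host entries) is mechanical enough to script. The following is an added example, not code from the thread or from Cisco: a small Python tool that parses the `object-group network` blocks and the `nat (ifc) 0 access-list NAME` bindings from a pre-8.3 ASA running config, expands only the ACLs bound to NAT exemption (nested `group-object` members included), and leaves every other access-list, including ones that use the same groups, untouched. The sample config is constructed for the example: the group names Radius_Auth_SRV and Billing_ALL_SERVERS and the addresses 192.168.5.50 and 10.18.210.19 are the ones quoted in the thread; everything else (Exempt_Hosts, the 10.18.2xx.x addresses, the interface names in the nat lines) is made up.

```python
"""Expand object-group references in pre-8.3 ASA NAT-exemption (nat 0) ACLs.

Added example, not code from the thread or from Cisco. Only group/ACL names
and addresses quoted in the thread are real; all other sample data is constructed.
"""
import re
from itertools import product

HOST_MASK = "255.255.255.255"
# Source-port operators that may sit between the source and destination specs.
_PORT_OPS = {"eq": 2, "neq": 2, "gt": 2, "lt": 2, "range": 3}


def parse_object_groups(config):
    """Collect 'object-group network' blocks into {name: [member, ...]}.
    A member is ('net', ip, mask) or ('group', nested_group_name)."""
    groups, current = {}, None
    for raw in config.splitlines():
        if not raw.strip():
            continue
        if not raw.startswith(" "):          # top-level line: new block or end of one
            m = re.match(r"object-group network (\S+)$", raw.strip())
            current = groups.setdefault(m.group(1), []) if m else None
            continue
        if current is None:
            continue
        body = raw.split()
        if body[:2] == ["network-object", "host"] and len(body) == 3:
            current.append(("net", body[2], HOST_MASK))
        elif body[0] == "network-object" and len(body) == 3:
            current.append(("net", body[1], body[2]))
        elif body[0] == "group-object" and len(body) == 2:
            current.append(("group", body[1]))
        # 'description ...' and anything unrecognised is ignored
    return groups


def resolve_group(groups, name, _seen=frozenset()):
    """Flatten a group (following group-object nesting) into ACL address tokens.
    Raises KeyError for an undefined group and ValueError for a reference cycle."""
    if name in _seen:
        raise ValueError(f"object-group cycle through {name}")
    out = []
    for member in groups[name]:
        if member[0] == "group":
            out.extend(resolve_group(groups, member[1], _seen | {name}))
        else:
            _, ip, mask = member
            out.append(f"host {ip}" if mask == HOST_MASK else f"{ip} {mask}")
    return out


def _take_address(tokens, i, groups):
    """Parse one ACL address spec at tokens[i]; return (alternatives, next index)."""
    t = tokens[i]
    if t == "object-group":
        return resolve_group(groups, tokens[i + 1]), i + 2
    if t in ("host", "interface"):
        return [f"{t} {tokens[i + 1]}"], i + 2
    if t in ("any", "any4", "any6"):
        return [t], i + 1
    return [f"{t} {tokens[i + 1]}"], i + 2      # 'A.B.C.D MASK'


def _skip_port(tokens, i):
    """Index after an optional source-port operator starting at tokens[i]."""
    return i + _PORT_OPS.get(tokens[i], 0) if i < len(tokens) else i


def expand_acl_line(line, groups):
    """Rewrite one 'access-list NAME extended ...' entry so that no object-group
    appears as source or destination: one ACE per member combination, in order."""
    tokens = line.split()
    if tokens[:1] != ["access-list"] or "object-group" not in tokens or tokens[2] != "extended":
        return [line]                         # remarks, standard ACLs, group-free ACEs
    i = 6 if tokens[4] == "object-group" else 5   # the protocol may itself be a service group
    head = " ".join(tokens[:i])
    srcs, i = _take_address(tokens, i, groups)
    j = _skip_port(tokens, i)
    mid = " ".join(tokens[i:j])               # source port spec, if any
    dsts, i = _take_address(tokens, j, groups)
    tail = " ".join(tokens[i:])               # destination port spec, log options, ...
    return [" ".join(p for p in (head, s, mid, d, tail) if p) for s, d in product(srcs, dsts)]


def expand_nat0_acls(config):
    """Return the config with object-groups expanded only in ACLs bound by
    'nat (ifc) 0 access-list NAME'; every other line is returned unchanged."""
    groups = parse_object_groups(config)
    nat0 = set(re.findall(r"^nat \(\S+\) 0 access-list (\S+)", config, re.M))
    out = []
    for line in config.splitlines():
        tokens = line.split()
        if len(tokens) > 1 and tokens[0] == "access-list" and tokens[1] in nat0:
            out.extend(expand_acl_line(line, groups))
        else:
            out.append(line)
    return "\n".join(out)


# Constructed sample: pre-8.3 syntax as in the thread; Exempt_Hosts and the
# 10.18.220.x/230.x/240.x addresses are invented for the example.
SAMPLE_CONFIG = """\
object-group network Radius_Auth_SRV
 network-object 192.168.5.50 255.255.255.255
object-group network Billing_ALL_SERVERS
 description constructed sample members
 network-object host 10.18.220.10
 network-object 10.18.230.0 255.255.255.0
object-group network Exempt_Hosts
 group-object Billing_ALL_SERVERS
 network-object host 10.18.240.5
access-list DMZ_nat0_inbound extended permit ip host 10.18.210.19 object-group Radius_Auth_SRV
access-list INSIDE_nat0_outbound extended permit ip object-group Exempt_Hosts object-group Radius_Auth_SRV
access-list GTX-int01_access_in extended permit tcp object-group Billing_ALL_SERVERS host 192.168.5.50 eq smtp
nat (DMZ) 0 access-list DMZ_nat0_inbound
nat (CallDC) 0 access-list INSIDE_nat0_outbound
"""

if __name__ == "__main__":
    print(expand_nat0_acls(SAMPLE_CONFIG))
```

Each expanded entry is a single ACE with the same match as before, so the exemption's semantics do not change; only the object-group reference disappears from the NAT 0 ACL, which is the condition the author found to trigger the privilege-5 ASDM failure. The `GTX-int01_access_in` line keeps its group because it is not bound to `nat 0`. Review the output before pasting it back, remove the original ACEs first so duplicates do not accumulate, and note that this targets the `nat 0 access-list` form used in 7.x; 8.3 and later replaced it with object NAT and twice NAT, where this workaround does not apply.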
LVL 12

Expert Comment

by:Fidelius
ID: 38792126
It seems that there is some kind of bug in the usage of NAT 0 and object groups in the 7.0 software.
I've searched the Bug Toolkit but I couldn't find any similar issue there.

So, as you have isolated the problem and it is reproducible, you can open a TAC case for this issue. From my experience with TAC, their first suggestion will be to upgrade your ASA software to a more recent version, as 7.0.x is EoL/EoS and is not developed further:
http://www.cisco.com/en/US/prod/collateral/vpndevc/ps6032/ps6094/ps6120/end_of_life_c51-588227.html

Regards!
