Posts

Showing posts from June, 2014

Some facts about ASA and aaa

The default user on the ASA has privilege 2. The minimum privilege needed to access ASDM is 2. Read-only access to ASDM requires a user with privilege 2, service-type 'nas-prompt' and 'aaa authorization command LOCAL', plus access to the 'show' commands (Configuration > Device Management > Users/AAA > AAA Access > Authorization and 'Set ASDM Defined User Roles').

Telnet to the ASA is not allowed on an interface with security level 0.

To control which commands are allowed you have to configure:

  aaa authentication telnet console LOCAL
  aaa authorization command LOCAL
  privilege show level 7 command crypto
  enable password test7 level 7

By the way, the command "privilege show level 7 command crypto" is converted to:

  privilege show level 7 mode exec command crypto
  privilege show level 7 mode configure command crypto

You can exclude hosts from aaa:

  aaa mac-exempt match MAC-ACL

Using local aaa you can limit the number of failed authentications:

  aaa local authentication attempts m

Auth proxy - ASA

I studied some methods of auth proxy on ASA and ACS. Below you can find a few examples:

1) Method no 1

We can match traffic passing through the firewall:

  access-list TELNET-TRAFFIC extended permit tcp any any eq telnet
  aaa authentication match TELNET-TRAFFIC inside TACACS

Once we initiate traffic we will be asked for authentication:

  [hzw@zeus ~]$ telnet 7.7.7.7
  Trying 7.7.7.7...
  Connected to 7.7.7.7.
  Escape character is '^]'.
  Username: user1
  Password:
  User Access Verification
  Password:
  R3>

As we see above, first we were asked for ASA proxy authentication and then for the telnet password set up on R3. Let's check the uauth table:

  ciscoasa(config)# sh uauth
                          Current    Most Seen
  Authenticated Users       1          1
  Authen In Progress        0          1
  user 'test1' at 192.168.157.130, authenticated
     absolute   timeout: 0:05:00
     inactivity timeout: 0: