Some facts about ASA and aaa

  • a user on ASA has privilege 2 by default
  • the minimum privilege level needed to access ASDM is 2
  • read-only access to ASDM requires a user with priv 2, service-type ‘nas-prompt’ and ‘aaa authorization command LOCAL’ + access to ‘show’ commands (Configuration > Device Management > Users/AAA > AAA Access > Authorization and ‘Set ASDM Defined User Roles’)
  • telnet to the ASA is not allowed on an interface with security level 0
  • to control which commands a user is allowed to run you have to configure:
      aaa authentication telnet console LOCAL
      aaa authorization command LOCAL

      privilege show level 7 command crypto
      enable password test7 level 7
    btw the command “privilege show level 7 command crypto” is converted to:
      privilege show level 7 mode exec command crypto
      privilege show level 7 mode configure command crypto

  • you can exclude hosts from aaa: aaa mac-exempt match MAC-ACL
  • using local aaa you can limit the number of failed authentication attempts: aaa local authentication attempts max-fail 2
  • you can limit the number of concurrent proxy connections: aaa proxy-limit 2
  • proxy - you can define any port on an ASA interface without creating a virtual telnet server: aaa authentication listener http inside port 1234
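
The read-only ASDM user and the level-7 command-authorization facts above combined into one configuration, as an added example that is not part of the original notes; the user name, the chosen ‘show’ commands and the password placeholders are assumptions.

```text
! Added example (not from the original notes): a read-only ASDM/CLI user
! at privilege 2 and an operator at privilege 7 who may also see crypto
! state. "ro-admin" and the <...> passwords are placeholders.

! Read-only user: privilege 2 is the minimum for ASDM; nas-prompt allows
! CLI login and ASDM monitoring but denies ASDM configuration changes.
username ro-admin password <PASSWORD-PLACEHOLDER> privilege 2
username ro-admin attributes
 service-type nas-prompt

! Authenticate management sessions against the local user database
aaa authentication http console LOCAL
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL

! Without command authorization the privilege levels are not enforced
aaa authorization command LOCAL

! Lower a few 'show' commands to level 2 so the read-only user gets
! output ("Set ASDM Defined User Roles" does this for ASDM's own list
! of commands; the three below are just this example's choice)
privilege show level 2 mode exec command running-config
privilege show level 2 mode exec command interface
privilege show level 2 mode exec command access-list

! Level 7 operator: everything level 2 can see plus 'show crypto ...'.
! The short form is stored as both exec-mode and configure-mode entries.
privilege show level 7 command crypto
enable password <PASSWORD-PLACEHOLDER> level 7

! Lock a local user out after two failed attempts (from the notes)
aaa local authentication attempts max-fail 2
```

Check the result with ‘show running-config privilege’ and by logging in as the level-2 user: a ‘show crypto’ attempt should be rejected by command authorization while ‘show interface’ succeeds.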

