You may have had an occasion where a user wanted access to an ASA firewall. You are hesitant to grant access, because you don’t want anything broken.

Or, perhaps you have operations staff who need to do basic troubleshooting. But as before, you don’t want too many people having full access.

You may have tried tackling this problem using privilege levels like this:

If you’ve done this, you may have found that levels 0 and 1 grant very restricted access. But all other levels grant full access. This is where Command Policies come in.

You have to define the policies yourself. Once you’ve done that, you can grant limited access to the ASA. In the previous example, you could grant read-only access to a policy.

We’re going to have a look at how to create command policies, and apply them with RADIUS. This applies to the traditional ASA image, not Threat Defence.

Command Authorization is assigning commands to different privilege levels. There are two ways you can do this:

• Local Privilege Levels, where everything is configured on each ASA
• TACACS+, where configuration takes place on a central TACACS server

In this article, we’ll look at using local privilege levels. Later, we’ll use RADIUS to log on.

We use the privilege command to configure a command policy, as shown below.

The command at the very end is the command that we grant privileges to. In the example, we’re granting access to the running-config command.

The level is the privilege level that’s required to run the command. Here we require the user to have level 8 or greater to run the command.

Each command has a variant. These are show, clear, and cmd. In the example, we allow show running-config, but not clear or cmd. cmd refers to commands that change the configuration. If you don’t specify anything, the ASA will allow all three variants.

Some commands behave differently in exec (user or privileged) and configuration mode. The mode command optionally specifies which mode the privilege applies to.

The example below contains the commands needed to get ASDM access working.

The default behaviour is for privilege levels to apply to accounts in the local database. External accounts default to privilege level 15.

Change this behaviour by enabling authorization with authentication servers. First, enable local command privileges:

Next, configure RADIUS logins to work with locally configured command policies:

On the RADIUS server, be sure to use the following settings:

• Service-Type: Administrative
• Vendor-ID: 3076
• Attribute-ID: 220
• Value: The privilege-level you want to assign

We’ll have a look at using Microsoft’s NPS, as it’s a common RADIUS solution.

I’m going to assume that you already have NPS installed and basically set up. This also assumes that you have a RADIUS policy already configured. We’re just going to add command authorization functions here.

Edit your network policy, and Click the Settings tab. Under Standard RADIUS attributes, add Service-Type, and set it to Administrative.

Under Vendor Specific RADIUS attributes, add a Vendor Specific Attribute.

1. Set the Vendor to Custom
2. From the attributes list, select the Vendor-Specific attribute

1. Add an Attribute Value
2. Select Enter Vendor Code, and use 3076 as the Vendor ID
3. Select Yes it conforms

Click the Configure Attribute button.

1. Set the Vendor-Assigned Attribute Number to 220
2. Set the Attribute format to Decimal
3. Set the Attribute Value to the privilege-level

Finished config: