
I am setting up our new ASAs at Stack Exchange and am trying to follow some best practices like using configuration management and minimum-permissions-necessary users. What I'm trying to do is utilize the https server to download the running config. If you were unaware, when https is enabled and you have sufficient privileges, you can go to https://asa-ip/config to download the current running config.

There are two problems I am trying to solve:

  1. I have set up LDAP access for the ASA so that we can use our Active Directory to auth to the ASA. It works via ssh, but http still seems to use the LOCAL database, and I'm unaware of the command to cause the http server to look up from the LDAP source.

  2. Which aaa commands are necessary to authorize a lower-privilege user to download the config in this manner? Is this even possible, or am I stuck making a priv 15 user?

Peter Grace

1 Answer


Your AAA command is `aaa authentication http console [your LDAP server group]`.

As far as the privilege level for that URL, it should just use the `show run` authorization level, which you can change with `privilege show level 1 mode exec command running-config`, but you might try turning on `debug aaa authorization` if that doesn't work.

By default only a few commands are set to level 0 and the rest are level 15.

Remember that privilege levels 2+ are enable-mode privileges and that you may need to put your user at level 2 or higher in order to get the HTTPS server to allow them to log in.

FWIW, I tested this on my ASA with 8.2 code and was unable to get this to work with a user under level 15, even with `show run` set to privilege level 2. I usually see configuration management accomplished with a command-line solution like Rancid.

resmon6
  • Thanks, this was indeed the solution; as an addendum, I created a service account that was put into a group which through an attribute-map is set to helpdesk level. This permits the login to copy the config but doesn't allow the account to access enable mode on the cli. – Peter Grace Mar 30 '12 at 14:55
  • One more thing. If you want to copy the full configuration with all passwords and keys intact you can use `more system:running-config`. This is useful if you have VPNs using preshared keys on your ASA. – resmon6 Mar 30 '12 at 15:11
  • This is interesting, but I don't know if I could save that file from http which was the main thing. I didn't want to write an expect script to back up the ASA unless I had to; the http method is so painfully simple. – Peter Grace Mar 30 '12 at 18:58
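The answer boils down to two lines of ASA configuration (`aaa authentication http console <group>` and `privilege show level N mode exec command running-config`) plus the rule that the backup account needs privilege level 2 or higher to get past the HTTPS login. The script below is an added example, not code from the question, the answer, or Cisco; it audits a saved running-config for exactly those three conditions so you can check a device before handing a low-privilege service account to a backup job. The two config fragments, the `LDAP_SRV` server-group name, and the backup-account privilege level are constructed for the example; the level-15 default for `show running-config` is the one the answer states.

```python
"""Audit the AAA and privilege lines that govern https://asa-ip/config access.

Added example: parses constructed ASA running-config fragments and checks
  1. http console authentication points at the LDAP server group, not LOCAL;
  2. the backup account's level is >= 2 (enable-mode level the HTTPS login needs);
  3. the backup account's level reaches the level set for `show running-config`.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# Constructed sample: the state the question describes (http still on LOCAL).
CONFIG_BEFORE = """\
hostname asa-before
aaa-server LDAP_SRV protocol ldap
aaa authentication ssh console LDAP_SRV LOCAL
aaa authentication http console LOCAL
aaa authentication enable console LDAP_SRV LOCAL
http server enable
http 10.0.0.0 255.255.255.0 inside
"""

# Constructed sample: the state after applying the answer's two commands.
CONFIG_AFTER = """\
hostname asa-after
aaa-server LDAP_SRV protocol ldap
aaa authentication ssh console LDAP_SRV LOCAL
aaa authentication http console LDAP_SRV LOCAL
aaa authentication enable console LDAP_SRV LOCAL
privilege show level 2 mode exec command running-config
http server enable
http 10.0.0.0 255.255.255.0 inside
"""

AAA_AUTH_RE = re.compile(r"^aaa authentication (\S+) console (.+)$")
PRIV_RE = re.compile(r"^privilege (\S+) level (\d+) mode (\S+) command (.+)$")

DEFAULT_SHOW_RUN_LEVEL = 15  # per the answer: commands not lowered stay at level 15
MIN_HTTPS_LOGIN_LEVEL = 2    # per the answer: level 2+ is enable-mode privilege


@dataclass
class AaaAudit:
    http_auth: list[str]                     # server groups for http console auth, in order
    show_run_level: int                      # level needed for `show running-config`
    findings: list[str] = field(default_factory=list)


def parse_aaa(config: str) -> AaaAudit:
    """Pull the http authentication method list and the show running-config level."""
    http_auth: list[str] = []
    show_run_level = DEFAULT_SHOW_RUN_LEVEL
    for raw in config.splitlines():
        line = raw.strip()
        m = AAA_AUTH_RE.match(line)
        if m and m.group(1) == "http":
            http_auth = m.group(2).split()          # e.g. ["LDAP_SRV", "LOCAL"]
        m = PRIV_RE.match(line)
        if m and (m.group(1), m.group(3), m.group(4)) == ("show", "exec", "running-config"):
            show_run_level = int(m.group(2))
    return AaaAudit(http_auth=http_auth, show_run_level=show_run_level)


def audit(config: str, backup_user_level: int) -> AaaAudit:
    """Return the parsed settings plus a list of findings; an empty list means OK."""
    result = parse_aaa(config)
    if not result.http_auth:
        result.findings.append("no 'aaa authentication http console' line: LDAP group is not consulted")
    elif result.http_auth[0] == "LOCAL":
        result.findings.append("http console authenticates against LOCAL first, not the LDAP group")
    if backup_user_level < MIN_HTTPS_LOGIN_LEVEL:
        result.findings.append(
            f"backup account level {backup_user_level} is below {MIN_HTTPS_LOGIN_LEVEL}; HTTPS login needs enable-mode level")
    if backup_user_level < result.show_run_level:
        result.findings.append(
            f"backup account level {backup_user_level} is below show running-config level {result.show_run_level}")
    return result


if __name__ == "__main__":
    for name, cfg in (("before", CONFIG_BEFORE), ("after", CONFIG_AFTER)):
        report = audit(cfg, backup_user_level=2)
        print(f"{name}: http auth={report.http_auth} show-run level={report.show_run_level}")
        for finding in report.findings:
            print(f"  - {finding}")
```

Running it with the constructed samples flags the "before" config twice (LOCAL-first http authentication and a level-2 account that cannot reach a level-15 `show running-config`) and passes the "after" config. Note the comment above about `more system:running-config`: a config fetched through the `show running-config` authorization path has keys and passwords masked, so an audit of the downloaded file should not be read as an audit of the device's secrets.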