You can use TACACS+
Usually, I suppose, you want to have two groups of Admin/Monitoring types of enforcement.
So I will give instructions based on the assumption that there will be:
- User who has Read/Write capabilities (privilege level 15)
- User who has Read only capabilities (privilege level 1)
First, create two roles by going to Configuration > Identity > Roles:
Role 1: TACACS_Admin_Role
Role 2: TACACS_Monitoring_Role
Then, go to Configuration > Identity > Role Mapping and create:
Role Mapping 1: TACACS_Admin_RoleMap
Role Mapping 2: TACACS_Monitoring_RoleMap
Then go to Configuration > Enforcement > Profiles.
Create two profiles with the following:
1. TACACS_Admin_Profile: on the service select privilege level 15, on the Selected Services select Shell, and on the Custom service make sure you have:
Type: Shell
Name: priv-lvl
Value: 15
Also, make sure that under the Commands tab you have Service Type: Shell and Unmatched Commands enabled (tick).
2. TACACS_Monitoring_Profile: on the service select privilege level 1, on the Selected Services select Shell, and on the Custom service make sure you have:
Type: Shell
Name: priv-lvl
Value: 1
Also, make sure that under the Commands tab you have Service Type: Shell and Unmatched Commands enabled (tick).
After you create the Enforcement, go to Configuration > Enforcement > Policies.
Create a policy, TACACS_Enforcement_Policy, and under Rules apply the rules you desire with the enforcement profiles you created.
For the service, I would suggest the following:
Add the devices as a group. So first, go to Configuration > Network > Devices. Add the devices (ASA-FW) here with the correct key for TACACS+.
Under Vendor Name select CISCO (no, do not select CISCO-ASA; it didn't work for me).
Then create a device group under Network > Device Groups where you place the devices you want to have access to, for example: TACACS_Devices.
After that, create the service for TACACS+ and on the Service Rule configure:
Type: Connection
Name: NAD-IP-Address
Operator: Belongs_to_Group
Value: TACACS_Devices
Sorry for making the post so long, but I hope this will help.
If you have any issues, contact me.
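As an added illustration (not part of the post above and not ClearPass or Cisco code), here is what those two enforcement profiles amount to on the wire. The assumption is that the Custom service entry (Type: Shell, Name: priv-lvl, Value: 15 or 1) is sent to the device as a mandatory `service=shell` / `priv-lvl=N` attribute pair in a TACACS+ authorization REPLY, encoded as RFC 8907 section 6.2 describes. The small encoder/decoder below builds and parses that body, and the `granted_privilege_level` check shows the device-side rule a defender cares about: a FAIL reply, an optional (`*`) attribute, or a malformed body must never turn into a privilege level.

```python
import struct

# TACACS+ authorization REPLY status codes (RFC 8907, section 6.2).
AUTHOR_STATUS_PASS_ADD = 0x01   # device keeps its request args and adds the returned ones
AUTHOR_STATUS_PASS_REPL = 0x02  # device replaces its request args with the returned ones
AUTHOR_STATUS_FAIL = 0x10       # authorization denied

# Constructed equivalents of the two enforcement profiles from the post (assumption):
# a "shell" service with a mandatory priv-lvl attribute. "=" marks a mandatory
# attribute; "*" would mark an optional one, which the device is free to ignore.
ADMIN_PROFILE_ARGS = ["service=shell", "priv-lvl=15"]
MONITORING_PROFILE_ARGS = ["service=shell", "priv-lvl=1"]


def encode_author_reply(status, args, server_msg=b"", data=b""):
    """Build the cleartext body of an authorization REPLY:
    status(1) arg_cnt(1) server_msg_len(2) data_len(2) arg_len[arg_cnt](1 each)
    server_msg data arg_1 ... arg_N.
    On the wire this body follows the 12-byte TACACS+ header and is obfuscated
    with the shared key (RFC 8907 section 4.5); both are left out here."""
    arg_bytes = [a.encode("ascii") for a in args]
    if len(arg_bytes) > 255 or any(len(a) > 255 for a in arg_bytes):
        raise ValueError("arg_cnt and each arg length are single-byte fields")
    if len(server_msg) > 0xFFFF or len(data) > 0xFFFF:
        raise ValueError("server_msg and data lengths are two-byte fields")
    header = struct.pack("!BBHH", status, len(arg_bytes), len(server_msg), len(data))
    arg_lens = bytes(len(a) for a in arg_bytes)
    return header + arg_lens + server_msg + data + b"".join(arg_bytes)


def decode_author_reply(body):
    """Parse a cleartext authorization REPLY body into (status, args, server_msg, data).
    The length fields are checked against the buffer so a truncated or padded body
    is rejected instead of silently producing a wrong attribute list."""
    if len(body) < 6:
        raise ValueError("body shorter than the fixed header")
    status, arg_cnt, msg_len, data_len = struct.unpack("!BBHH", body[:6])
    off = 6
    arg_lens = list(body[off:off + arg_cnt])
    if len(arg_lens) != arg_cnt:
        raise ValueError("truncated arg length table")
    off += arg_cnt
    if off + msg_len + data_len + sum(arg_lens) != len(body):
        raise ValueError("length fields do not match body size")
    server_msg = body[off:off + msg_len]
    off += msg_len
    data = body[off:off + data_len]
    off += data_len
    args = []
    for n in arg_lens:
        args.append(body[off:off + n].decode("ascii"))
        off += n
    return status, args, server_msg, data


def granted_privilege_level(body):
    """Return the privilege level a device should grant for this reply, or None when
    it must fall back to deny: FAIL status, no mandatory priv-lvl, or a bad value.
    Only "priv-lvl=" (mandatory) counts; "priv-lvl*" (optional) is ignored."""
    status, args, _, _ = decode_author_reply(body)
    if status not in (AUTHOR_STATUS_PASS_ADD, AUTHOR_STATUS_PASS_REPL):
        return None
    for arg in args:
        if arg.startswith("priv-lvl="):
            try:
                level = int(arg[len("priv-lvl="):])
            except ValueError:
                return None
            return level if 0 <= level <= 15 else None
    return None


if __name__ == "__main__":
    for name, profile in (("admin", ADMIN_PROFILE_ARGS), ("monitoring", MONITORING_PROFILE_ARGS)):
        reply = encode_author_reply(AUTHOR_STATUS_PASS_ADD, profile)
        print(name, reply.hex(), "->", granted_privilege_level(reply))
    denied = encode_author_reply(AUTHOR_STATUS_FAIL, [], server_msg=b"no matching role")
    print("denied ->", granted_privilege_level(denied))
```

Running it prints the admin body as `01020000000000d0b...` (status 1, two args, lengths 13 and 11, then the two attribute strings) and resolves it to level 15, the monitoring body to level 1, and the FAIL body to None. If you are troubleshooting the "CISCO vs CISCO-ASA" vendor choice from the post, a capture of the decrypted reply body laid out this way is the quickest way to see whether the device actually received `priv-lvl=15` or something it ignored.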