PIX – ASDM Read Only Account

When trying to create a Read only account (Priv Level 5), and logging into the ASDM using your readonly account you receive the following error,

you do not have sufficient privileges to execute commands required to load asdm

Solution

This is due to the privilege levels not being configured correctly. The following will give you the following 2 accounts,

Monitor-Only - Privilege level 3
Read-Only - Privilege level 5

1. Set your AAA settings (be careful adjusting the AAA settings already in place as this could lock you out of the firewall !), and also remember that if you set the AAA authorization command this will enforce all privilege levels.

aaa authentication ssh console LOCAL
 aaa authorization command LOCAL

2. Set your privilege level settings,

privilege cmd level 3 mode exec command perfmon
 privilege cmd level 3 mode exec command ping
 privilege cmd level 3 mode exec command who
 privilege cmd level 3 mode exec command logging
 privilege cmd level 3 mode exec command failover
 privilege cmd level 3 mode exec command packet-tracer
 privilege show level 3 mode exec command reload
 privilege show level 3 mode exec command mode
 privilege show level 3 mode exec command firewall
 privilege show level 3 mode exec command cpu
 privilege show level 3 mode exec command interface
 privilege show level 3 mode exec command clock
 privilege show level 3 mode exec command dns-hosts
 privilege show level 3 mode exec command access-list
 privilege show level 3 mode exec command logging
 privilege show level 3 mode exec command vlan
 privilege show level 3 mode exec command ip
 privilege show level 3 mode exec command failover
 privilege show level 3 mode exec command arp
 privilege show level 3 mode exec command route
 privilege show level 3 mode exec command ospf
 privilege show level 3 mode exec command aaa-server
 privilege show level 3 mode exec command aaa
 privilege show level 3 mode exec command eigrp
 privilege show level 3 mode exec command crypto
 privilege show level 3 mode exec command vpn-sessiondb
 privilege show level 3 mode exec command ssh
 privilege show level 3 mode exec command dhcpd
 privilege show level 3 mode exec command vpn
 privilege show level 3 mode exec command blocks
 privilege show level 3 mode exec command wccp
 privilege show level 3 mode exec command uauth
 privilege show level 3 mode configure command interface
 privilege show level 3 mode configure command clock
 privilege show level 3 mode configure command access-list
 privilege show level 3 mode configure command logging
 privilege show level 3 mode configure command ip
 privilege show level 3 mode configure command failover
 privilege show level 3 mode configure command arp
 privilege show level 3 mode configure command route
 privilege show level 3 mode configure command aaa-server
 privilege show level 3 mode configure command aaa
 privilege show level 3 mode configure command crypto
 privilege show level 3 mode configure command ssh
 privilege show level 3 mode configure command dhcpd
 privilege clear level 3 mode exec command dns-hosts
 privilege clear level 3 mode exec command logging
 privilege clear level 3 mode exec command arp
 privilege clear level 3 mode exec command aaa-server
 privilege clear level 3 mode exec command crypto
 privilege cmd level 3 mode configure command failover
 privilege clear level 3 mode configure command logging
 privilege clear level 3 mode configure command arp
 privilege clear level 3 mode configure command crypto
 privilege clear level 3 mode configure command aaa-server

 privilege show level 5 mode exec command running-config
 privilege show level 5 mode configure command privilege
 privilege cmd level 5 mode route-map command set
 privilege cmd level 5 mode mpf-policy-map-class command set

3. Configure your accounts,

username fullaccess password abc123 privilege 15
 username readonly password abc123 privilege 5
 username monitor password abc123 privilege 3

Additional Notes

By default the ASDM will only honor 3 different levels, priv 3(read only), priv 5(monitor), priv15(admin).
For WebVPN configuration like bookmarks, smart-tunnels or portal customization, the ASDM loads the xml file and that functionality is pre-defined for privilege 15 users and it’s something we cannot change. We would need to use a privilege 15 for this changes.

• Author
• Recent Posts

Rick Donato

Rick Donato is a Network Automation Architect/Evangelist and the founder of Packet Coders.

Latest posts by Rick Donato (see all)

• How to Configure a BIND Server on Ubuntu - March 15, 2018
• What is a BGP Confederation? - March 6, 2018
• Cisco – What is BGP ORF (Outbound Route Filtering)? - March 5, 2018

Want to become an IT Security expert?

Here is our hand-picked selection of the best courses you can find online:
Internet Security Deep Dive course
Complete Cyber Security Course – Hackers Exposed
CompTIA Security+ (SY0-601) Certification Complete course
and our recommended certification practice exams:
AlphaPrep Practice Tests - Free Trial