I am setting up our new ASAs at Stack Exchange and am trying to follow some best practices like using configuration management and minimum-permissions-necessary users. What I'm trying to do is utilize the https server to download the running config. If you were unaware, when https is enabled and you have sufficient privileges, you can go to https://asa-ip/config to download the current running config.
There are two problems I am trying to solve:
I have set up LDAP access for the ASA so that we can use our Active Directory to auth to the ASA. It works via ssh, but http still seems to use the LOCAL database, and I'm unaware of the command to cause the http server to look up from the LDAP source.
Which aaa commands are necessary to authorize a lower-privilege user the ability to download the config in this manner? Is this even possible or am I stuck making a priv 15 user?
Your AAA command is
aaa authentication http console [your LDAP server group]
As far as the privilege level for that URL, it should just use the
show run
authorization level, which you can change with
privilege show level 1 mode exec command running-config
but you might try turning on
debug aaa authorization
if that doesn't work. By default only a few commands are set to level 0 and the rest are level 15.
Remember that privilege levels 2+ are enable-mode privileges and that you may need to put your user at level 2 or higher in order to get the HTTPS server to allow them to log in.
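Putting the pieces of this answer together, the following is an added ASA configuration fragment; it is not from the question or the answer. The server-group name AD-LDAP, the addresses, the DNs, the interface name and the fallback username are assumed placeholders. How an LDAP-authenticated user's privilege level is derived is not covered by the answer, so a local fallback account at level 2 is included to show the level the answer recommends.

```text
! Added example, not from the question or answer. Names, addresses and
! DNs (AD-LDAP, 192.0.2.x, example.com, cfgpull) are placeholders.

! 1. LDAP server group that the HTTP console will consult.
aaa-server AD-LDAP protocol ldap
aaa-server AD-LDAP (inside) host 192.0.2.10
 ldap-base-dn DC=example,DC=com
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-dn CN=asa-bind,OU=Service Accounts,DC=example,DC=com
 ldap-login-password <bind-password>
 server-type microsoft

! 2. Authenticate HTTPS (ASDM and https://asa-ip/config) against LDAP,
!    falling back to the LOCAL database only when no LDAP server answers.
aaa authentication http console AD-LDAP LOCAL

! 3. Lower "show running-config" from the default level 15 so that a
!    non-15 user can be authorized to run it; level 2 keeps it an
!    enable-mode command, as recommended above.
privilege show level 2 mode exec command running-config

! 4. Per-command privilege levels are only enforced once command
!    authorization is turned on.
aaa authorization command LOCAL

! 5. Fallback account at level 2, used only if LDAP is unreachable.
username cfgpull password <local-password> privilege 2

! 6. Expose the HTTPS server to the management subnet only.
http server enable
http 192.0.2.0 255.255.255.0 inside
```

With this in place, a user whose level resolves to 2 or higher should be able to log in over HTTPS and fetch https://asa-ip/config; if the download is still refused, the debug command from the answer shows which authorization check rejects the request.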
FWIW I tested this on my ASA with 8.2 code and was unable to get this to work with a user under level 15 even with
show run
set to privilege level 2. I usually see configuration management accomplished with a command-line solution like RANCID.