You are the administrator of a Cisco ASA 9.0 firewall and have been tasked with ensuring that the
Firewall Admins Active Directory group has full access to the ASA configuration. The Firewall
Operators Active Directory group should have a more limited level of access.
Which statement describes how to set these access levels?
A. Use Cisco Directory Agent to configure the Firewall Admins group to have privilege level 15
access. Also configure the Firewall Operators group to have privilege level 6 access.
B. Use TACACS+ for Authentication and Authorization into the Cisco ASA CLI, with ACS as the
AAA server. Configure ACS CLI command authorization sets for the Firewall Operators group.
Configure level 15 access to be assigned to members of the Firewall Admins group.
C. Use RADIUS for Authentication and Authorization into the Cisco ASA CLI, with ACS as the
AAA server. Configure ACS CLI command authorization sets for the Firewall Operators group.
Configure level 15 access to be assigned to members of the Firewall Admins group.
D. Active Directory Group membership cannot be used as a determining factor for accessing the
Cisco ASA CLI.
I think the answer could be A. The CDA can link with the AD and should be able to allocate the privilege as needed. I would appreciate some feedback on this one.
I think the CDA cannot give Authorization, only Authentication, and the question here is asking for Authorization, which leaves us with B.
Answer is correct:
https://www.cisco.com/c/en/us/td/docs/security/asa/asa90/configuration/guide/asa_90_cli_config/aaa_idfw.html
and
https://www.cisco.com/c/en/us/td/docs/security/asa/asa91/configuration/general/asa_91_general_config/aaa_tacacs.html