Re: OT:PIX read only user addition

From: Mohamed.N (mohamed_n@sifycorp.com)
Date: Mon Sep 19 2005 - 09:35:44 GMT-3


Hi John,
I already tried with that page,
I am not getting the desired results.
If I configure a user in level 2, most of the commands are accessible. Even a
level 2 user can delete other users in a higher level.
This is not exactly what I want.
I want the user to see the output of only 2 commands.
The user should not be able to go to configure mode, should not be able to save
the configs etc.

In a router, we can type "enable 2", but in PIX it is not accepting it; it says
once an AAA server is configured, we can't use enable 2!!!

Regards
Mohamed
----- Original Message -----
From: "john matijevic" <john.matijevic@gmail.com>
To: "Mohamed.N" <mohamed_n@sifycorp.com>
Cc: <ccielab@groupstudy.com>
Sent: Monday, September 19, 2005 4:06 PM
Subject: Re: OT:PIX read only user addition

> Hello Mohamed,
> I gather the following information off of Cisco web site:
> Understanding Privilege Settings
>
> Most commands in the PIX are at level 15, although a few are at level 0. To
> show current settings for all commands, issue the following command.
>
> *show privilege all*
>
> Most commands are at level 15 by default, as shown in the following example.
>
> *privilege configure level 15 command route*
>
> A few are at level 0, as shown in the following example.
>
> *privilege show level 0 command curpriv*
>
> The following examples address the *clock* command. To determine the current
> settings for the *clock* command, issue the following command.
>
> *show privilege command clock*
>
> The output of the *show privilege command clock* command shows us the *clock*
> command exists in the following three forms.
>
> !--- Users at level 15 can issue the show clock command.
> privilege show level 15 command clock
> !--- Users at level 15 can issue the clear clock command.
> privilege clear level 15 command clock
> !--- Users at level 15 can configure the clock
> !--- (for example, clock set 12:00:00 Jan 01 2001).
> privilege configure level 15 command clock
>
> see the following link for additional details:
>
>
> http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a00800949d6.shtml
> Sincerely,
> John
>
>
> On 9/19/05, Mohamed.N <mohamed_n@sifycorp.com> wrote:
> >
> > Hi All,
> > Sorry for OT. But I spent a lot of time on this.
> > I want to add a user in PIX who can do only these 2 commands:
> > show crypto isakmp sa
> > show interface
> > This user should not save the config, go to config mode or be able to do
> > any config changes.
> >
> > I tried searching many pages.
> > I tried using these commands
> >
> > enable password XXXX level 2
> > username user pass XXXX priv 2
> > privilege show level 2 command crypto
> > privilege show level 2 command interface
> >
> > But there is no restriction. If I choose level 1 or 0, I am unable to go to
> > enable mode at all, so I can't use the commands show crypto.
> >
> > Also I want to know what is the difference between level 1, level 2 and so
> > on, and what significance it has in controlling the access to PIX?
> >
> >
> > Regards
> > N Mohamed
> > Senior Network Engineer
> > Technology-MIITS
> > Sify Ltd
> > Phone : +91-44-22540777 extn: 2082
> > Mobile : +91-98401-27734
> > Email : mohamed_n@sifycorp.com
> >
> > _______________________________________________________________________
> > Subscription information may be found at:
> > http://www.groupstudy.com/list/CCIELab.html
> >
>
>
>
> --
> John Matijevic, CCIE #13254
> U.S. Installation Group
> Senior Network Engineer
> 954-969-7160 ext. 1147 (office)
> 305-321-6232 (cell)
>
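Added example, not part of this thread or of Cisco's documentation: a small Python audit script that parses lines in the "privilege <mode> level <n> command <cmd>" form John quoted above, lists which command forms a user at a given privilege level can reach (a command at level n is available to users at level n or higher), and flags anything reachable that is outside an intended allowlist, here the two show commands Mohamed wants. The sample output is constructed to match the format shown in the thread, not captured from a real PIX; to audit a real box, paste in the actual output of "show privilege all".

```python
import re
from collections import defaultdict

# Constructed sample in the "privilege <mode> level <n> command <cmd>" format
# that the thread shows for "show privilege command clock". Not real PIX output.
SAMPLE_PRIVILEGE_OUTPUT = """\
privilege show level 15 command clock
privilege clear level 15 command clock
privilege configure level 15 command clock
privilege show level 0 command curpriv
privilege configure level 15 command route
privilege show level 2 command crypto
privilege show level 2 command interface
privilege configure level 15 command username
privilege clear level 15 command configure
"""

# One line per command form: mode (show/clear/configure), level, command word.
LINE_RE = re.compile(
    r"^privilege\s+(?P<mode>\S+)\s+level\s+(?P<level>\d+)\s+command\s+(?P<cmd>.+?)\s*$",
    re.IGNORECASE,
)


def parse_privileges(text):
    """Return a list of (mode, level, command) tuples from privilege output.

    Lines that do not match the expected form (banners, prompts) are skipped.
    """
    entries = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            entries.append((m.group("mode").lower(), int(m.group("level")), m.group("cmd")))
    return entries


def commands_reachable(entries, user_level):
    """Map mode -> sorted command words a user at user_level can run.

    A command form set to level n is reachable by any user whose privilege
    level is n or higher, so a level-2 user also gets every level-0 command.
    """
    reach = defaultdict(set)
    for mode, level, cmd in entries:
        if level <= user_level:
            reach[mode].add(cmd)
    return {mode: sorted(cmds) for mode, cmds in reach.items()}


def excess_over_allowlist(entries, user_level, allowlist):
    """Return sorted (mode, command) pairs reachable at user_level but not allowed.

    allowlist is an iterable of (mode, command) pairs the restricted user is
    supposed to have; anything else reachable at that level is reported.
    """
    allowed = set(allowlist)
    return sorted(
        (mode, cmd)
        for mode, level, cmd in entries
        if level <= user_level and (mode, cmd) not in allowed
    )


if __name__ == "__main__":
    parsed = parse_privileges(SAMPLE_PRIVILEGE_OUTPUT)
    wanted = [("show", "crypto"), ("show", "interface")]
    for lvl in (0, 2, 15):
        print(f"level {lvl} reaches: {commands_reachable(parsed, lvl)}")
        print(f"level {lvl} excess over allowlist: {excess_over_allowlist(parsed, lvl, wanted)}")
```

Running it against real "show privilege all" output shows at a glance why a level-2 account can be far wider than two commands: every form left at a level at or below 2 is reachable, not just the ones explicitly moved down.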



This archive was generated by hypermail 2.1.4 : Sun Oct 02 2005 - 14:40:15 GMT-3