Re: OT:PIX read only user addition

From: john matijevic (john.matijevic@gmail.com)
Date: Mon Sep 19 2005 - 10:47:20 GMT-3


Hello Mohamed,
Here is the output that I get from doing the show privilege command:
Try using the level 0.
Sincerely,
John

test# sh priv all
privilege show level 15 command aaa
privilege clear level 15 command aaa
privilege configure level 15 command aaa
privilege show level 15 command aaa-server
privilege clear level 15 command aaa-server
privilege configure level 15 command aaa-server
privilege show level 15 command access-group
privilege clear level 15 command access-group
privilege configure level 15 command access-group
privilege show level 15 command access-list
privilege clear level 15 command access-list
privilege configure level 15 command access-list
privilege show level 15 command activation-key
privilege configure level 15 command activation-key
privilege show level 15 command age
privilege configure level 15 command age
privilege show level 15 command alias
privilege clear level 15 command alias
privilege configure level 15 command alias
privilege show level 15 command apply
privilege clear level 15 command apply
privilege configure level 15 command apply
privilege configure level 15 command area
privilege show level 15 command arp
privilege clear level 15 command arp
privilege configure level 15 command arp
privilege show level 15 command auth-prompt
privilege clear level 15 command auth-prompt
privilege configure level 15 command auth-prompt
privilege show level 15 command auto-update
privilege clear level 15 command auto-update
privilege configure level 15 command auto-update
privilege show level 15 command banner
privilege clear level 15 command banner
privilege configure level 15 command banner
privilege show level 15 command blocks
privilege clear level 15 command blocks
privilege show level 15 command ca
privilege clear level 15 command ca
privilege configure level 15 command ca
privilege show level 15 command capture
privilege clear level 15 command capture
privilege configure level 15 command capture
privilege show level 0 command checksum
privilege show level 15 command chunkstat
privilege show level 15 command clock
privilege clear level 15 command clock
privilege configure level 15 command clock
privilege configure level 15 command compatible
privilege show level 15 command conduit
privilege clear level 15 command conduit
privilege configure level 15 command conduit
privilege show level 15 mode configure command configure
privilege clear level 15 mode configure command configure
privilege configure level 15 mode configure command configure
privilege configure level 15 mode enable command configure
privilege show level 15 command conn
privilege configure level 15 command copy
privilege show level 15 command console
privilege clear level 15 command console
privilege configure level 15 command console
privilege show level 15 command cpu
privilege show level 15 command Crashinfo
privilege clear level 15 command Crashinfo
privilege configure level 15 command Crashinfo
privilege show level 15 command crypto
privilege clear level 15 command crypto
privilege configure level 15 command crypto
privilege show level 15 command ctiqbe
privilege show level 0 command curpriv
privilege show level 15 command debug
privilege configure level 15 command debug
privilege configure level 15 command default-information
privilege configure level 15 command distance
privilege show level 15 command dhcpd
privilege clear level 15 command dhcpd
privilege configure level 15 command dhcpd
privilege show level 15 command dhcprelay
privilege clear level 15 command dhcprelay
privilege configure level 15 command dhcprelay
privilege configure level 15 command disable
privilege show level 15 command domain-name
privilege configure level 15 command domain-name
privilege configure level 15 command description
privilege show level 15 command dynamic-map
privilege clear level 15 command dynamic-map
privilege configure level 15 command dynamic-map
privilege show level 15 command eeprom
privilege configure level 15 command eeprom
privilege configure level 0 mode enable command enable
privilege show level 15 mode configure command enable
privilege configure level 15 mode configure command enable
privilege show level 15 command established
privilege clear level 15 command established
privilege configure level 15 command established
privilege show level 15 command failover
privilege clear level 15 command failover
privilege configure level 15 command failover
privilege show level 15 command filter
privilege clear level 15 command filter
privilege configure level 15 command filter
privilege show level 15 command fixup
privilege clear level 15 command fixup
privilege configure level 15 command fixup
privilege show level 15 command flashfs
privilege clear level 15 command flashfs
privilege configure level 15 command flashfs
privilege show level 15 command fragment
privilege clear level 15 command fragment
privilege configure level 15 command fragment
privilege show level 15 command global
privilege clear level 15 command global
privilege configure level 15 command global
privilege show level 15 command h225
privilege show level 15 command h245
privilege show level 15 command h323-ras
privilege configure level 0 command help
privilege show level 0 command history
privilege configure level 15 command hostname
privilege show level 15 command http
privilege clear level 15 command http
privilege configure level 15 command http
privilege show level 15 command icmp
privilege clear level 15 command icmp
privilege configure level 15 command icmp
privilege configure level 15 command icmp-object
privilege show level 15 command interface
privilege clear level 15 command interface
privilege configure level 15 command interface
privilege configure level 15 mode configure command igmp
privilege show level 15 mode configure command igmp
privilege clear level 15 mode configure command igmp
privilege configure level 15 command ignore
privilege show level 15 command ip
privilege clear level 15 command ip
privilege configure level 15 command ip
privilege show level 15 command ipsec
privilege clear level 15 command ipsec
privilege configure level 15 command ipsec
privilege show level 15 command isakmp
privilege clear level 15 command isakmp
privilege configure level 15 command isakmp
privilege configure level 15 command kill
privilege show level 15 command local-host
privilege clear level 15 command local-host
privilege configure level 15 command log-adj-changes
privilege configure level 0 command login
privilege configure level 0 command logout
privilege show level 15 mode configure command logging
privilege clear level 15 mode configure command logging
privilege configure level 15 mode configure command logging
privilege clear level 15 mode enable command logging
privilege configure level 15 mode enable command logging
privilege show level 15 command mac-list
privilege clear level 15 command mac-list
privilege configure level 15 command mac-list
privilege show level 15 command map
privilege clear level 15 command map
privilege configure level 15 command map
privilege configure level 15 command match
privilege show level 15 command memory
privilege configure level 15 command memory
privilege show level 15 command mgcp
privilege clear level 15 command mgcp
privilege configure level 15 command mgcp
privilege show level 15 command management-access
privilege clear level 15 command management-access
privilege configure level 15 command management-access
privilege show level 15 command mroute
privilege clear level 15 command mroute
privilege configure level 15 command mroute
privilege show level 15 command mtu
privilege configure level 15 command mtu
privilege show level 15 command multicast
privilege clear level 15 command multicast
privilege configure level 15 command multicast
privilege show level 15 command name
privilege clear level 15 command name
privilege configure level 15 command name
privilege show level 15 command nameif
privilege clear level 15 command nameif
privilege configure level 15 command nameif
privilege show level 15 command names
privilege clear level 15 command names
privilege configure level 15 command names
privilege show level 15 command nat
privilege clear level 15 command nat
privilege configure level 15 command nat
privilege configure level 15 command network-object
privilege configure level 15 command network
privilege show level 15 command ntp
privilege clear level 15 command ntp
privilege configure level 15 command ntp
privilege show level 15 command object-group
privilege clear level 15 command object-group
privilege configure level 15 command object-group
privilege show level 15 mode configure command ospf
privilege clear level 15 mode configure command ospf
privilege configure level 15 mode configure command ospf
privilege show level 15 command outbound
privilege clear level 15 command outbound
privilege configure level 15 command outbound
privilege show level 0 command pager
privilege clear level 0 command pager
privilege configure level 0 command pager
privilege show level 15 command passwd
privilege clear level 15 command passwd
privilege configure level 15 command passwd
privilege show level 15 command pdm
privilege clear level 15 command pdm
privilege configure level 15 command pdm
privilege configure level 15 command ping
privilege show level 15 command prefix-list
privilege clear level 15 command prefix-list
privilege configure level 15 command prefix-list
privilege show level 15 command privilege
privilege clear level 15 command privilege
privilege configure level 15 command privilege
privilege show level 15 command processes
privilege configure level 15 command protocol-object
privilege configure level 0 command quit
privilege configure level 15 command redistribute
privilege configure level 15 command reload
privilege show level 15 command rip
privilege clear level 15 command rip
privilege configure level 15 command rip
privilege show level 15 command route
privilege clear level 15 command route
privilege configure level 15 command route
privilege show level 15 command route-map
privilege clear level 15 command route-map
privilege configure level 15 command route-map
privilege show level 15 command router
privilege configure level 15 command router
privilege configure level 15 command router-id
privilege show level 15 command routing
privilege configure level 15 command routing
privilege show level 15 command running-config
privilege show level 15 command service
privilege clear level 15 command service
privilege configure level 15 command service
privilege configure level 15 command set
privilege configure level 15 command setup
privilege configure level 15 command group-object
privilege show level 15 command shun
privilege clear level 15 command shun
privilege configure level 15 command shun
privilege show level 15 command sip
privilege configure level 15 command sip
privilege show level 15 command skinny
privilege show level 15 command snmp-server
privilege clear level 15 command snmp-server
privilege configure level 15 command snmp-server
privilege show level 15 command snmp
privilege clear level 15 command snmp
privilege configure level 15 command snmp
privilege show level 15 command ssh
privilege clear level 15 command ssh
privilege configure level 15 command ssh
privilege show level 15 command startup-config
privilege show level 15 command static
privilege clear level 15 command static
privilege configure level 15 command static
privilege configure level 15 command summary-address
privilege configure level 15 command port-object
privilege show level 15 command sysopt
privilege clear level 15 command sysopt
privilege configure level 15 command sysopt
privilege show level 15 command tcpstat
privilege show level 15 command tech-support
privilege show level 15 command telnet
privilege clear level 15 command telnet
privilege configure level 15 command telnet
privilege show level 15 command terminal
privilege clear level 15 command terminal
privilege configure level 15 command terminal
privilege show level 15 command tftp-server
privilege clear level 15 command tftp-server
privilege configure level 15 command tftp-server
privilege show level 15 command timeout
privilege clear level 15 command timeout
privilege configure level 15 command timeout
privilege configure level 15 command timers
privilege show level 15 command traffic
privilege clear level 15 command traffic
privilege show level 15 command uauth
privilege clear level 15 command uauth
privilege show level 15 command url-cache
privilege clear level 15 command url-cache
privilege configure level 15 command url-cache
privilege show level 15 command url-block
privilege clear level 15 command url-block
privilege configure level 15 command url-block
privilege show level 15 command url-server
privilege clear level 15 command url-server
privilege configure level 15 command url-server
privilege show level 15 command username
privilege clear level 15 command username
privilege configure level 15 command username
privilege show level 0 command version
privilege show level 15 command virtual
privilege clear level 15 command virtual
privilege configure level 15 command virtual
privilege show level 15 command vpdn
privilege clear level 15 command vpdn
privilege configure level 15 command vpdn
privilege show level 15 command vpnclient
privilege clear level 15 command vpnclient
privilege configure level 15 command vpnclient
privilege show level 15 command vpngroup
privilege clear level 15 command vpngroup
privilege configure level 15 command vpngroup
privilege show level 15 command who
privilege configure level 15 command who
privilege configure level 15 command write
privilege show level 15 command xlate
privilege clear level 15 command xlate
test#
On 9/19/05, Mohamed.N <mohamed_n@sifycorp.com> wrote:
>
> Hi John,
> I already tried with that page,
> I am not getting the desired results.
> If I configure a user in level 2, most of the commands are accessible. Even a
> level 2 user can delete other users in a higher level.
> This is not exactly what I want.
> I want the user to see the output of only 2 commands.
> The user should not be able to go to configure mode, should not be able to save
> the configs etc.
>
> In a router, we can type "enable 2", but in PIX it is not accepting; it says
> once an AAA server is configured, we can't use enable 2!!!
>
> Regards
> Mohamed
> ----- Original Message -----
> From: "john matijevic" <john.matijevic@gmail.com>
> To: "Mohamed.N" <mohamed_n@sifycorp.com>
> Cc: <ccielab@groupstudy.com>
> Sent: Monday, September 19, 2005 4:06 PM
> Subject: Re: OT:PIX read only user addition
>
>
> > Hello Mohamed,
> > I gather the following information off of Cisco web site:
> > Understanding Privilege Settings
> >
> > Most commands in the PIX are at level 15, although a few are at level 0. To
> > show current settings for all commands, issue the following command.
> >
> > *show privilege all*
> >
> > Most commands are at level 15 by default, as shown in the following example.
> >
> > *privilege configure level 15 command route*
> >
> > A few are at level 0, as shown in the following example.
> >
> > *privilege show level 0 command curpriv*
> >
> > The following examples address the *clock* command. To determine the current
> > settings for the *clock* command, issue the following command.
> >
> > *show privilege command clock*
> >
> > The output of the *show privilege command clock* command shows us the *clock*
> > command exists in the following three forms.
> >
> > !--- Users at level 15 can issue the show clock command.
> > privilege show level 15 command clock
> > !--- Users at level 15 can issue the clear clock command.
> > privilege clear level 15 command clock
> > !--- Users at level 15 can configure the clock
> > !--- (for example, clock set 12:00:00 Jan 01 2001).
> > privilege configure level 15 command clock
> >
> > See the following link for additional details:
> >
> > http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a00800949d6.shtml
> > Sincerely,
> > John
> >
> >
> > On 9/19/05, Mohamed.N <mohamed_n@sifycorp.com> wrote:
> > >
> > > Hi All,
> > > Sorry for OT. But I spent a lot of time on this.
> > > I want to add a user in PIX who can do only these 2 commands:
> > > show crypto isakmp sa
> > > show interface
> > > This user should not save the config, go to config mode or be able to do any
> > > config changes.
> > >
> > > I tried searching many pages.
> > > I tried using these commands
> > >
> > > enable password XXXX level 2
> > > username user pass XXXX priv 2
> > > privilege show level 2 command crypto
> > > privilege show level 2 command interface
> > >
> > > But there is no restriction. If I choose level 1 or 0, I am unable to go to
> > > enable mode at all, so I can't use the commands show crypto
> > >
> > > Also I want to know what is the difference between level 1, level 2 and so
> > > on, and what significance it has in controlling the access to PIX?
> > >
> > >
> > > Regards
> > > N Mohamed
> > > Senior Network Engineer
> > > Technology-MIITS
> > > Sify Ltd
> > > Phone : +91-44-22540777 extn: 2082
> > > Mobile : +91-98401-27734
> > > Email : mohamed_n@sifycorp.com
> > >
> _______________________________________________________________________
> > > Subscription information may be found at:
> > > http://www.groupstudy.com/list/CCIELab.html
> > >
> >
> >
> >
> > --
> > John Matijevic, CCIE #13254
> > U.S. Installation Group
> > Senior Network Engineer
> > 954-969-7160 ext. 1147 (office)
> > 305-321-6232 (cell)
> >
>

--
John Matijevic, CCIE #13254
U.S. Installation Group
Senior Network Engineer
954-969-7160 ext. 1147 (office)
305-321-6232 (cell)
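As an added example, not part of the thread, here is a small Python audit helper for the problem discussed above: it parses rows in the `sh priv all` format quoted in this message and lists what a user at a given privilege level can run beyond an intended read-only allow-list. It assumes the PIX rule that a user at level N may run any command whose configured level is N or lower; the input is a constructed excerpt of the rows above plus Mohamed's two `privilege show level 2` rows.

```python
"""Audit a PIX 'show privilege all' table: which rows can a user at a given level
run, and does that go beyond a read-only allow-list?  Added example, not from the
thread.  Row format follows the output quoted above:
  privilege <show|clear|configure> level <N> [mode <mode>] command <cmd>"""
import re
from typing import NamedTuple

LINE_RE = re.compile(
    r"^privilege\s+(?P<verb>show|clear|configure)\s+level\s+(?P<level>\d+)"
    r"(?:\s+mode\s+(?P<mode>\S+))?\s+command\s+(?P<cmd>\S+)\s*$"
)

class Priv(NamedTuple):
    verb: str
    level: int
    mode: str   # 'enable', 'configure', or '' when the row names no mode
    cmd: str

def parse_privileges(text):
    """One Priv per well-formed row; prompts, blanks and noise are skipped."""
    privs = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            privs.append(Priv(m["verb"], int(m["level"]), m["mode"] or "", m["cmd"]))
    return privs

def commands_at_level(privs, level):
    """Assumed PIX rule: a user at `level` may run any row at that level or lower."""
    return sorted(p for p in privs if p.level <= level)

def excess_privileges(privs, level, allowed_show):
    """Rows a level-`level` user can run that are not a plain 'show' of an allowed
    command, i.e. everything a strictly read-only user would not be expected to have."""
    return [p for p in commands_at_level(privs, level)
            if not (p.verb == "show" and p.cmd in allowed_show)]

# Constructed excerpt: default level-0/15 rows from the thread plus the two level-2 rows.
SAMPLE = """\
test# sh priv all
privilege show level 0 command checksum
privilege show level 0 command curpriv
privilege configure level 0 mode enable command enable
privilege configure level 15 mode configure command enable
privilege configure level 0 command login
privilege configure level 0 command logout
privilege show level 0 command pager
privilege configure level 0 command pager
privilege show level 15 command username
privilege show level 0 command version
privilege configure level 15 command write
privilege show level 2 command crypto
privilege show level 2 command interface
test#
"""

if __name__ == "__main__":
    for p in excess_privileges(parse_privileges(SAMPLE), 2, {"crypto", "interface"}):
        print("level-2 user can also run:", p.verb, p.cmd, p.mode)
```

Run against the full table pasted above, the report shows exactly which level-0 rows (enable, login, pager and so on) a restricted user inherits in addition to the two intended show commands.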


This archive was generated by hypermail 2.1.4 : Sun Oct 02 2005 - 14:40:15 GMT-3