From: Todd Veillette (tveillette@myeastern.com)
Date: Mon Sep 19 2005 - 23:34:29 GMT-3
Do you have Tacacs+ or are you doing this all locally? You need to have
authorization set up for the 15 and the 2 users.
-TV
----- Original Message -----
From: "Mohamed.N" <mohamed_n@sifycorp.com>
To: <ccielab@groupstudy.com>
Sent: Monday, September 19, 2005 8:35 AM
Subject: Re: OT:PIX read only user addition
> Hi John,
> I already tried with that page,
> I am not getting the desired results.
> If I configure a user in level 2, most of the commands are accessible. Even a
> level 2 user can delete other users in a higher level.
> This is not exactly what I want.
> I want the user to see the output of only 2 commands.
> The user should not be able to go to configure mode, should not be able to
> save the configs etc.
>
> In a router, we can type "enable 2", but in PIX it is not accepting; it says
> once an AAA server is configured, we can't use enable 2!!!
>
> Regards
> Mohamed
> ----- Original Message -----
> From: "john matijevic" <john.matijevic@gmail.com>
> To: "Mohamed.N" <mohamed_n@sifycorp.com>
> Cc: <ccielab@groupstudy.com>
> Sent: Monday, September 19, 2005 4:06 PM
> Subject: Re: OT:PIX read only user addition
>
>
>> Hello Mohamed,
>> I gather the following information off of Cisco web site:
>> Understanding Privilege Settings
>>
>> Most commands in the PIX are at level 15, although a few are at level 0. To
>> show current settings for all commands, issue the following command.
>>
>> *show privilege all*
>>
>> Most commands are at level 15 by default, as shown in the following example.
>>
>> *privilege configure level 15 command route*
>>
>> A few are at level 0, as shown in the following example.
>>
>> *privilege show level 0 command curpriv*
>>
>> The following examples address the *clock* command. To determine the current
>> settings for the *clock* command, issue the following command.
>>
>> *show privilege command clock*
>>
>> The output of the *show privilege command clock* command shows us the *clock*
>> command exists in the following three forms.
>>
>> !--- Users at level 15 can issue the show clock command.
>> privilege show level 15 command clock
>> !--- Users at level 15 can issue the clear clock command.
>> privilege clear level 15 command clock
>> !--- Users at level 15 can configure the clock
>> !--- (for example, clock set 12:00:00 Jan 01 2001).
>> privilege configure level 15 command clock
>>
>> See the following link for additional details:
>>
>> http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a00800949d6.shtml
>> Sincerely,
>> John
>>
>>
>> On 9/19/05, Mohamed.N <mohamed_n@sifycorp.com> wrote:
>> >
>> > Hi All,
>> > Sorry for the OT, but I spent a lot of time on this.
>> > I want to add a user in PIX who can run only these 2 commands:
>> > show crypto isakmp sa
>> > show interface
>> > This user should not save the config, go to config mode or be able to do
>> > any config changes.
>> >
>> > I tried searching many pages.
>> > I tried using these commands
>> >
>> > enable password XXXX level 2
>> > username user pass XXXX priv 2
>> > privilege show level 2 command crypto
>> > privilege show level 2 command interface
>> >
>> > But there is no restriction. If I choose level 1 or 0, I am unable to go to
>> > enable mode at all, so I can't use the commands show crypto
>> >
>> > Also I want to know what is the difference between level 1, level 2 and so
>> > on, and what significance it has in controlling the access to the PIX?
>> >
>> >
>> > Regards
>> > N Mohamed
>> > Senior Network Engineer
>> > Technology-MIITS
>> > Sify Ltd
>> > Phone : +91-44-22540777 extn: 2082
>> > Mobile : +91-98401-27734
>> > Email : mohamed_n@sifycorp.com
>> >
>> > _______________________________________________________________________
>> > Subscription information may be found at:
>> > http://www.groupstudy.com/list/CCIELab.html
>> >
>>
>>
>>
>> --
>> John Matijevic, CCIE #13254
>> U.S. Installation Group
>> Senior Network Engineer
>> 954-969-7160 ext. 1147 (office)
>> 305-321-6232 (cell)
>>
>
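As an added illustration of Todd's point (this is a constructed example, not from the thread or from Cisco documentation): the privilege-level-only setup from Mohamed's post beside the same setup with local authentication and command authorization turned on. It assumes PIX 6.3 syntax, the hypothetical usernames `ropsuser` and `admin`, and `XXXX` as placeholder passwords.

```text
! --- Constructed example. Setting privilege levels alone is not enough:
! --- without command authorization the PIX never checks them, so a
! --- level 2 user still reaches almost every command.
enable password XXXX level 2
username ropsuser password XXXX privilege 2
privilege show level 2 command crypto
privilege show level 2 command interface

! --- Corrected. Define a full-privilege user FIRST so that turning on
! --- authorization cannot lock the administrator out.
username admin password XXXX privilege 15

! --- "enable" now prompts for username/password against the local
! --- database and drops the user at the privilege level of the account
! --- (2 for ropsuser), which is why "enable 2" is no longer needed.
aaa authentication enable console LOCAL

! --- Every command is checked against the privilege table: the two
! --- "show" commands moved to level 2 above are allowed for ropsuser;
! --- configure mode, write, and everything else still at the default
! --- level 15 is refused.
aaa authorization command LOCAL

! --- Check from the restricted session: "show curpriv" (level 0, so
! --- always allowed) should report the current privilege level as 2.
```

Apply the authentication line before the authorization line, and test from a second session while an existing level 15 session stays open.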
This archive was generated by hypermail 2.1.4 : Sun Oct 02 2005 - 14:40:15 GMT-3