Re: OT:PIX read only user addition

From: Mohamed.N (mohamed_n@sifycorp.com)
Date: Tue Sep 20 2005 - 03:39:08 GMT-3


I am not using TACACS, I am doing it locally.
I have attached the configs, please help me.
I have removed the ACLs and some other unwanted commands for simplicity.

I have some 6 or 7 users, who are administrators. They will login using their
username and password, locally and not TACACS/RADIUS.

I want to create a user, who should be able to do only these commands:

show crypto isa sa
show interface

I don't want that user to go to config mode, to save the config or do any other
critical thing that could bring the firewall down.

Thanks a lot
Mohamed.

----- Original Message -----
From: "Todd Veillette" <tveillette@myeastern.com>
To: "Mohamed.N" <mohamed_n@sifycorp.com>; <ccielab@groupstudy.com>
Sent: Tuesday, September 20, 2005 8:04 AM
Subject: Re: OT:PIX read only user addition

> Do you have Tacacs+ or are you doing this all locally? You need to have
> authorization set up for the 15 and the 2 users.
>
> -TV
>
> ----- Original Message -----
> From: "Mohamed.N" <mohamed_n@sifycorp.com>
> To: <ccielab@groupstudy.com>
> Sent: Monday, September 19, 2005 8:35 AM
> Subject: Re: OT:PIX read only user addition
>
>
> > Hi John,
> > I already tried with that page,
> > I am not getting the desired results.
> > If I configure a user in level 2, most of the commands are accessible. Even a
> > level 2 user can delete other users in a higher level.
> > This is not exactly what I want.
> > I want the user to see the output of only 2 commands.
> > The user should not be able to go to configure mode, should not be able to
> > save the configs etc.
> >
> > In a router, we can type "enable 2", but in PIX it is not accepting; it
> > says once an AAA server is configured, we can't use enable 2!!!
> >
> > Regards
> > Mohamed
> > ----- Original Message -----
> > From: "john matijevic" <john.matijevic@gmail.com>
> > To: "Mohamed.N" <mohamed_n@sifycorp.com>
> > Cc: <ccielab@groupstudy.com>
> > Sent: Monday, September 19, 2005 4:06 PM
> > Subject: Re: OT:PIX read only user addition
> >
> >
> >> Hello Mohamed,
> >> I gathered the following information off of the Cisco web site:
> >> Understanding Privilege Settings
> >>
> >> Most commands in the PIX are at level 15, although a few are at level 0.
> >> To show current settings for all commands, issue the following command.
> >>
> >> show privilege all
> >>
> >> Most commands are at level 15 by default, as shown in the following
> >> example.
> >>
> >> privilege configure level 15 command route
> >>
> >> A few are at level 0, as shown in the following example.
> >>
> >> privilege show level 0 command curpriv
> >>
> >> The following examples address the clock command. To determine the
> >> current settings for the clock command, issue the following command.
> >>
> >> show privilege command clock
> >>
> >> The output of the show privilege command clock command shows us the
> >> clock command exists in the following three forms.
> >>
> >> !--- Users at level 15 can issue the show clock command.
> >> privilege show level 15 command clock
> >> !--- Users at level 15 can issue the clear clock command.
> >> privilege clear level 15 command clock
> >> !--- Users at level 15 can configure the clock
> >> !--- (for example, clock set 12:00:00 Jan 01 2001).
> >> privilege configure level 15 command clock
> >>
> >> See the following link for additional details:
> >>
> >> http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a00800949d6.shtml
> >> Sincerely,
> >> John
> >>
> >>
> >> On 9/19/05, Mohamed.N <mohamed_n@sifycorp.com> wrote:
> >> >
> >> > Hi All,
> >> > Sorry for OT. But I spent a lot of time on this.
> >> > I want to add a user in PIX who can do only these 2 commands:
> >> > show crypto isakmp sa
> >> > show interface
> >> > This user should not save the config, go to config mode or be able to do
> >> > any config changes.
> >> >
> >> > I tried searching many pages.
> >> > I tried using these commands
> >> >
> >> > enable password XXXX level 2
> >> > username user pass XXXX priv 2
> >> > privilege show level 2 command crypto
> >> > privilege show level 2 command interface
> >> >
> >> > But there is no restriction. If I choose level 1 or 0, I am unable to
> >> > go to enable mode at all, so I can't use the commands show crypto
> >> >
> >> > Also I want to know what is the difference between level 1, level 2 and
> >> > so on, and what significance it has in controlling the access to PIX?
> >> >
> >> >
> >> > Regards
> >> > N Mohamed
> >> > Senior Network Engineer
> >> > Technology-MIITS
> >> > Sify Ltd
> >> > Phone : +91-44-22540777 extn: 2082
> >> > Mobile : +91-98401-27734
> >> > Email : mohamed_n@sifycorp.com
> >> >
> >> >
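A small Python model of the privilege table John's excerpt describes, added here as an example (it is not code from any poster or from Cisco): it parses `username` and `privilege` lines from a constructed config, defaults unlisted commands to level 15 as the excerpt states, and answers whether a given user may run a given command form. It models only the table, not the authorization setup Todd says is also needed before the PIX enforces it.

```python
import re

# Constructed config fragment, modelled on the commands quoted in the thread.
SAMPLE_CONFIG = """\
username admin password XXXX privilege 15
username readonly password XXXX privilege 2
privilege show level 2 command crypto
privilege show level 2 command interface
privilege show level 15 command clock
privilege clear level 15 command clock
privilege configure level 15 command clock
privilege configure level 15 command username
"""

PRIV_RE = re.compile(r"^privilege\s+(show|clear|configure)\s+level\s+(\d+)\s+command\s+(\S+)$", re.I)
USER_RE = re.compile(r"^username\s+(\S+)\s+pass\w*\s+\S+\s+priv\w*\s+(\d+)$", re.I)
DEFAULT_LEVEL = 15  # per the Cisco excerpt: commands are level 15 unless set otherwise


def parse_config(text):
    """Return ({user: level}, {(mode, keyword): level}) from username/privilege lines."""
    users, privs = {}, {}
    for line in text.splitlines():
        line = line.strip()
        m = USER_RE.match(line)
        if m:
            users[m.group(1)] = int(m.group(2))
            continue
        m = PRIV_RE.match(line)
        if m:
            privs[(m.group(1).lower(), m.group(3).lower())] = int(m.group(2))
    return users, privs

def classify(cmdline):
    """Map a typed command line to the (mode, keyword) the privilege table is keyed on.
    'show X ...' and 'clear X ...' use the show/clear forms; anything else is configure."""
    words = cmdline.lower().split()
    if words[0] in ("show", "clear") and len(words) > 1:
        return words[0], words[1]
    return "configure", words[0]

def may_run(users, privs, user, cmdline):
    """True if the user's level is at least the level assigned to that command form."""
    mode, keyword = classify(cmdline)
    return users[user] >= privs.get((mode, keyword), DEFAULT_LEVEL)

def allowed_forms(users, privs, user):
    """All explicitly configured command forms this user may run, e.g. 'show crypto'."""
    return sorted(f"{mode} {kw}" for (mode, kw), lvl in privs.items() if users[user] >= lvl)
```

Run `allowed_forms` for the level-2 user to confirm that only the two `show` forms set to level 2 come back, while `write`, `clock set` and the configure form of `username` stay at the level-15 default.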



This archive was generated by hypermail 2.1.4 : Sun Oct 02 2005 - 14:40:15 GMT-3