From: Mohamed.N (mohamed_n@sifycorp.com)
Date: Tue Sep 20 2005 - 06:46:21 GMT-3
Hi,
I agree with you, but if I give it like that, the user has write access
also, and can go to config mode!
I gave these commands:
username test password test privilege 2
privilege show level 2 command crypto
enable password test level 2
Now if I SSH to the PIX, it asks for a username and password.
It is the normal enable password, then I get into user mode. Now we type enable to
get into privilege mode, so it asks for a username. Here I gave test, then
I gave the password. Now the user is logged in with full privileges.
In user mode, if we give enable 2 to enter level 2, it is not
accepting it.
The actual screen:
I SSH to the PIX:
login as: pix
Sent username "pix"
pix@........64.74's password:
type help or '?' for a list of available commands.
INMAA-TDL-MIITS-PIX>
INMAA-TDL-MIITS-PIX> enable 2
Enabling to privilege levels is not allowed when configured for
AAA authentication. Use 'enable' only.
INMAA-TDL-MIITS-PIX>
INMAA-TDL-MIITS-PIX> ena
Username: test
Password: ****
INMAA-TDL-MIITS-PIX#
INMAA-TDL-MIITS-PIX# conf t
INMAA-TDL-MIITS-PIX(config)#
INMAA-TDL-MIITS-PIX# sh privil
privilege show level 2 command crypto
Please help me out.
Regards
Mohamed.
----- Original Message -----
From: "Godswill Oletu" <oletu@inbox.lv>
To: "Mohamed.N" <mohamed_n@sifycorp.com>; <ccielab@groupstudy.com>
Sent: Tuesday, September 20, 2005 12:25 PM
Subject: Re: OT:PIX read only user addition
> Try...
>
> username admin1 password cisco1 privilege 7
> username admin2 password cisco2 privilege 7
> ...
> ...
> username admin7 password cisco7 privilege 7
> privilege show level 7 command crypto isa sa
> privilege show level 7 command interface
>
>
> http://www.cisco.com/univercd/cc/td/doc/product/iaabu/pix/pix_62/config/sysmgmt.htm#xtocid2
>
> HTH
>
>
>
> ----- Original Message -----
> From: "Mohamed.N" <mohamed_n@sifycorp.com>
> To: <ccielab@groupstudy.com>
> Sent: Tuesday, September 20, 2005 2:39 AM
> Subject: Re: OT:PIX read only user addition
>
>
> > I am not using TACACS, I am doing it locally.
> > I have attached the configs, please help me.
> > I have removed the ACLs and some other unwanted commands for simplicity.
> >
> > I have some 6 or 7 users, who are administrators. They will login using
> > their username and password, locally and not TACACS/RADIUS.
> >
> > I want to create a user who can do only these commands:
> >
> > show crypto isa sa
> > show interface
> >
> > I don't want that user to go to config mode, to save the config or do any
> > other critical thing that could bring the firewall down.
> >
> > Thanks a lot
> > Mohamed.
> >
> > ----- Original Message -----
> > From: "Todd Veillette" <tveillette@myeastern.com>
> > To: "Mohamed.N" <mohamed_n@sifycorp.com>; <ccielab@groupstudy.com>
> > Sent: Tuesday, September 20, 2005 8:04 AM
> > Subject: Re: OT:PIX read only user addition
> >
> >
> >> Do you have TACACS+ or are you doing this all locally? You need to have
> >> authorization set up for the 15 and the 2 users.
> >>
> >> -TV
> >>
> >> ----- Original Message -----
> >> From: "Mohamed.N" <mohamed_n@sifycorp.com>
> >> To: <ccielab@groupstudy.com>
> >> Sent: Monday, September 19, 2005 8:35 AM
> >> Subject: Re: OT:PIX read only user addition
> >>
> >>
> >> > Hi John,
> >> > I already tried with that page,
> >> > I am not getting the desired results.
> >> > If I configure a user in level 2, most of the commands are accessible. Even
> >> > a level 2 user can delete other users in a higher level.
> >> > This is not exactly what I want.
> >> > I want the user to see the output of only 2 commands.
> >> > The user should not be able to go to configure mode, should not be able
> >> > to save the configs etc.
> >> >
> >> > In a router, we can type "enable 2", but in the PIX it is not accepting it; it
> >> > says once an AAA server is configured, we can't use enable 2!!!
> >> >
> >> > Regards
> >> > Mohamed
> >> > ----- Original Message -----
> >> > From: "john matijevic" <john.matijevic@gmail.com>
> >> > To: "Mohamed.N" <mohamed_n@sifycorp.com>
> >> > Cc: <ccielab@groupstudy.com>
> >> > Sent: Monday, September 19, 2005 4:06 PM
> >> > Subject: Re: OT:PIX read only user addition
> >> >
> >> >
> >> >> Hello Mohamed,
> >> >> I gathered the following information off of the Cisco web site:
> >> >> Understanding Privilege Settings
> >> >>
> >> >> Most commands in the PIX are at level 15, although a few are at level 0.
> >> >> To show current settings for all commands, issue the following command.
> >> >>
> >> >> *show privilege all*
> >> >>
> >> >> Most commands are at level 15 by default, as shown in the following example.
> >> >>
> >> >> *privilege configure level 15 command route*
> >> >>
> >> >> A few are at level 0, as shown in the following example.
> >> >>
> >> >> *privilege show level 0 command curpriv*
> >> >>
> >> >> The following examples address the *clock* command. To determine the current
> >> >> settings for the *clock* command, issue the following command.
> >> >>
> >> >> *show privilege command clock*
> >> >>
> >> >> The output of the *show privilege command clock* command shows us the *clock*
> >> >> command exists in the following three forms.
> >> >>
> >> >> !--- Users at level 15 can issue the show clock command.
> >> >> privilege show level 15 command clock
> >> >> !--- Users at level 15 can issue the clear clock command.
> >> >> privilege clear level 15 command clock
> >> >> !--- Users at level 15 can configure the clock
> >> >> !--- (for example, clock set 12:00:00 Jan 01 2001).
> >> >> privilege configure level 15 command clock
> >> >>
> >> >> See the following link for additional details:
> >> >>
> >> >> http://www.cisco.com/en/US/customer/products/hw/vpndevc/ps2030/products_tech_note09186a00800949d6.shtml
> >> >> Sincerely,
> >> >> John
> >> >>
> >> >>
> >> >> On 9/19/05, Mohamed.N <mohamed_n@sifycorp.com> wrote:
> >> >> >
> >> >> > Hi All,
> >> >> > Sorry for the OT, but I spent a lot of time on this.
> >> >> > I want to add a user in the PIX who can do only these 2 commands:
> >> >> > show crypto isakmp sa
> >> >> > show interface
> >> >> > This user should not save the config, go to config mode or be able to
> >> >> > do any config changes.
> >> >> >
> >> >> > I tried searching many pages.
> >> >> > I tried using these commands:
> >> >> >
> >> >> > enable password XXXX level 2
> >> >> > username user pass XXXX priv 2
> >> >> > privilege show level 2 command crypto
> >> >> > privilege show level 2 command interface
> >> >> >
> >> >> > But there is no restriction. If I choose level 1 or 0, I am unable to
> >> >> > go to enable mode at all, so I can't use the show crypto commands.
> >> >> >
> >> >> > Also I want to know what is the difference between level 1, level 2 and
> >> >> > so on, and what significance it has in controlling the access to the PIX?
> >> >> >
> >> >> >
> >> >> > Regards
> >> >> > N Mohamed
> >> >> > Senior Network Engineer
> >> >> > Technology-MIITS
> >> >> > Sify Ltd
> >> >> > Phone : +91-44-22540777 extn: 2082
> >> >> > Mobile : +91-98401-27734
> >> >> > Email : mohamed_n@sifycorp.com
> >> >>
> >> >>
> >> >>
> >> >> --
> >> >> John Matijevic, CCIE #13254
> >> >> U.S. Installation Group
> >> >> Senior Network Engineer
> >> >> 954-969-7160 ext. 1147 (office)
> >> >> 305-321-6232 (cell)
> >> >>
> >> >>
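Editor's added example, not from any message in this thread. The thread ends without a resolution, but the screen Mohamed pastes at the top (a privilege 2 user authenticating at "enable" and landing straight in "conf t") is what a PIX does when commands have been given privilege levels but command authorization has not been switched on: the "privilege ... level" entries are only enforced once "aaa authorization command LOCAL" is configured, and until then every user who gets through "enable" has the full command set. The configuration below combines the commands already quoted in the thread with that line. It assumes PIX 6.2 or later (the release the linked sysmgmt page covers, which is where local command authorization appeared); the usernames and passwords are placeholders.

```cisco
! Added editor example; not configuration posted by anyone in this thread.
! Assumes PIX 6.2 or later. Usernames and passwords are placeholders.
!
! 1. Keep the administrators as local level-15 users. Create at least one
!    of these from the console BEFORE enabling command authorization: once
!    it is on, the enable password by itself no longer reaches config mode.
username admin1 password <admin1-secret> privilege 15
!
! 2. The restricted account. Level 2 is arbitrary; any level below 15 does.
username test password <test-secret> privilege 2
!
! 3. Authenticate SSH logins and 'enable' against the local user database.
!    With this in place 'enable' prompts for a username and puts the user at
!    the privilege level of that username, which is why the PIX refuses
!    'enable 2' ("Use 'enable' only") and why the 'enable password ... level 2'
!    line from the thread has no effect.
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
!
! 4. The missing piece: enforce the per-command privilege levels against the
!    local database. Without this line the 'privilege' entries below are
!    informational only.
aaa authorization command LOCAL
!
! 5. Lower only the two show commands to level 2. 'configure terminal',
!    'write memory', 'username' and everything else keep their default
!    level 15 and are refused to the level-2 user.
privilege show level 2 command crypto
privilege show level 2 command interface
```

Two caveats. First, the privilege command keys on the main command keyword, so the crypto line exposes every show crypto variant (show crypto ipsec sa included), not only show crypto isakmp sa; if that is too much, there is no finer grain available with this mechanism. Second, turn command authorization on from the console while logged in as a level-15 local user, and make sure every one of the six or seven administrator accounts is at privilege 15 first, or they lose configuration access along with the restricted user. To verify, log in as test, run show curpriv (a level 0 command, so it is always allowed) and confirm it reports level 2, check that the two show commands return output, and confirm that configure terminal is rejected by command authorization.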
This archive was generated by hypermail 2.1.4 : Sun Oct 02 2005 - 14:40:15 GMT-3