Restrict multiple simultaneous FWSM administrators per Context?

Dec 10th, 2008
Is it possible to have multiple firewall administrators logged into a FWSM, across multiple contexts, but to ONLY allow one administrator per context with WRITE access/privileges? I want to prevent having multiple administrators working within the same context simultaneously, both with write privileges.


The aim is to ONLY have ONE administrator making changes to a context at a time… Is this possible?


vmoopeung Tue, 12/16/2008 - 09:58

The FWSM provides system administrator access in multiple context mode as well as access for individual context administrators.


The admin context is just like any other context, except that when you log in to the admin context, you have system administrator rights and can access the system and all other contexts. The admin context is not restricted in any way, and can be used as a regular context. But, because logging into the admin context grants you administrator privileges over all contexts, you might need to restrict access to the admin context to appropriate users. The admin context must reside on Flash memory, and not remotely.


If your system is already in multiple context mode, or if you convert from single mode, the admin context is created automatically as a file on the internal Flash memory called admin.cfg. This context is named admin. If you do not want to use admin.cfg as the admin context, you can change the admin context.

The sections at the URL below describe logging in as a system administrator or as a context administrator:

http://www.cisco.com/en/US/products/hw/modules/ps2706/products_configuration_example09186a00809bfce4.shtml#man
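To make the structure in the reply above concrete, here is an added configuration example (not from the original thread, and not from Cisco's documentation) showing a FWSM in multiple context mode with the admin context stored on Flash as admin.cfg, two ordinary contexts, and the TACACS+ authentication that the original poster describes. Hostname, VLAN numbers, the ACS address and the shared secret are placeholders.

```cisco
! --- System execution space of the FWSM (constructed example) ---
hostname fwsm-01
mode multiple
!
! The admin context is the one created automatically on internal Flash
! as admin.cfg; logging in here grants rights over every context.
admin-context admin
context admin
  allocate-interface vlan100
  config-url disk:/admin.cfg
!
! Ordinary contexts; each has its own configuration file and interfaces,
! and a context administrator logging in here sees only this context.
context cust-a
  allocate-interface vlan201-vlan202
  config-url disk:/cust-a.cfg
!
context cust-b
  allocate-interface vlan301-vlan302
  config-url disk:/cust-b.cfg
!
! --- Inside one of the contexts (after "changeto context cust-a") ---
! TACACS+ (Cisco ACS) for login, enable, per-command authorization and
! per-command accounting. Placeholder address and key.
aaa-server ACS protocol tacacs+
aaa-server ACS (inside) host 10.0.0.5
  key TACACS_SHARED_SECRET_PLACEHOLDER
aaa authentication ssh console ACS
aaa authentication enable console ACS
aaa authorization command ACS
aaa accounting command ACS
```

This example does not by itself enforce the single-writer behaviour the question asks for: two administrators authenticated through ACS can still be in configuration mode in cust-a at the same time. What the per-command accounting line does give you is a record on the ACS server of which administrator issued which command in which context, so overlapping changes can at least be detected and attributed after the fact.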

cpresland Tue, 12/16/2008 - 10:33
Hi There, thanks for your response.


Let me explain further…


Authentication to our FWSMs is controlled using Cisco ACS - TACACS.


Administrators logging into any of the FWSMs must authenticate against TACACS. All FWSM administrators have write privileges/access. No local authentication is allowed. We are in a situation where we have 15 or so FWSM administrators.


So at any one time, we can have multiple FWSM administrators with write privileges logged into the SAME context, making different simultaneous changes…

This is what I am trying to prevent: multiple administrators logged into the same FWSM context, both making different changes at the same time…


Kind of like Checkpoint where there is ONLY ever 1 administrator logged in and making changes at any one time…

