I have AAA authentication enabled for PDM connections on a 515E Firewall. However, I am able to connect using a username (with privilege level 1) to PDM and can make ANY changes/modifications and SAVE them to Flash.
However, with the same user, "telnet" to the PIX doesn't get any privileged commands, as desired.
With reference to the below config, I can log in with username "yyyy" to PDM and have FULL access. Why?
--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --
PDM does default to giving users full access, don't ask me why. To restrict certain users to only being able to look at the config, assign those PDM users to a specific privilege level, then move certain commands down to that level and enable command authorization.
The commands listed are the ones PDM runs on your PIX when it first starts up; you have to give that user privilege to run those commands at their privilege level, that way PDM will start up fine. Whenever they make a change and try to apply it, though, since that is a level 15 function they'll get an error. If they Telnet/SSH directly into the PIX, they can still type "en" to get to level 15 and do whatever they like from there, so it shouldn't make any difference that way.
"aaa authorization command LOCAL" is required to enable the authorization for PDM. For telnet or other access, unlike PDM, you are forced to enter the enable password, which in your case is the same password as your user password. So, the user's enable access (i.e., what commands users are allowed to execute) is limited to the user priv level defined for your user, in your case that's 1. But you don't have that option (to enter the enable password) when you use PDM. That's why "aaa authorization command" is required.
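To make the two answers above concrete, here is an added PIX 6.3-style configuration fragment (not from the original thread or from Cisco) that puts a PDM user in a restricted privilege level and turns on local command authorization. The username "pdmview", the read-only level 5, and the three "privilege show" commands are assumptions for illustration; the actual list of commands PDM issues at start-up was removed from the thread and must be taken from your own PIX/PDM version.

```cisco
! Added example, not the original poster's config.
! Local user database: level 15 keeps full access, level 5 is a
! hypothetical read-only role for the PDM user.
username admin password <placeholder-admin-password> privilege 15
username pdmview password <placeholder-user-password> privilege 5

! Authenticate PDM (HTTPS), Telnet and SSH sessions against the local database.
aaa authentication http console LOCAL
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL

! Tie "enable" to the user's own credentials, so a Telnet/SSH user who types
! "en" lands in the privilege level on their username entry, not a shared level 15.
aaa authentication enable console LOCAL

! Command authorization. Without this line an authenticated PDM user can run
! every command, whatever the privilege level on the username entry says.
aaa authorization command LOCAL

! Move the commands PDM needs at start-up down to level 5 so the GUI loads.
! These three are illustrative placeholders; replace them with the commands
! your PDM version actually issues.
privilege show level 5 command running-config
privilege show level 5 command version
privilege show level 5 command interface

! Nothing else is lowered: configuration and "write memory" stay at level 15,
! so an "apply" from the level-5 PDM user is rejected by command authorization.
```

After applying this, verify from a second session that "pdmview" can open PDM but gets an authorization error when applying a change, and that "admin" still can, before disconnecting your level-15 session.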