Using AAA for PDM Access

mnlatif
Level 3

Hi,

I have AAA authentication enabled for PDM connections on a 515E firewall. However, I am able to connect to PDM using a username (with privilege level 1) and can make ANY changes/modifications and SAVE them to flash.

However, with the same user, "telnet" to the PIX doesn't get any privileged commands, as desired.

With reference to the config below, I can log in to PDM with username "yyyy" and have FULL access. Why?

The configuration is:

username zzzzz password xxxxx encrypted privilege 15
username yyyyy password xxxxx encrypted privilege 1

show aaa

aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL


gfullage
Cisco Employee

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

PDM does default to giving users full access, don't ask me why. To restrict certain users to only being able to look at the config, assign those PDM users to a specific privilege level, then move certain commands down to that level and enable command authorization.

The following works in my PIX:

username --moderator edit-- password --moderator edit-- encrypted privilege 9

privilege show level 9 command interface
privilege show level 9 command running-config
privilege show level 9 command aaa
privilege show level 9 command privilege
privilege show level 9 command pdm
privilege show level 9 command blocks

aaa authentication http console LOCAL
aaa authorization command LOCAL

The commands listed are the ones PDM runs on your PIX when it first starts up. You have to give that user privilege to run those commands at their privilege level; that way PDM will start up fine. Whenever they make a change and try to apply it, though, since that is a level 15 function they'll get an error. If they Telnet/SSH directly into the PIX, they can still type "en" to get to level 15 and do whatever they like from there, so it shouldn't make any difference that way.

Have a read of http://www.cisco.com/warp/public/110/pix_command.shtml for more info on the command authorization stuff if you like.

mhoda
Level 5

Hi,

"aaa authorization command LOCAL" is required to enable authorization for PDM. For telnet or other access, unlike PDM, you are forced to enter the enable password, which in your case is the same password as your user password. So the user's enable access (i.e., what commands the user is allowed to execute) is limited to the user privilege level defined for your user, which in your case is 1. But you don't have that option (to enter the enable password) when you use PDM. That's why "aaa authorization command" is required.

I hope it's clear! Thanks,

Mynul
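Added example, not from this thread or from Cisco: a small Python audit that reads a PIX-style configuration and flags the gap both replies describe (HTTP/PDM authentication against the local database with no "aaa authorization command LOCAL"), and, once authorization is on, checks that the PDM startup "show" commands listed by gfullage were moved down to the user's level. The sample configurations are constructed from this thread with placeholder passwords; the audit itself is an assumption about how one might check this offline, not a PIX feature.

```python
import re
# Constructed sample configs modelled on this thread (passwords are placeholders).
WEAK_CONFIG = """username zzzzz password PLACEHOLDER encrypted privilege 15
username yyyyy password PLACEHOLDER encrypted privilege 1
aaa authentication http console LOCAL"""
FIXED_CONFIG = """username pdmview password PLACEHOLDER encrypted privilege 9
privilege show level 9 command interface
privilege show level 9 command running-config
privilege show level 9 command aaa
privilege show level 9 command privilege
privilege show level 9 command pdm
privilege show level 9 command blocks
aaa authentication http console LOCAL
aaa authorization command LOCAL"""

USER_RE = re.compile(r"^username\s+(\S+)\s+password\s+\S+(?:\s+encrypted)?\s+privilege\s+(\d+)$")
PRIV_RE = re.compile(r"^privilege show level (\d+) command (\S+)$")
# 'show' commands PDM runs at startup, as listed in gfullage's reply.
PDM_STARTUP_SHOWS = {"interface", "running-config", "aaa", "privilege", "pdm", "blocks"}

def parse_users(config):
    """Map each local username to its configured privilege level."""
    users = {}
    for line in config.splitlines():
        m = USER_RE.match(line.strip())
        if m:
            users[m.group(1)] = int(m.group(2))
    return users

def audit_pdm_authorization(config):
    """One finding per local user below level 15 who either gets full PDM access
    (no command authorization) or cannot start PDM (startup shows not granted)."""
    lines = {l.strip() for l in config.splitlines()}
    if "aaa authentication http console LOCAL" not in lines:
        return []  # PDM is not authenticated against the local user database
    cmd_authz = "aaa authorization command LOCAL" in lines
    granted = {}  # privilege level -> 'show' commands moved down to it
    for m in filter(None, map(PRIV_RE.match, lines)):
        granted.setdefault(int(m.group(1)), set()).add(m.group(2))
    findings = []
    for user, lvl in sorted((u, p) for u, p in parse_users(config).items() if p < 15):
        if not cmd_authz:
            findings.append(f"{user} (privilege {lvl}): full PDM access, 'aaa authorization command LOCAL' missing")
        else:
            missing = PDM_STARTUP_SHOWS - granted.get(lvl, set())
            if missing:
                findings.append(f"{user} (privilege {lvl}): PDM startup blocked, not granted: {', '.join(sorted(missing))}")
    return findings
```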
