06-06-2003 03:09 PM - edited 03-10-2019 07:20 AM
Hi,
I have AAA authentication enabled for PDM connections on a 515E Firewall. However, I am able to connect to PDM using a username (with privilege level 1) and can make ANY changes/modifications and SAVE them to Flash.
However, with the same user, a "telnet" to the PIX doesn't get any privileged commands, as desired.
With reference to the config below, I can log in to PDM with username "yyyyy" and have FULL access. Why?
Configuration is:
username zzzzz password xxxxx encrypted privilege 15
username yyyyy password xxxxx encrypted privilege 1
show aaa
aaa authentication telnet console LOCAL
aaa authentication ssh console LOCAL
aaa authentication http console LOCAL
aaa authentication serial console LOCAL
aaa authentication enable console LOCAL
06-11-2003 06:19 PM
--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --
PDM does default to giving users full access, don't ask me why. To restrict certain users to only being able to look at the config, assign those PDM users to a specific privilege level, then move certain commands down to that level and enable command authorization.
The following works in my PIX:
username --moderator edit-- password --moderator edit-- encrypted privilege 9
privilege show level 9 command interface
privilege show level 9 command running-config
privilege show level 9 command aaa
privilege show level 9 command privilege
privilege show level 9 command pdm
privilege show level 9 command blocks
aaa authentication http console LOCAL
aaa authorization command LOCAL
The commands listed are the ones PDM runs on your PIX when it first starts up; you have to give that user privilege to run those commands at their privilege level so that PDM will start up fine. Whenever they make a change and try to apply it, though, since that is a level 15 function they'll get an error. If they Telnet/SSH directly into the PIX, they can still type "en" to get to level 15 and do whatever they like from there, so it shouldn't make any difference that way.
Have a read of http://www.cisco.com/warp/public/110/pix_command.shtml for more info on the command authorization stuff if you like.
06-11-2003 07:49 PM
Hi,
"aaa authorization command LOCAL" is required to enable the authorization for PDM. For telnet or other access, unlike PDM, you are forced to enter the enable password, which in your case is the same password as your user password. So, the user's enable access (i.e., what commands users are allowed to execute) is limited to the user privilege level defined for your user, in your case that's 1. But you don't have that option (to enter the enable password) when you use PDM. That's why "aaa authorization command" is required.
I hope it's clear! Thanks,
Mynul
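To make the behaviour described in both replies concrete, here is an added example (not from the thread or from Cisco) that models the PDM authorization decision: it parses the kind of config quoted above and reports whether a given user can run a command from PDM, with and without "aaa authorization command LOCAL". The sample config, the PDM_STARTUP list and the rule that unmoved commands sit at level 15 are assumptions for this illustration.

```python
import re

# Constructed sample, modelled on the configs quoted in this thread (not a real device).
SAMPLE_CONFIG = """
username zzzzz password xxxxx encrypted privilege 15
username yyyyy password xxxxx encrypted privilege 1
username pdmro password xxxxx encrypted privilege 9
privilege show level 9 command interface
privilege show level 9 command running-config
privilege show level 9 command aaa
privilege show level 9 command privilege
privilege show level 9 command pdm
privilege show level 9 command blocks
aaa authentication http console LOCAL
aaa authorization command LOCAL
"""

# The "show" commands the first reply says PDM issues when it starts up.
PDM_STARTUP = ["interface", "running-config", "aaa", "privilege", "pdm", "blocks"]
DEFAULT_LEVEL = 15  # simplifying assumption: anything not moved down stays at level 15

def parse_config(text):
    """Pull out user privilege levels, per-command levels and the authz switch."""
    users, cmd_levels, authz = {}, {}, False
    for line in text.splitlines():
        m = re.match(r"username (\S+) .*privilege (\d+)$", line)
        if m:
            users[m.group(1)] = int(m.group(2))
        m = re.match(r"privilege (\S+) level (\d+) command (\S+)$", line)
        if m:
            cmd_levels[(m.group(1), m.group(3))] = int(m.group(2))
        if line.strip() == "aaa authorization command LOCAL":
            authz = True
    return {"users": users, "cmd_levels": cmd_levels, "authz": authz}

def pdm_allowed(cfg, user, mode, command):
    """Would a PDM (HTTP) session for `user` be allowed to run `mode command`?"""
    if user not in cfg["users"]:
        return False  # unknown user never authenticates
    if not cfg["authz"]:
        return True   # no command authorization: PDM gets full access (the OP's symptom)
    required = cfg["cmd_levels"].get((mode, command), DEFAULT_LEVEL)
    return cfg["users"][user] >= required

def pdm_starts(cfg, user):
    """PDM only starts if the user may run every startup 'show' command."""
    return all(pdm_allowed(cfg, user, "show", c) for c in PDM_STARTUP)
```

Run it against a config with the "aaa authorization command LOCAL" line removed to reproduce the original poster's observation of a level 1 user getting full access.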