Cisco Support Community
Community Member

ASA5505: privilege levels (username)

Hi,

Newbie here with a few questions. I've recently moved away from a call center job (phew!) and moved into a position which requires me to configure/deploy ASA5505 devices. Although I feel at ease with basic deployment and basic ACLs, I ran into a few things which have me scratching my head. I started looking into creating additional usernames on an ASA5505. So I created a username "godine" and didn't assign it a privilege level, therefore by default it gets privilege level 2:

ciscoasa5505# show run all username

username godine password XXXXXXX encrypted privilege 2

Why is it that even with that user, I'm able to run commands that require a privilege level of 15? As an example:

ciscoasa5505# show run all privilege | grep pwd

privilege cmd level 15 mode exec command pwd

From that information, it seems that "pwd" requires level 15 access; however, I'm currently logged in with the user "godine" and when I run pwd:

ciscoasa5505# pwd

disk0:/

Furthermore, what is the purpose of "service-type admin" under the username XXXX attributes?

Thanks in advance for all the responses!

Erik

5 REPLIES

Re: ASA5505: privilege levels (username)

Are you sure you are logged in with the user "godine" when issuing this command?

ciscoasa5505# show run all privilege | grep pwd

Community Member

Re: ASA5505: privilege levels (username)

Since the username "godine" isn't an accepted username when SSH'ing to the device, I first logged in with pix. Once logged in with pix, I use the "login" command and login with godine. My understanding of things is, that if I would like to login with godine via SSH (without using the pix username) I'd have to use AAA instead of the local database.

Re: ASA5505: privilege levels (username)

Use this command so that the ASA uses the local DB for authentication, then log in with the priv 2 user "godine":

aaa authentication ssh console LOCAL

Community Member

Re: ASA5505: privilege levels (username)

I'm already logging in with username "godine". At no time do I ever type the command "enable". Thanks for your input.

Community Member

Re: ASA5505: privilege levels (username)

So with some digging around, I found an answer to my question. Access levels (1-15) aren't very relevant unless you enable command authorization:

aaa authorization command LOCAL
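As an added example (not part of the thread, and not Cisco's own sample), here is a minimal ASA 5505 configuration that ties the replies together: local SSH authentication so "godine" can log in directly, a privilege 15 account created before command authorization is switched on so the box cannot lock you out, and the `aaa authorization command LOCAL` line without which the privilege levels are never checked. The usernames, passwords in angle brackets and the decision to lower `pwd` to level 2 are assumptions; the `privilege cmd ...` line reuses the form printed by `show run all privilege` in the question.

```cisco
! Added example, not from the thread. Values in <> are placeholders you choose.
!
! 1. Create a full-rights account FIRST. Once command authorization is on,
!    a session without a privilege 15 user can no longer change the config.
username admin password <strong-password> privilege 15
username admin attributes
 service-type admin
!
! Restricted operator. Privilege 2 is what the ASA assigns when no level is given.
username godine password <strong-password> privilege 2
username godine attributes
 service-type admin
!
! 2. Authenticate management logins against the local database.
!    Without these lines SSH only accepts the default "pix" login, which is
!    why "godine" could only be reached through the "login" command.
aaa authentication ssh console LOCAL
aaa authentication serial console LOCAL
!
! With LOCAL enable authentication, "enable" asks for the user's own
! password and grants the user's configured level, so "godine" stays at 2
! even after typing "enable".
aaa authentication enable console LOCAL
!
! 3. Make "service-type" meaningful. It is only checked when exec
!    authorization is on: "admin" allows full CLI and enable access,
!    "nas-prompt" allows the CLI but not enable, "remote-access" is VPN only.
aaa authorization exec LOCAL
!
! 4. The line the thread arrives at. Until it is present, any user who
!    reaches the prompt can run level 15 commands such as "pwd" regardless
!    of the level on the username line.
aaa authorization command LOCAL
!
! 5. Optionally lower individual commands so level 2 users may run them.
!    Form taken from the "show run all privilege" output in the question.
privilege cmd level 2 mode exec command pwd
```

Apply this from a session that stays open, then open a second SSH session as "godine" and run `show curpriv` to confirm the reported level is 2; a level 15 command that has not been lowered (for example `show running-config`) should now be refused with a command authorization error, while `pwd` still works because of the last line. Only close the original session once the "admin" login and the refusal have both been verified.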
