Firewall Wizards mailing list archives
RE: Privileged mode access in a Pix
From: "Sonya Gilly" <sgilly () servicom2000 com>
Date: Wed, 20 Jun 2001 09:23:18 +0200
The problem I have found is that Pixes neither support different privilege levels nor authorization for commands. That configuration is OK for routers or switches (with IOS), but Pixes don't support the same commands as those devices with IOS. So I can authorize in Tacacs the commands entered by users in all my network except in Pixes. Please, tell us if you find something when you receive that Pix. Thank you very much for your help.

Sonya

-----Original Message-----
From: Yang Lee [mailto:ylee () net50 com]
Sent: Tuesday, 19 June 2001 21:26
To: sgilly () servicom2000 com
CC: ylee () net50 com; firewall-wizards () nfr com
Subject: RE: [fw-wiz] Privileged mode access in a Pix

Cisco provided a commercial tacacs+ server, CiscoSecure Access Control Server. Also you can download a stripped-down tacacs+ daemon. I'd prefer the former simply because you can get better support. Anyway, something similar to the following should work:

In Pix:

    ! Authorization
    aaa authorization exec default local group tacacs+
    aaa authorization commands 1 default local group tacacs+
    ! valid only ACS offline
    aaa authorization commands 15 default local group tacacs+ if-authenticated

-----------------------------------------------------------------

In Tacacs+ server:

    user = test {
        profile_id = 113
        set server current-failed-logins = 0
        profile_cycle = 104
        member = voiceng
        password = clear "********"
        service=exec {
            set priv-lvl=15
        }
        service=shell {
            default cmd=permit
            allow "^192\.168\.110\.85$" ".*" ".*"
            refuse ".*" ".*" ".*"
        }
    }

-------------------------------------------------------------

The code will work for IOS 12.0. I don't have a PIX in hand to test it out. Probably I'll get one later next week to try it out. Maybe you can publish your test result by then. Good luck.
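As an added illustration of what the server side of the configuration above is doing (this is not code from the thread, from Cisco, from CiscoSecure ACS or from tac_plus), the following Python script models how a TACACS+ server evaluates a per-user shell profile: the exec service hands back the privilege level, and each command the device sends for authorization is checked against ordered permit/deny patterns. The user names, commands and profiles are constructed; the matching rules (first word selects the cmd block, patterns searched in order against the arguments, first hit wins, no hit denies, unlisted commands fall back to `default cmd`) are assumptions about tac_plus-style servers, stated in the code comments. The model also makes the thread's point concrete: these decisions only matter when the device actually sends an authorization request per command, which is the capability Sonya reports PIX 5.3 lacks.

```python
"""Model of TACACS+ per-command authorization decisions (added example).

Constructed to mirror the tac_plus-style profile layout quoted in the thread:
    service = exec  { set priv-lvl = N }
    service = shell { default cmd = permit|deny
                      cmd = <name> { permit <regex> ... deny <regex> ... } }
The evaluation rules below are assumptions about that style of server, not
code from Cisco, tac_plus or this thread.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Tuple


@dataclass
class CmdRule:
    """One `cmd = <name> { ... }` block: ordered (action, regex) pairs."""
    name: str
    patterns: List[Tuple[str, str]] = field(default_factory=list)


@dataclass
class Profile:
    """One user's exec and shell services."""
    priv_lvl: int            # service = exec { set priv-lvl = N }
    default_cmd: str         # service = shell { default cmd = ... }
    cmds: Dict[str, CmdRule] = field(default_factory=dict)


# Constructed sample profiles (hypothetical users, not from the thread).
PROFILES: Dict[str, Profile] = {
    # Operator: lands in privileged mode, may inspect and clear translations only.
    "netops": Profile(priv_lvl=15, default_cmd="deny", cmds={
        "show": CmdRule("show", [("permit", r"^(interface|xlate|conn)\b"),
                                 ("deny", r".*")]),
        "clear": CmdRule("clear", [("permit", r"^xlate\b")]),
    }),
    # Helpdesk: unprivileged, a single read-only command.
    "helpdesk": Profile(priv_lvl=1, default_cmd="deny", cmds={
        "show": CmdRule("show", [("permit", r"^version$")]),
    }),
}


def exec_attributes(profile: Profile) -> Dict[str, str]:
    """Attributes returned for the exec (login) authorization request."""
    return {"priv-lvl": str(profile.priv_lvl)}


def authorize(profile: Profile, command: str) -> Tuple[bool, str]:
    """Decide one `service = shell` command authorization request.

    Assumed semantics: the first word selects the cmd block, the patterns
    are *searched* (not anchored) against the remaining arguments in order,
    the first hit decides, and a block with no hit denies. Commands without
    a block fall back to `default cmd`.
    """
    words = command.split()
    if not words:
        return False, "empty command"
    name, args = words[0], " ".join(words[1:])
    rule = profile.cmds.get(name)
    if rule is None:
        allowed = profile.default_cmd == "permit"
        return allowed, f"{name}: no cmd block, default cmd = {profile.default_cmd}"
    for action, pattern in rule.patterns:
        if re.search(pattern, args):
            return action == "permit", f"{name}: args {args!r} matched {action} {pattern!r}"
    return False, f"{name}: no pattern matched, implicit deny"


def audit_session(user: str, commands: List[str]) -> List[Tuple[str, bool, str]]:
    """Replay a command sequence for one user, as an auditor reviewing a session would."""
    profile = PROFILES[user]
    return [(cmd, *authorize(profile, cmd)) for cmd in commands]


if __name__ == "__main__":
    sample = ["show interface", "show running-config", "clear xlate",
              "clear arp", "configure terminal"]
    for user in PROFILES:
        print(f"{user}: exec -> {exec_attributes(PROFILES[user])}")
        for cmd, ok, why in audit_session(user, sample):
            print(f"  {'PERMIT' if ok else 'DENY  '} {cmd:<22} ({why})")
```

Because the patterns are searched rather than anchored, a profile author has to anchor them explicitly (as the `^192\.168\.110\.85$` pattern in the quoted profile does); an unanchored `permit "xlate"` would also permit arguments that merely contain that word.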
We are using TAC_PLUS from Cisco and we have defined different user profiles. The problem is that I can't configure privilege level 15 and access the enable mode directly. All this is because there are users that can't know the enable password. In routers, they access the privileged mode directly with privilege level 15, and they can only type the commands specified in the TACACS. But in the PIX, they only have access to the unprivileged mode, so they can't do anything without the enable password. Do you know if it is possible with a Pix?

Thanks in advance,
Sonya

-----Original Message-----
From: Yang Lee [mailto:ylee () net50 com]
Sent: Tuesday, 19 June 2001 3:49
To: sgilly () servicom2000 com
CC: firewall-wizards () nfr com
Subject: Re: [fw-wiz] Privileged mode access in a Pix

Modify the account user profile in tacacs+ server. What kind of tacacs+ server are you using, by the way?

I'm trying to configure authorization in a Pix. I have the following commands in a Cisco router, but I haven't found the equivalent in Pix configuration:

    aaa authorization exec default tacacs+ if-authenticated
    aaa authorization commands 15 default tacacs+ if-authenticated

I would like to access the Pix directly in privileged mode through SSH, and limit the enabled commands for different users in the TACACS+ server. Do you know if this is possible in a Pix? (The firewall version is 5.3.1)

Thanks in advance,
Sonya

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards
Current thread:
- Privileged mode access in a Pix Sonya Gilly (Jun 18)
- Re: Privileged mode access in a Pix Yang Lee (Jun 19)
- RE: Privileged mode access in a Pix Sonya Gilly (Jun 19)
- RE: Privileged mode access in a Pix Yang Lee (Jun 19)
- RE: Privileged mode access in a Pix Sonya Gilly (Jun 21)
- RE: Privileged mode access in a Pix Sonya Gilly (Jun 19)
- Re: Privileged mode access in a Pix Yang Lee (Jun 19)