Firewall Wizards mailing list archives

RE: Privileged mode access in a Pix


From: "Sonya Gilly" <sgilly () servicom2000 com>
Date: Wed, 20 Jun 2001 09:23:18 +0200

The problem I have found is that Pixes support neither different privilege
levels nor command authorization. That configuration is fine for routers
or switches (with IOS), but Pixes don't support the same commands as those
IOS devices. So I can authorize in TACACS the commands entered by users
throughout my network, except on the Pixes.

Please, tell us if you find something when you receive that Pix.

Thank you very much for your help.
Sonya


-----Original Message-----
From: Yang Lee [mailto:ylee () net50 com]
Sent: Tuesday, 19 June 2001 21:26
To: sgilly () servicom2000 com
CC: ylee () net50 com; firewall-wizards () nfr com
Subject: RE: [fw-wiz] Privileged mode access in a Pix


Cisco provides a commercial tacacs+ server, CiscoSecure Access Control
Server. You can also download a stripped-down tacacs+ daemon. I'd prefer
the former simply because you can get better support.

Anyway, something similar to the following should work:

In Pix:
        ! Authorization
        aaa authorization exec default local group tacacs+
        aaa authorization commands 1 default local group tacacs+
        ! valid only ACS offline
        aaa authorization commands 15 default local group tacacs+ if-authenticated

-----------------------------------------------------------------
In Tacacs+ server:
user  = test {
        profile_id = 113
        set server current-failed-logins = 0
        profile_cycle = 104
        member = voiceng
        password = clear "********"
        service=exec {
                set priv-lvl=15
        }
        service=shell {
                default cmd=permit
                allow "^192\.168\.110\.85$" ".*" ".*"
                refuse ".*" ".*" ".*"
        }
}
-------------------------------------------------------------

The code will work for IOS 12.0. I don't have a PIX in hand to test it out.
Probably I'll get one later next week to try it out. Maybe you can publish
your test result by then. Good luck.



We are using TAC_PLUS from Cisco and we have defined different user
profiles. The problem is that I can't configure privilege level 15
and access the enable mode directly.

All this is because there are users who can't know the enable
password. On routers, they access the privileged mode directly with
privilege level 15, and they can only type the commands specified in
the TACACS. But on the PIX, they only have access to the unprivileged
mode, so they can't do anything without the enable password.

Do you know if it is possible with a Pix?

Thanks in advance,
Sonya

-----Original Message-----
From: Yang Lee [mailto:ylee () net50 com]
Sent: Tuesday, 19 June 2001 3:49
To: sgilly () servicom2000 com
CC: firewall-wizards () nfr com
Subject: Re: [fw-wiz] Privileged mode access in a Pix


Modify the account user profile in the tacacs+ server. What kind of tacacs+
server are you using, by the way?


I'm trying to configure authorization in a Pix. I have the following
commands in a Cisco router, but I haven't found the equivalence in Pix
configuration:

aaa authorization exec default tacacs+ if-authenticated
aaa authorization commands 15 default tacacs+ if-authenticated

I would like to access the Pix directly in privileged mode through
SSH, and to limit the enabled commands for different users in the
TACACS+ server.

Do you know if this is possible in a Pix? (The firewall version is 5.3.1)

Thanks in advance,
Sonya

_______________________________________________
firewall-wizards mailing list
firewall-wizards () nfr com
http://www.nfr.com/mailman/listinfo/firewall-wizards



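As an added example, not code from the thread, from Cisco or from any tacacs+ server: a small Python model of how an IOS-style method list such as the "local group tacacs+ ... if-authenticated" lines in Yang Lee's reply resolves a command authorization request. A method that returns an explicit deny ends the list, whereas an unreachable server falls through to the next method, which is why the "if-authenticated" fallback only matters when the ACS is offline. The local user table, the first-match semantics of the allow/refuse (nas, port, rem_addr) triples and the local-method behaviour for unknown users are assumptions made for the illustration.

```python
import re
PASS, FAIL, ERROR = "pass", "fail", "error"

# Constructed local user database (hypothetical): username -> privilege level.
LOCAL_USERS = {"admin": 15}

# Constructed profile mirroring the tacacs+ stanza in the mail: the allow/refuse
# triples are (nas, port, rem_addr) regexes tried in order, first match wins,
# no match refuses (assumed semantics); priv-lvl and default cmd come from it.
PROFILE = {"priv_lvl": 15, "default_cmd": "permit",
           "rules": [("allow", (r"^192\.168\.110\.85$", ".*", ".*")),
                     ("refuse", (".*", ".*", ".*"))]}

def method_local(ctx):
    # Simplification: unknown local user is ERROR (try next method); known but too low is FAIL.
    level = LOCAL_USERS.get(ctx["user"])
    if level is None:
        return ERROR
    return PASS if level >= ctx["level"] else FAIL

def method_tacacs(ctx):
    if not ctx["server_up"]:
        return ERROR  # unreachable is not a verdict: the list falls through
    where = (ctx["nas"], ctx["port"], ctx["rem_addr"])
    for verdict, pats in PROFILE["rules"]:
        if all(re.search(p, v) for p, v in zip(pats, where)):
            if verdict == "refuse":
                return FAIL  # explicit deny from the server stops the list
            break
    else:
        return FAIL  # no allow/refuse rule matched
    ok = PROFILE["priv_lvl"] >= ctx["level"] and PROFILE["default_cmd"] == "permit"
    return PASS if ok else FAIL

def method_if_authenticated(ctx):
    return PASS if ctx["authenticated"] else FAIL

def authorize(methods, ctx):
    # Walk the method list: PASS permits, FAIL denies, ERROR tries the next one.
    for method in methods:
        result = method(ctx)
        if result != ERROR:
            return result == PASS
    return False  # every method errored (server down, no if-authenticated)

def session(user, server_up, nas="192.168.110.85"):
    # Constructed request: level-15 command from an authenticated user on the given NAS.
    return {"user": user, "level": 15, "server_up": server_up, "nas": nas,
            "port": "tty0", "rem_addr": "10.0.0.5", "authenticated": True}

WITH_FALLBACK = [method_local, method_tacacs, method_if_authenticated]
NO_FALLBACK = [method_local, method_tacacs]
```

With the server reachable, a refuse from the profile denies the command even when "if-authenticated" is configured; only when every method errors does the fallback turn an otherwise denied request into a permit.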

