topic Re: Using AAA for PDM Access in Network Access Control

Using AAA for PDM Access

mnlatif — Sun, 10 Mar 2019 14:20:59 GMT

Hi,

I have AAA authentication enabled for PDM connections on a 515E Firewall. However i am able to connect using a username (with privilege level 1) to PDM and can make ANY Changes\Modifcations and SAVE them to Flash.

However with the same user "telnet" to PIX doesn't get any privilege commands as desired.

With reference to the below config, i can login with username "yyyy" to PDM and have FULL Access. Why ?

Configuration is

username zzzzz password xxxxx encrypted privilege 15

username yyyyy password xxxxx encrypted privilege 1

show aaa

aaa authentication telnet console LOCAL

aaa authentication ssh console LOCAL

aaa authentication http console LOCAL

aaa authentication serial console LOCAL

aaa authentication enable console LOCAL

Re: Using AAA for PDM Access

gfullage — Thu, 12 Jun 2003 01:19:20 GMT

--begin ciscomoderator note-- The following post has been edited to remove potentially confidential information. Please refrain from posting confidential information on the site to reduce security risks to your network. -- end ciscomoderator note --

PDM does default to giving users full access, don't ask me why. To restrict certain users to only being able to look at the config, assign those PDM users to a specific privilege level, then move certain commands down to that level and enable command authorization.

The following works in my PIX:

username --moderator edit-- password --moderator edit-- encrypted privilege 9

privilege show level 9 command interface

privilege show level 9 command running-config

privilege show level 9 command aaa

privilege show level 9 command privilege

privilege show level 9 command pdm

privilege show level 9 command blocks

aaa authentication http console LOCAL

aaa authorization command LOCAL

The commands listed are the ones PDM runs on your PIX when it first starts up, you have to give that user privilege to run those commands at their privilege level, that way PDM will start up fine. Whenever they make a change and try and apply it though, since that is a level 15 function they'll get an error. If they Telnet/SSh directly into the PIX, they can still type "en" to get to level 15 and do whatever they like from there, so it shouldn't make any difference that way.

Have a read of http://www.cisco.com/warp/public/110/pix_command.shtml for more info on the command authorization stuff if you like.

Re: Using AAA for PDM Access

mhoda — Thu, 12 Jun 2003 02:49:16 GMT

Hi,

"aaa authorization command LOCAL" is required to enable the authorization for PDM. For telnet or other access, unlike PDM, you are forced to enter the enable password, which in your case the same password as your user password. So, user's enable access (i.e., what commands users are allowed to execute) is limited to the user priv level defined for your user, in your case thats 1. But you don't have that option (to enter the enable password) when use PDM. Thats why "aaa authorization command" is required.

I hope its clear ! Thanks,

Mynul