topic Re: FWSM on a 6500 - read only user addition in Network Security

FWSM on a 6500 - read only user addition

warren rautenbach — Mon, 11 Mar 2019 20:10:16 GMT

Hey Guys,

I have a customer that has a FWSM on a 6500, I want to create a read only account for them, i believe user privelage of lvl_3

When I log into the firewall it prompts me for a password straight away.

Is there a way that i can create a login that when it prompts me for a password, I can have a password setup to put into that prompt to get a certain level of access, instead of the standard lvl_15 access

any assistance will be greatly appreciated.

Thanks guys,

Waz

Re: FWSM on a 6500 - read only user addition

PAUL GILBERT ARIAS — Mon, 21 Mar 2011 23:02:07 GMT

not sure if I got right your question. If you want to create a user with privilege level 3 you can add the following:

username user3 privilege 3 password pass3

I hope this helps

Re: FWSM on a 6500 - read only user addition

warren rautenbach — Mon, 21 Mar 2011 23:08:14 GMT

hey Paul,

thanks for the reply mate

yea tried that, but i still have to use the standard password to get into the device, the new password i created didnt work....didnt get the oppertunity to use the u/n then p/w

Heres what i found out:

-> once i put in the initial password to get the the firewall> prompt i was able to type in "login"

-> then i was able to put in u/n and p/w

-> but even then the access was of level 15, i was able to change and save config

-> so i need to be able to configure a password that i can enter initially to get to the firewall> prompt then pump in an enable password as well

hmm how can i describe this a tad better...

* i telnet to the device

* Password: this prompt is provided (need to configure another password for this stage)

* firewall> if i get a new password that gets me to this stage ill need to configure another enable password

Is it possible to configure TWO enable passwords??

Re: FWSM on a 6500 - read only user addition

PAUL GILBERT ARIAS — Mon, 21 Mar 2011 23:16:19 GMT

you can create an enable secret for a specified level:

enable secret level

I haven't tested it today but that should allow you to access only for your desidere level

Re: FWSM on a 6500 - read only user addition

PAUL GILBERT ARIAS — Mon, 21 Mar 2011 23:19:18 GMT

sorry, I was telling you the commands for IOS not for the FW, give me a second to test this out.

Re: FWSM on a 6500 - read only user addition

Shrikant Sundaresh — Mon, 21 Mar 2011 23:21:17 GMT

I think just creating a username and password for privilege 3 is not enough.

You would also need to define what commands are allowed in privilege 3.

To confirm that the privilege level is working, you can run "show curpriv" command.

If it shows that the privilege is 3, means that its working correctly. Now you just need to map commands to the privilege level.By default all commands are either privilege 0 or 15.

This is an ASA configuration guide for mapping commands to privilege levels. I think it should be the same on FWSM as well.

http://www.cisco.com/en/US/docs/security/asa/asa84/configuration/guide/access_management.html#wp1145888

Re: FWSM on a 6500 - read only user addition

warren rautenbach — Mon, 21 Mar 2011 23:21:17 GMT

thanks heaps Paul, really appreciate your help.

Re: FWSM on a 6500 - read only user addition

PAUL GILBERT ARIAS — Mon, 21 Mar 2011 23:26:34 GMT

you are correct, the user can authenticate on any privilege level and still be able to change the config.

Here is how you can create a user and assign a specific level:

username test password test privilege 3

aaa authentication enable console LOCAL

aaa authentication ssh console LOCAL

aaa authentication enable console LOCAL

With those commands I get authenticated on the same priv level when doing SSH and when entering the enable password.

Here are the logs:

%ASA-6-113012: AAA user authentication Successful : local database : user = test

%ASA-6-113008: AAA transaction status ACCEPT : user = test

%ASA-6-611101: User authentication succeeded: Uname: test

%ASA-6-605005: Login permitted from 172.16.130.101/58750 to inside:172.16.129.210/ssh for user "test"

%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = test

%ASA-6-611102: User authentication failed: Uname: test

%ASA-6-113012: AAA user authentication Successful : local database : user = test

%ASA-6-113008: AAA transaction status ACCEPT : user = test

%ASA-6-611101: User authentication succeeded: Uname: test

%ASA-5-502103: User priv level changed: Uname: test From: 1 To: 3

%ASA-5-111008: User 'test' executed the 'enable' command.

%ASA-7-111009: User 'test' executed cmd: show uauth

You can still make changes on the config so you will need to change the priv level for some commands so that they can be executed by that priv level.

Re: FWSM on a 6500 - read only user addition

warren rautenbach — Mon, 21 Mar 2011 23:29:15 GMT

sick, thanks Paul.

ill try that out right now.

ill let you know how it goes.

thanks again mate

Re: FWSM on a 6500 - read only user addition

lcaruso — Tue, 22 Mar 2011 00:45:05 GMT

I know you are on the FWSM on a 6500. With an ASA using ASDM, you can have ASDM provide all of those privileged commands for you under Configuration>Device Management>Users/AAA->AAA Access>Authorization>Set ASDM Defined User Roles.

The commands should be the same. Here is what it generates which amounts to read-only access to the ASA. Create the user as level 5 then:

privilege cmd level 3 mode exec command perfmon

privilege cmd level 3 mode exec command ping

privilege cmd level 3 mode exec command who

privilege cmd level 3 mode exec command logging

privilege cmd level 3 mode exec command failover

privilege cmd level 3 mode exec command packet-tracer

privilege show level 5 mode exec command import

privilege show level 5 mode exec command running-config

privilege show level 3 mode exec command reload

privilege show level 3 mode exec command mode

privilege show level 3 mode exec command firewall

privilege show level 3 mode exec command asp

privilege show level 3 mode exec command cpu

privilege show level 3 mode exec command interface

privilege show level 3 mode exec command clock

privilege show level 3 mode exec command dns-hosts

privilege show level 3 mode exec command access-list

privilege show level 3 mode exec command logging

privilege show level 3 mode exec command vlan

privilege show level 3 mode exec command ip

privilege show level 3 mode exec command ipv6

privilege show level 3 mode exec command failover

privilege show level 3 mode exec command asdm

privilege show level 3 mode exec command arp

privilege show level 3 mode exec command route

privilege show level 3 mode exec command ospf

privilege show level 3 mode exec command aaa-server

privilege show level 3 mode exec command aaa

privilege show level 3 mode exec command eigrp

privilege show level 3 mode exec command crypto

privilege show level 3 mode exec command ssh

privilege show level 3 mode exec command vpn-sessiondb

privilege show level 3 mode exec command vpnclient

privilege show level 3 mode exec command vpn

privilege show level 3 mode exec command dhcpd

privilege show level 3 mode exec command blocks

privilege show level 3 mode exec command wccp

privilege show level 3 mode exec command dynamic-filter

privilege show level 3 mode exec command webvpn

privilege show level 3 mode exec command module

privilege show level 3 mode exec command uauth

privilege show level 3 mode exec command compression

privilege show level 3 mode configure command interface

privilege show level 3 mode configure command clock

privilege show level 3 mode configure command access-list

privilege show level 3 mode configure command logging

privilege show level 3 mode configure command ip

privilege show level 3 mode configure command failover

privilege show level 5 mode configure command asdm

privilege show level 3 mode configure command arp

privilege show level 3 mode configure command route

privilege show level 3 mode configure command aaa-server

privilege show level 3 mode configure command aaa

privilege show level 3 mode configure command crypto

privilege show level 3 mode configure command ssh

privilege show level 3 mode configure command dhcpd

privilege show level 5 mode configure command privilege

privilege clear level 3 mode exec command dns-hosts

privilege clear level 3 mode exec command logging

privilege clear level 3 mode exec command arp

privilege clear level 3 mode exec command aaa-server

privilege clear level 3 mode exec command crypto

privilege clear level 3 mode exec command dynamic-filter

privilege cmd level 3 mode configure command failover

privilege clear level 3 mode configure command logging

privilege clear level 3 mode configure command arp

privilege clear level 3 mode configure command crypto

privilege clear level 3 mode configure command aaa-server