03-21-2011 03:18 PM - edited 03-11-2019 01:10 PM
Hey Guys,
I have a customer that has an FWSM on a 6500, I want to create a read-only account for them, I believe user privilege of lvl_3
When I log into the firewall it prompts me for a password straight away.
Is there a way that I can create a login so that, when it prompts me for a password, I can have a password set up to enter at that prompt to get a certain level of access, instead of the standard lvl_15 access?
any assistance will be greatly appreciated.
Thanks guys,
Waz
03-21-2011 04:02 PM
not sure if I got right your question. If you want to create a user with privilege level 3 you can add the following:
username user3 privilege 3 password pass3
I hope this helps
03-21-2011 04:08 PM
hey Paul,
thanks for the reply mate
yeah, tried that, but I still have to use the standard password to get into the device, the new password I created didn't work... didn't get the opportunity to use the u/n then p/w
Heres what i found out:
-> once I put in the initial password to get to the firewall> prompt I was able to type in "login"
-> then I was able to put in u/n and p/w
-> but even then the access was of level 15, I was able to change and save config
-> so I need to be able to configure a password that I can enter initially to get to the firewall> prompt, then pump in an enable password as well
hmm how can i describe this a tad better...
* I telnet to the device
* Password: this prompt is provided (need to configure another password for this stage)
* firewall> if I get a new password that gets me to this stage I'll need to configure another enable password
Is it possible to configure TWO enable passwords??
03-21-2011 04:16 PM
you can create an enable secret for a specified level:
enable secret level <level> <password>
I haven't tested it today but that should allow you to access only your desired level
03-21-2011 04:19 PM
sorry, I was telling you the commands for IOS not for the FW, give me a second to test this out.
03-21-2011 04:21 PM
thanks heaps Paul, really appreciate your help.
03-21-2011 04:21 PM
I think just creating a username and password for privilege 3 is not enough.
You would also need to define what commands are allowed in privilege 3.
To confirm that the privilege level is working, you can run "show curpriv" command.
If it shows that the privilege is 3, it means that it's working correctly. Now you just need to map commands to the privilege level. By default all commands are either privilege 0 or 15.
This is an ASA configuration guide for mapping commands to privilege levels. I think it should be the same on FWSM as well.
03-21-2011 04:26 PM
you are correct, the user can authenticate on any privilege level and still be able to change the config.
Here is how you can create a user and assign a specific level:
username test password test privilege 3
aaa authentication enable console LOCAL
%ASA-6-113012: AAA user authentication Successful : local database : user = test
%ASA-6-113008: AAA transaction status ACCEPT : user = test
%ASA-6-611101: User authentication succeeded: Uname: test
%ASA-6-611101: User authentication succeeded: Uname: test
%ASA-6-605005: Login permitted from 172.16.130.101/58750 to inside:172.16.129.210/ssh for user "test"
%ASA-6-113015: AAA user authentication Rejected : reason = Invalid password : local database : user = test
%ASA-6-611102: User authentication failed: Uname: test
%ASA-6-113012: AAA user authentication Successful : local database : user = test
%ASA-6-113008: AAA transaction status ACCEPT : user = test
%ASA-6-611101: User authentication succeeded: Uname: test
%ASA-5-502103: User priv level changed: Uname: test From: 1 To: 3
%ASA-5-111008: User 'test' executed the 'enable' command.
%ASA-7-111009: User 'test' executed cmd: show uauth
03-21-2011 04:29 PM
sick, thanks Paul.
I'll try that out right now.
I'll let you know how it goes.
thanks again mate
03-21-2011 05:45 PM
I know you are on the FWSM on a 6500. With an ASA using ASDM, you can have ASDM provide all of those privileged commands for you under Configuration>Device Management>Users/AAA->AAA Access>Authorization>Set ASDM Defined User Roles.
The commands should be the same. Here is what it generates which amounts to read-only access to the ASA. Create the user as level 5 then:
privilege cmd level 3 mode exec command perfmon
privilege cmd level 3 mode exec command ping
privilege cmd level 3 mode exec command who
privilege cmd level 3 mode exec command logging
privilege cmd level 3 mode exec command failover
privilege cmd level 3 mode exec command packet-tracer
privilege show level 5 mode exec command import
privilege show level 5 mode exec command running-config
privilege show level 3 mode exec command reload
privilege show level 3 mode exec command mode
privilege show level 3 mode exec command firewall
privilege show level 3 mode exec command asp
privilege show level 3 mode exec command cpu
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command clock
privilege show level 3 mode exec command dns-hosts
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command vlan
privilege show level 3 mode exec command ip
privilege show level 3 mode exec command ipv6
privilege show level 3 mode exec command failover
privilege show level 3 mode exec command asdm
privilege show level 3 mode exec command arp
privilege show level 3 mode exec command route
privilege show level 3 mode exec command ospf
privilege show level 3 mode exec command aaa-server
privilege show level 3 mode exec command aaa
privilege show level 3 mode exec command eigrp
privilege show level 3 mode exec command crypto
privilege show level 3 mode exec command ssh
privilege show level 3 mode exec command vpn-sessiondb
privilege show level 3 mode exec command vpnclient
privilege show level 3 mode exec command vpn
privilege show level 3 mode exec command dhcpd
privilege show level 3 mode exec command blocks
privilege show level 3 mode exec command wccp
privilege show level 3 mode exec command dynamic-filter
privilege show level 3 mode exec command webvpn
privilege show level 3 mode exec command module
privilege show level 3 mode exec command uauth
privilege show level 3 mode exec command compression
privilege show level 3 mode configure command interface
privilege show level 3 mode configure command clock
privilege show level 3 mode configure command access-list
privilege show level 3 mode configure command logging
privilege show level 3 mode configure command ip
privilege show level 3 mode configure command failover
privilege show level 5 mode configure command asdm
privilege show level 3 mode configure command arp
privilege show level 3 mode configure command route
privilege show level 3 mode configure command aaa-server
privilege show level 3 mode configure command aaa
privilege show level 3 mode configure command crypto
privilege show level 3 mode configure command ssh
privilege show level 3 mode configure command dhcpd
privilege show level 5 mode configure command privilege
privilege clear level 3 mode exec command dns-hosts
privilege clear level 3 mode exec command logging
privilege clear level 3 mode exec command arp
privilege clear level 3 mode exec command aaa-server
privilege clear level 3 mode exec command crypto
privilege clear level 3 mode exec command dynamic-filter
privilege cmd level 3 mode configure command failover
privilege clear level 3 mode configure command logging
privilege clear level 3 mode configure command arp
privilege clear level 3 mode configure command crypto
privilege clear level 3 mode configure command aaa-server
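Pulling the pieces of this thread together, below is a complete local-database configuration for a read-only customer account, added here as an example and not taken from any post above. The username, password and the subset of privilege lines are assumptions; trim the command list to what the customer actually needs. The syntax is ASA; the FWSM uses the same commands, but confirm each one exists on your FWSM release before relying on it.

```text
! Added example (not from the thread): read-only account on an ASA/FWSM
! using the local database. Names and passwords are placeholders.
!
! 0. Make sure you have your own privilege-15 account BEFORE enabling
!    command authorization below, or you can lock yourself out.
username admin password <admin-password> privilege 15
!
! 1. Local user pinned to privilege 3.
username ro-cust password <strong-password> privilege 3
!
! 2. Make the initial login prompt ask for username + password instead of
!    the shared telnet/ssh password, and make "enable" check the user's
!    own password so it lands at the user's level (3), not 15.
aaa authentication ssh console LOCAL
aaa authentication telnet console LOCAL
aaa authentication enable console LOCAL
!
! 3. Without this line the privilege table is NOT enforced: anyone who
!    reaches enable mode can run every command. This is the piece most
!    often missed.
aaa authorization command LOCAL
!
! 4. Unlock only what the role needs. Anything not listed keeps its
!    default level (15 for nearly everything), so it is denied.
privilege show level 3 mode exec command interface
privilege show level 3 mode exec command access-list
privilege show level 3 mode exec command logging
privilege show level 3 mode exec command conn
privilege show level 3 mode exec command xlate
privilege show level 3 mode exec command failover
privilege show level 3 mode configure command access-list
privilege cmd level 3 mode exec command ping
!
! Deliberately NOT granted to level 3: "show running-config" (exposes
! keys and hashes), and any "cmd"/"clear" entry that changes state,
! such as "failover" or "clear logging".
!
! Verify from a second session before handing the account over:
!   ssh ro-cust@<fwsm>      -> username/password prompt, lands at firewall>
!   enable                  -> asks for ro-cust's password, not the enable password
!   show curpriv            -> reports privilege level 3
!   configure terminal      -> denied (command authorization failed)
!   show running-config     -> denied
```

Note that `aaa authorization command LOCAL` applies to every local user, including administrators, which is why the privilege-15 account is created first. If the ASDM-generated role from the post above is used instead of the short list here, review its `cmd` and `clear` entries (for example `failover`) before handing the account to a customer who is supposed to be read-only.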