26 July 2012

ASA Hardening

Only when you enable command authorization do you get the option of manually assigning privilege levels to individual commands or groups of commands.

---

To configure privilege access levels for Cisco ASA commands, there are four steps involved, as follows:


1. Enable command authorization (LOCAL in this case means: keep the command authorization configuration on the firewall itself):

aaa authorization command LOCAL

2. Define the commands you want to allow at a certain level. For example, these commands let a user at privilege level 5 view and clear crypto tunnels:

privilege show level 5 command crypto
privilege clear level 5 command crypto

3. Create a user and assign the privilege level to her/him:

username userName password userPass privilege 5

4. Create an enable password for the new privilege level:

enable password enablePass level 5

Now, when the user logs in, she/he can type:

enable 5

Enter the password from step 4, and they will be able to run the above crypto commands.

---
To add a user to the security appliance database, enter the username command in global configuration mode. To remove a user, use the no version of this command with the username you want to remove. To remove all usernames, use the no version of this command without appending a username.

username name {nopassword | password password [mschap | encrypted | nt-encrypted]} [privilege priv_level]

This privilege level is used with command authorization.

no username name

---

In general, you can also use this simpler form of the username command for a basic config:

username name password password privilege level


e.g. (level 15 allows full EXEC mode access, as well as all ASDM features):


username sachingarg password HC!@%$#@! privilege 15


The default privilege level is 2.


Please remember, as I said above, that access levels (1-15) aren't relevant unless you enable command authorization:


aaa authorization command LOCAL

---

Viewing Command Privilege Levels


The following commands let you view privilege levels for commands.

• To show all commands, enter the following command:

hostname(config)# show running-config all privilege all


• To show commands for a specific level, enter the following command:

hostname(config)# show running-config privilege level level


The level is an integer between 0 and 15.

• To show the level of a specific command, enter the following command:

hostname(config)# show running-config privilege command command


For example, for the show running-config all privilege all command, the system displays the current assignment of each CLI command to a privilege level. The following is sample output from the command.

hostname(config)# show running-config all privilege all
privilege show level 15 command aaa
privilege clear level 15 command aaa
privilege configure level 15 command aaa
privilege show level 15 command aaa-server
privilege clear level 15 command aaa-server
privilege configure level 15 command aaa-server
privilege show level 15 command access-group
privilege clear level 15 command access-group
privilege configure level 15 command access-group
privilege show level 15 command access-list
privilege clear level 15 command access-list
privilege configure level 15 command access-list
privilege show level 15 command activation-key
privilege configure level 15 command activation-key
....
The following command displays the command assignments for privilege level 10:

hostname(config)# show running-config privilege level 10
privilege show level 10 command aaa


The following command displays the command assignment for the access-list command:

hostname(config)# show running-config privilege command access-list
privilege show level 15 command access-list
privilege clear level 15 command access-list
privilege configure level 15 command access-list


ciscoasa5520# show run all username
ciscoasa5520# show run all privilege | grep pwd
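The four-step procedure above and the show running-config privilege output it produces can be audited offline. The following Python script is an added example, not code from the original post or from Cisco: it parses the privilege, username and aaa authorization lines out of a running-config dump, works out which commands each local user can reach at their level (a user at level N may run any command assigned to level N or lower), and flags two conditions a reviewer would want to see: command authorization not enabled at all (in which case the per-command levels are not enforced, as the post stresses), and configure-mode commands reachable by a user below level 15. The sample config embedded in the script is constructed for the example; it reuses the step-2 crypto lines and the username lines from the post and adds a deliberately weak "privilege configure level 10 command username" line so that the audit has something to report.

```python
import re

# Lines of an ASA running-config that matter for local command authorization.
# Syntax follows the post: "privilege <show|clear|configure|cmd> level <n> command <cmd>",
# "username <name> {nopassword | password <pw> [mschap|encrypted|nt-encrypted]} [privilege <n>]",
# and "aaa authorization command <server>".
PRIV_RE = re.compile(
    r"^privilege\s+(?P<mode>show|clear|configure|cmd)\s+level\s+(?P<level>\d+)"
    r"(?:\s+mode\s+\S+)?\s+command\s+(?P<cmd>\S+)$"
)
USER_RE = re.compile(
    r"^username\s+(?P<name>\S+)\s+"
    r"(?:nopassword|password\s+\S+(?:\s+(?:mschap|encrypted|nt-encrypted))?)"
    r"(?:\s+privilege\s+(?P<level>\d+))?$"
)
AAA_RE = re.compile(r"^aaa\s+authorization\s+command\s+(?P<server>\S+)")

DEFAULT_USER_LEVEL = 2   # default privilege of a local username, as stated in the post
MAX_LEVEL = 15

# Constructed sample config (not a real device dump): the post's step-2 and username
# lines plus one intentionally weak assignment that hands "configure username" to level 10.
SAMPLE_CONFIG = """\
hostname ciscoasa5520
aaa authorization command LOCAL
privilege show level 5 command crypto
privilege clear level 5 command crypto
privilege show level 15 command aaa
privilege clear level 15 command aaa
privilege configure level 15 command aaa
privilege configure level 10 command username
username userName password userPass privilege 5
username sachingarg password HC!@%$#@! privilege 15
username guest password guestPass
username operator password opPass privilege 10
enable password enablePass level 5
"""


def parse_config(text):
    """Extract privilege assignments, local users and the command-authorization server."""
    privs = []            # (mode, level, command)
    users = {}            # username -> privilege level (default applied when absent)
    authz_server = None   # e.g. "LOCAL"; None when command authorization is not enabled
    for raw in text.splitlines():
        line = raw.strip()
        if (m := PRIV_RE.match(line)):
            privs.append((m["mode"], int(m["level"]), m["cmd"]))
        elif (m := USER_RE.match(line)):
            users[m["name"]] = int(m["level"]) if m["level"] else DEFAULT_USER_LEVEL
        elif (m := AAA_RE.match(line)):
            authz_server = m["server"]
    return {"privs": privs, "users": users, "authz_server": authz_server}


def commands_for_level(privs, level):
    """Commands reachable at `level`: every assignment whose level is <= the user's level."""
    return sorted({(mode, cmd) for mode, lvl, cmd in privs if lvl <= level})


def audit(text):
    """Return (effective command access per user, list of findings) for one config dump."""
    cfg = parse_config(text)
    access = {name: commands_for_level(cfg["privs"], lvl) for name, lvl in cfg["users"].items()}
    findings = []
    if cfg["authz_server"] is None:
        findings.append("no 'aaa authorization command' line: per-command privilege levels are not enforced")
    for name, lvl in cfg["users"].items():
        if lvl >= MAX_LEVEL:
            continue  # full-access accounts are expected to reach everything
        for mode, cmd in access[name]:
            if mode == "configure":
                findings.append(f"user {name} (level {lvl}) can 'configure {cmd}' below level {MAX_LEVEL}")
    return access, findings


if __name__ == "__main__":
    access, findings = audit(SAMPLE_CONFIG)
    for name, cmds in access.items():
        print(name, "->", ", ".join(f"{m} {c}" for m, c in cmds) or "(no commands)")
    for f in findings:
        print("FINDING:", f)
```

Run it against the output of "show running-config all privilege all" and "show run all username" pasted into a file instead of SAMPLE_CONFIG to see what each local account can really do; the interesting cases are accounts that can run configure-mode commands without holding level 15, and devices where the aaa authorization line is missing so that every privilege line is decorative.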

---

Kindly find some useful references in this regard as follows:
username CLI syntax
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/uz.html#wp1568449


Additional reference for aaa authorization command
http://www.cisco.com/en/US/docs/security/asa/asa80/command/reference/a1.html#wp1537175

For ASDM:
http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/user/guide/devaccss.html

Managing System Access (best for beginners)
http://www.cisco.com/en/US/docs/security/asa/asa72/configuration/guide/mgaccess.html#wp1042040

You can configure privilege levels on the ASA through the AAA configuration.  Take a look at:
http://www.cisco.com/en/US/docs/security/asa/asa72/asdm52/user/guide/devaccss.html

For a master collection of Cisco ASA config example links, kindly refer to the following URL:

And seek more examples in the section for Authentication, Authorization and Accounting (AAA):

Please keep in touch for any further query in this regard. Please rate if you find the above-mentioned information of any use to you.

HTH

Sachin Garg

Message was edited by: sachinga.hcl