Re: [fw-wiz] ASA 8.0(4) -- Privilege Level to Create Users

From: "Christopher J. Wargaski" <wargo1@xxxxxxxxx>
Date: Fri, 16 Jan 2009 10:18:44 -0600

Hey Todd--

Yes, there is. However, by giving the permission to someone to add/modify
users, they can modify their own privilege level. So this is sort of a
security through obscurity thing.

Try this:

privilege cmd level 5 mode exec command configure
privilege show level 5 mode configure command username
privilege cmd level 5 mode configure command configure
privilege cmd level 5 mode configure command username
privilege clear level 5 mode configure command username
privilege clear level 5 mode configure command configure

username jradmin password my-pass privilege 5

On Fri, Jan 16, 2009 at 8:35 AM, Todd Simons <tsimons@xxxxxxxxxxxxxxx>wrote:

Hello All

We have an ASA hosting connections for our Avaya VPN enabled IP phones. I
need to give access to a junior admin to create local user accounts on the
ASA. Is there a privilege level, or a custom level that I can build to
allow these commands to be entered by the jr admin without giving him access
to the whole ASA config:

username <username> password <password>

username <username> attributes

vpn-group-policy <GrpPolicyName>

service-type remote-access

Thanks,

~Todd

_______________________________________________
firewall-wizards mailing list
firewall-wizards@xxxxxxxxxxxxxxxxxxxxx
https://listserv.icsalabs.com/mailman/listinfo/firewall-wizards

Follow-Ups:
- Re: [fw-wiz] ASA 8.0(4) -- Privilege Level to Create Users
  - From: Todd Simons

References:
- [fw-wiz] ASA 8.0(4) -- Privilege Level to Create Users
  - From: Todd Simons

Prev by Date: Re: [fw-wiz] Cisco ASA firewall: SQLnet inspection: buffer limit
Next by Date: [fw-wiz] Interface Errors on a Cisco ASA 5520
Previous by thread: [fw-wiz] ASA 8.0(4) -- Privilege Level to Create Users
Next by thread: Re: [fw-wiz] ASA 8.0(4) -- Privilege Level to Create Users
Index(es):
- Date
- Thread

Relevant Pages

Vpn site to site + vpn cisco client access list problem.
... fixup protocol dns maximum-length 512 ... crypto map vpnmap 9 match address 80 ... username admin password Vs.JwYvvku50bpmp encrypted privilege 15 ... privilege show level 0 command version ...
(comp.dcom.sys.cisco)
Pix 506E Access problem
... I have to use the console; I can't SSH ... I'm just running command line so that's all I need. ... fixup protocol dns maximum-length 512 ... privilege show level 0 command version ...
(comp.dcom.sys.cisco)
PIX 501 config question
... Interface: 212.130.214.10 ... Result of firewall command: "write term" ... no fixup protocol dns ... encrypted privilege 3 ...
(comp.security.firewalls)
Re: [fw-wiz] ASA 8.0(4) -- Privilege Level to Create Users
... they can modify their own privilege level. ... privilege show level 5 mode configure command username ... I need to give access to a junior admin to create local user accounts on ...
(Firewall-Wizards)
Re: Processing Ideas Needed:
... a selection can be added to a page to submit this command ... I don't want to give the user CMKRNL to be able to ... possession of a separate rights identifier guarding the ability to ... this is to use rights identifiers to extend the concept of privilege ...
(comp.os.vms)