Firewall
Privilege Levels
Use the configuration mode privilege command to set user-defined privilege levels for
specified PIX Firewall commands. This command is modeled after the Cisco IOS
privilege command feature, and its structure makes it easy to set different
privilege levels for related configure, show, and clear commands.
When both a command and a user have privilege levels set, the two are compared to
determine whether the user can execute that command: if the user's privilege level
is lower than the command's privilege level, the user is prevented from running it.
Use the no form of the command to remove the privilege declaration. The syntax is
Pix(config)# privilege [show | clear | configure] level level [mode {enable | configure}] command command
Pix(config)# no privilege [show | clear | configure] level level [mode {enable | configure}] command command
Any aaa authentication and aaa
authorization commands must be updated to include any new privilege levels
before they can be used with the AAA server configuration.
Use the show curpriv command to display the current privilege level for a user, and
show privilege [all | command command | level level] to display the privileges for a
command or set of commands.
The following output shows the creation of a user admin7 assigned to privilege
level 7, followed by a series of privilege commands that make five show commands
available at privilege level 7.
Pix(config)# username admin7 password cisCo7 privilege 7
Pix(config)# show username
username admin7 password zs7H.SH1jCsgkxKA encrypted privilege 7
Pix(config)# privilege show level 7 command ip
Pix(config)# privilege show level 7 command interface
Pix(config)# privilege show level 7 command nat
Pix(config)# privilege show level 7 command xlate
Pix(config)# privilege show level 7 command global
The following output shows the result of logging in as admin7, the show curpriv
command reporting the current privilege level, and an attempt to run two commands
that were not declared for privilege level 7. Note that immediately after login
admin7 runs at level 1 and only receives level 7 after issuing enable; show username
and reload keep their default, higher privilege level, so command authorization
fails for both. P_UNPR indicates user (unprivileged) mode; P_PRIV indicates that
the enable command has been issued.
Pix# exit
Logoff
Username: admin7
Password: ******
Type help or '?' for a list of available commands.
Pix> show curpriv
Username : admin7
Current privilege level : 1
Current Mode/s : P_UNPR
Pix> en
Password: ******
Pix# show curpriv
Username : admin7
Current privilege level : 7
Current Mode/s : P_PRIV
Pix# show username
Command authorization failed
Pix# reload
Command authorization failed
Pix#
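The comparison rule described above (user level versus declared command level, with separate show, clear and configure tables and an optional mode qualifier) can be checked offline against a configuration before anyone logs in. The following is an added example, not code from the book or from Cisco: it parses the username and privilege lines shown above and reproduces the transcript's decisions for admin7. It assumes that an undeclared command requires level 15, that a user runs at level 1 until enable is issued (as the transcript shows), that a mode-qualified declaration takes precedence over an unqualified one, and it seeds a small constructed baseline so that show curpriv and enable work before enable, as they do in the transcript.

```python
"""Offline audit model of PIX 'privilege' command authorization.

Added example, not code from the book or from Cisco. It parses
'username ... privilege N' and 'privilege ... command' lines of a PIX
configuration and applies the rule in the text: a command is allowed only
if the user's current privilege level is at least the command's level.
"""
import re
from dataclasses import dataclass, field

# Assumption: a command with no 'privilege' declaration requires level 15,
# which is why 'show username' and 'reload' fail for admin7 at level 7.
DEFAULT_COMMAND_LEVEL = 15

# Assumption (constructed baseline): commands the transcript shows working
# before 'enable'. Key is (variant, command, mode); mode None = any mode.
BASELINE_LEVELS = {
    ("show", "curpriv", None): 0,
    ("configure", "enable", None): 0,
    ("configure", "exit", None): 0,
}

PRIV_RE = re.compile(
    r"^(?P<no>no\s+)?privilege\s+(?P<variant>show|clear|configure)"
    r"\s+level\s+(?P<level>\d+)(?:\s+mode\s+(?P<mode>enable|configure))?"
    r"\s+command\s+(?P<cmd>\S+)$"
)
USER_RE = re.compile(
    r"^username\s+(?P<name>\S+)\s+password\s+\S+(?:\s+encrypted)?"
    r"\s+privilege\s+(?P<level>\d+)$"
)

# Constructed from the configuration lines shown on this page.
SAMPLE_CONFIG = """
username admin7 password zs7H.SH1jCsgkxKA encrypted privilege 7
privilege show level 7 command ip
privilege show level 7 command interface
privilege show level 7 command nat
privilege show level 7 command xlate
privilege show level 7 command global
"""


@dataclass
class PrivilegeTable:
    users: dict = field(default_factory=dict)          # username -> level
    commands: dict = field(default_factory=lambda: dict(BASELINE_LEVELS))

    def load(self, config: str) -> None:
        """Apply username/privilege lines in order; 'no privilege' removes one."""
        for raw in config.splitlines():
            line = raw.strip()
            m = PRIV_RE.match(line)
            if m:
                key = (m["variant"], m["cmd"], m["mode"])
                if m["no"]:
                    self.commands.pop(key, None)
                else:
                    self.commands[key] = int(m["level"])
                continue
            m = USER_RE.match(line)
            if m:
                self.users[m["name"]] = int(m["level"])

    def required_level(self, command_line: str, mode: str = "enable") -> int:
        """Level needed to run command_line in the given mode.

        'show X' and 'clear X' are looked up in the show/clear tables; any
        other line is a configure command keyed by its first word. A
        mode-qualified declaration wins over an unqualified one (assumption).
        """
        words = command_line.split()
        if words[0] in ("show", "clear") and len(words) > 1:
            variant, cmd = words[0], words[1]
        else:
            variant, cmd = "configure", words[0]
        for key in ((variant, cmd, mode), (variant, cmd, None)):
            if key in self.commands:
                return self.commands[key]
        return DEFAULT_COMMAND_LEVEL

    def effective_level(self, user: str, enabled: bool) -> int:
        """Per the transcript, a user is level 1 (P_UNPR) until 'enable' is issued."""
        return self.users[user] if enabled else 1

    def authorize(self, user: str, command_line: str,
                  enabled: bool = True, mode: str = "enable") -> bool:
        return self.effective_level(user, enabled) >= self.required_level(command_line, mode)


def audit(table: PrivilegeTable, user: str, command_lines,
          enabled: bool = True, mode: str = "enable") -> dict:
    """Map each command line to the decision a session as `user` would get."""
    return {c: table.authorize(user, c, enabled, mode) for c in command_lines}


if __name__ == "__main__":
    table = PrivilegeTable()
    table.load(SAMPLE_CONFIG)
    for cmd, ok in audit(table, "admin7", ["show ip address", "show username", "reload"]).items():
        print(f"{cmd:18} {'ok' if ok else 'Command authorization failed'}")
```

Running the script lists the same outcome the transcript shows: show ip address is permitted at level 7, while show username and reload are refused because nothing lowered their level. Feeding a complete running configuration into load and auditing each username against the commands you care about (reload, write, clear xlate) is a quick way to catch a privilege declaration that hands an operator more than intended.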
Configuring Cisco Secure ACS for Windows
Understanding the process of configuring Cisco Secure ACS
for Windows is an exam objective, and this topic was covered in Chapters 4 and 8. Review that
material, and, if possible, get a little hands-on experience configuring an ACS
server.