CCNP BCMSN Exam Certification Guide (3rd Edition)
|
5-1. Managing Generic Users
By default, administrative users can authenticate with a firewall by using only a password. After they are authenticated, these users are known by the generic username enable_1. The firewall prompts you for the password in Telnet and SSH sessions, but not in console sessions. On the console, a user is immediately placed at the unprivileged level. With SSH sessions, users are prompted for a username and password. You can use the username pix as the generic username. The following sections present the configuration steps needed to authenticate administrative users based only on a password or on a username and password pair, and to authenticate end users initiating traffic through the firewall. Authenticating and Authorizing Generic Users
Generic user authentication is performed using only passwords. Users are authorized to perform certain actions based on the privilege level that they are permitted to use. Passwords can be defined for the two default privilege levels 0 and 15, as well as other arbitrary levels, using the following configuration steps:
TIP Administrative users can gain access to a specific privilege level by using the enable level command, where level is 0 to 15 (the default is 15).
Accounting of Generic Users
When a firewall is configured to authenticate administrative users with only a password, you can perform user accounting only through the logging function. You should make sure the following Syslog message IDs are enabled to use them as an audit trail of user activity. The default severity levels are shown in parentheses:
It might seem odd that users connecting through the firewall console are not logged with a 611101 authentication message. This is because the console remains logged in to the generic privilege level 1 user at all times. For example, the following output shows the Syslog audit trail for a user who moved into privilege level 15 (enable mode) and made a configuration change. Later, you might need to trace back and see which user made a specific change to the firewall. single_vf : %PIX-7-111009: User 'enable_1' executed cmd: show clock single_vf : %PIX-5-502103: User priv level changed: Uname: enable_15 From: 1 To: 15 single_vf : %PIX-5-111008: User 'enable_1' executed the 'enable' command. single_vf : %PIX-5-111008: User 'enable_15' executed the 'configure terminal' command. single_vf : %PIX-5-111008: User 'enable_15' executed the 'access-list acl_outside permit ip any any' command. single_vf : %PIX-5-611103: User logged out: Uname: enable_1
TIP Although the default generic user authentication is flexible and convenient, it offers little security benefit. For example, users log in by entering the level 1 password only. This means that every user must know and use the same password; there will never be an audit trail showing exactly who logged in. All level 1 users are simply shown as enable_1. The level 15 enable access is similarusers must enter one enable password that is common to all administrators. Those users are simply shown as enable_15. Again, no accurate audit trail shows what user made what configuration change to the firewall. Best practice dictates authenticating users with usernames that uniquely identify them. Each user also has a unique password and can be assigned to a specific privilege level if needed. This can be done in a local (internal) user database or on an external user database server. |
|