Section 5-1. Managing Generic Users | CCNP BCMSN Exam Certification Guide (3rd Edition)

5-1. Managing Generic Users

By default, administrative users can authenticate with a firewall by using only a password. After they are authenticated, these users are known by the generic username enable_1.

The firewall prompts you for the password in Telnet and SSH sessions, but not in console sessions. On the console, a user is immediately placed at the unprivileged level.

With SSH sessions, users are prompted for a username and password. You can use the username pix as the generic username.

The following sections present the configuration steps needed to authenticate administrative users based only on a password or on a username and password pair, and to authenticate end users initiating traffic through the firewall.

Authenticating and Authorizing Generic Users

Generic user authentication is performed using only passwords. Users are authorized to perform certain actions based on the privilege level that they are permitted to use. Passwords can be defined for the two default privilege levels 0 and 15, as well as other arbitrary levels, using the following configuration steps:

Set the unprivileged mode password:

FWSM 2.x	`Firewall(config)# {password` \| `passwd}` `password` `[encrypted]`
PIX 6.x	`Firewall(config)# {password` \| `passwd}` `password` `[encrypted]`
PIX 7.x	`Firewall(config)#` `passwd` `password` `[encrypted]`

The generic user at privilege level 0 can be authenticated by entering the password string password. After the command is entered, the password string is encrypted whenever the configuration is displayed. This is denoted by the encrypted keyword.

You can also transfer this command to another firewall by copying and pasting. As long as the encrypted keyword is retained, the new firewall can use the same encrypted password.

TIP

You can use the following commands to reset the level 0 password to the default value cisco:

FWSM 2.x	`Firewall(config)#` `clear` `{password` \| `passwd}`
PIX 6.x	`Firewall(config)#` `clear` `{password` \| `passwd}`
PIX 7.x	`Firewall(config)#` `clear configure passwd`

Set a privileged-mode password:

FWSM 2.x	`Firewall(config)#` `enable password` `[pw] [level` `priv_level] [encrypted]`
PIX 6.x	`Firewall(config)#` `enable password` `[pw] [level` `priv_level] [encrypted]`
PIX 7.x	`Firewall(config)#` `enable password` `[pw] [level` `priv_level] [encrypted]`

The password for privilege level priv_level is set to the string pw. If the level keyword is omitted, the password for enable mode or privilege level 15 is assumed.

You can use this command to define a new unique privilege level to support a subset of administrative users. Specify the priv_level as a level between 0 and 15.

If you need to reset the privilege level password to its default value (no password), use the enable password configuration command with no pw string given.

TIP

Administrative users can gain access to a specific privilege level by using the enable level command, where level is 0 to 15 (the default is 15).

Accounting of Generic Users

When a firewall is configured to authenticate administrative users with only a password, you can perform user accounting only through the logging function. You should make sure the following Syslog message IDs are enabled to use them as an audit trail of user activity. The default severity levels are shown in parentheses:

611101 (6) Successful user authentication
611102 (6) Failed user authentication
111008 (5) User executed the command text
111009 (6) User executed the command show text
611103 (5) User logged out
502103 (5) User changed privilege levels

It might seem odd that users connecting through the firewall console are not logged with a 611101 authentication message. This is because the console remains logged in to the generic privilege level 1 user at all times.

For example, the following output shows the Syslog audit trail for a user who moved into privilege level 15 (enable mode) and made a configuration change. Later, you might need to trace back and see which user made a specific change to the firewall.

 single_vf : %PIX-7-111009: User 'enable_1' executed cmd: show clock single_vf : %PIX-5-502103: User priv level changed: Uname: enable_15 From: 1 To:   15 single_vf : %PIX-5-111008: User 'enable_1' executed the 'enable' command. single_vf : %PIX-5-111008: User 'enable_15' executed the 'configure terminal'   command. single_vf : %PIX-5-111008: User 'enable_15' executed the 'access-list acl_outside   permit ip any any' command. single_vf : %PIX-5-611103: User logged out: Uname: enable_1

TIP

Although the default generic user authentication is flexible and convenient, it offers little security benefit. For example, users log in by entering the level 1 password only. This means that every user must know and use the same password; there will never be an audit trail showing exactly who logged in. All level 1 users are simply shown as enable_1.

The level 15 enable access is similarusers must enter one enable password that is common to all administrators. Those users are simply shown as enable_15. Again, no accurate audit trail shows what user made what configuration change to the firewall.

Best practice dictates authenticating users with usernames that uniquely identify them. Each user also has a unique password and can be assigned to a specific privilege level if needed. This can be done in a local (internal) user database or on an external user database server.