Sensor User Accounts

Users access the Cisco IDS 4.0 sensor through user accounts that exist locally on the sensor. Each account is assigned a privilege level, called a role, which controls which commands the user can and cannot run.

The Cisco IDS 4.0 supports the use of four different privilege levels (roles). Table 5.8 outlines the different privilege levels.

Table 5.8. Privilege Levels (Roles)

Privilege        Description
Administrator    Can manage the entire sensor and configure all parts of the device.
Operator         Can view all settings and data on the sensor but has only limited configuration ability.
Viewer           Can only view sensor information; has no configuration ability.
Service          A special account that has access to the OS shell rather than the IDS CLI shell.


The service-level account gives the Cisco Technical Assistance Center (TAC) access to the underlying OS shell rather than the IDS CLI shell. Create it only when TAC asks for it; otherwise leave it unconfigured. By default no service account exists, only an administrator can create one, and the sensor allows only one service-level account at a time. Creating the account sets the Linux root password to the service account's password, which is what gives the account OS access; when the service-level account is removed, the root user is locked. Do not modify the OS or its configuration files without Cisco TAC's assistance; doing so can void your warranty.

Alert: The default sensor administrator username is cisco, with a password of cisco. Change this password before the sensor goes into service.


username Command

You use the username command to create sensor user accounts. The following displays the command syntax:


    [no] username username [password password] [privilege privilege]

Table 5.9 lists and describes username command options.

Table 5.9. username Command Options

Option      Description
no          Deletes the named user.
username    The name of the account to create, 1 to 32 characters long. Acceptable characters are alphanumerics, underscores (_), and dashes (-).
password    The password for the account. If omitted, the sensor prompts for it.
privilege   The privilege level for the account: administrator, operator, viewer, or service. If omitted, the account is created at the viewer level.


There are two ways to create a user account with the username command. The following example uses the username command without the password option; the sensor prompts for a password and creates the user with the default privilege level of viewer:

    sensor#config terminal
    sensor(config)#username dan
    Enter Login Password: *****
    Re-enter Login Password: *****

The next example creates a user with the password and privilege options:


    sensor#config terminal
    sensor(config)#username phil password 123456 privilege operator

privilege Command

The privilege command lets an administrator raise or lower the privilege level of an existing user account. The command syntax follows:

    privilege user username [administrator | operator | viewer]

Table 5.10 lists and describes privilege command options.

Table 5.10. privilege Command Options

Option                              Description
username                            The name of the user whose privilege level you want to change.
administrator | operator | viewer   The privilege level to assign to the account.


The following example changes the privilege level of dan to administrator. Note the warning: the change does not affect CLI sessions that are already open, so a user whose privileges were lowered keeps the old level until the next login:

    sensor(config)#privilege user dan administrator
    Warning: The privilege change does not apply to current CLI sessions. It will be applied to subsequent logins.
    sensor(config)#

Note: You can also use the username command to change a user's privilege level. The following is the syntax:

    sensor(config)#username dan privilege administrator


show users Command

The show users command displays the users currently logged in to the sensor. The show users all command displays every user account configured on the sensor, whether logged in or not. The all option is especially useful because, unlike most IOS-based systems, the sensor does not list user accounts in its running configuration. The following is the show users command syntax:


    show users [all]

Table 5.11 lists and describes the show users command option.

Table 5.11. show users Command Option

Option   Description
all      Lists all user accounts configured on the sensor, regardless of login status. This option is not available to users with the viewer privilege level.


Listing 5.1 displays the output of the show users command without the all option.

Listing 5.1. Example of show users Command

    sensor#show users
    CLI ID   User      Privilege
    1969     dan       viewer
    *1970    curuser   administrator
    1998     aranza    operator

Listing 5.2 displays the output of the show users all command that displays all currently logged-in users and all users within the system. Notice that the jack user has parentheses around his name. They indicate that he is locked out of the system. The asterisk next to 1970 indicates the current user logged in.

Listing 5.2. Example of show users all Command

    sensor#show users all
    CLI ID   User      Privilege
    1969     dan       viewer
    *1970    curuser   administrator
    1998     aranza    operator
             (jack)    viewer
             phil      operator
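Because the sensor does not list accounts in its running configuration, show users all is the only place to audit who can log in and at what level. The following is an added example, not code from the book or from Cisco: it parses show users all output in the column layout of Listings 5.1 and 5.2 (asterisk for the current session, parentheses for a locked account, empty CLI ID for users who are not logged in), flags conditions a reviewer would want to see (the default cisco administrator account still present, a service-level account present, locked accounts), and builds username commands that enforce the Table 5.9 name and role rules before anything is typed into the sensor. The sample output, the account names cisco and tacuser, and the audit policy are constructed assumptions of this example.

```python
"""Parse and audit Cisco IDS 4.0 'show users all' output and build 'username' lines.

Added example, not from the book or from Cisco. The sample output below is
constructed to follow the column layout of Listings 5.1 and 5.2; the audit
policy is this example's own, not something the sensor enforces.
"""
import re
from dataclasses import dataclass
from typing import List, Optional

# Roles from Table 5.8; username character and length rules from Table 5.9.
VALID_ROLES = {"administrator", "operator", "viewer", "service"}
USERNAME_RE = re.compile(r"[A-Za-z0-9_-]{1,32}")

# Constructed sample: Listing 5.2 plus the default administrator account and an
# assumed service-level account ('tacuser'), so every audit check fires once.
SAMPLE_SHOW_USERS_ALL = """\
sensor#show users all
CLI ID   User      Privilege
1969     dan       viewer
*1970    curuser   administrator
1998     aranza    operator
         (jack)    viewer
         phil      operator
         cisco     administrator
         tacuser   service
"""


@dataclass
class Account:
    name: str
    privilege: str
    cli_id: Optional[int] = None   # None when the user has no open CLI session
    current_session: bool = False  # marked with '*' in the CLI ID column
    locked: bool = False           # shown as (name) in the User column


def parse_show_users_all(text: str) -> List[Account]:
    """Turn the text of 'show users all' into Account records."""
    accounts = []
    for line in text.splitlines():
        fields = line.split()
        # Skip blank lines, the echoed prompt and the column header.
        if not fields or "#" in fields[0] or fields[0] == "CLI":
            continue
        if len(fields) == 3:               # logged-in user: id, name, role
            raw_id, name, role = fields
            current = raw_id.startswith("*")
            cli_id = int(raw_id.lstrip("*"))
        elif len(fields) == 2:             # configured but not logged in
            name, role = fields
            current, cli_id = False, None
        else:
            raise ValueError(f"unrecognised show users line: {line!r}")
        if role not in VALID_ROLES:
            raise ValueError(f"unknown privilege {role!r} for {name}")
        locked = name.startswith("(") and name.endswith(")")
        accounts.append(Account(name.strip("()"), role, cli_id, current, locked))
    return accounts


def audit(accounts: List[Account]) -> List[str]:
    """Return one finding per account condition worth a second look."""
    findings = []
    for acct in accounts:
        if acct.name == "cisco" and acct.privilege == "administrator":
            findings.append("default administrator account 'cisco' is still present")
        if acct.privilege == "service":
            findings.append(f"service-level account '{acct.name}' exists, so the "
                            "root OS shell is reachable; remove it unless TAC needs it")
        if acct.locked:
            findings.append(f"account '{acct.name}' is locked")
    return findings


def username_command(name: str, privilege: str = "viewer",
                     password: Optional[str] = None) -> str:
    """Build a 'username' line, rejecting names and roles Table 5.9 disallows."""
    if not USERNAME_RE.fullmatch(name):
        raise ValueError(f"invalid username {name!r}: 1-32 chars of [A-Za-z0-9_-]")
    if privilege not in VALID_ROLES:
        raise ValueError(f"invalid privilege {privilege!r}")
    parts = ["username", name]
    if password is not None:
        parts += ["password", password]
    parts += ["privilege", privilege]
    return " ".join(parts)


if __name__ == "__main__":
    for finding in audit(parse_show_users_all(SAMPLE_SHOW_USERS_ALL)):
        print("FINDING:", finding)
    print(username_command("phil", "operator", password="123456"))
```

Run it against real output by pasting the result of show users all in place of the constructed sample; the parser rejects any line it cannot classify rather than silently skipping an account, and username_command raises before a name with a space or an unknown role reaches the sensor.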

Exam Alert: In preparing for the exam, make sure that you can create users, modify user privilege levels, display all configured users, and delete users by using the following commands: username, show users all, privilege, and no username.


Commands and the Privilege Levels Required

Not all commands can be executed by all privilege levels. Table 5.12 displays the three commands and which privilege levels can execute each one.

Table 5.12. Privilege Level Required

Command             Privilege Level
username            Administrator
privilege           Administrator
show users [all]    Administrator, Operator, Viewer


Note: The show users all command is not available to a user with the viewer privilege level. You must be an operator or administrator to use the all option.


User Account Lab

This section allows you to practice the commands you just learned. Either write all the commands on paper or use a Cisco IDS 4.0 sensor. The lab displays a list of requirements that you need to fulfill. Listing 5.3 displays one possible solution that you can use to check your results.

Follow these requirements:

  1. Create a user named jim with the password 123456 and a privilege level of operator.

  2. Show all users configured on the sensor.

  3. Change jim's privilege level to viewer.

  4. Show all users configured on the sensor.

  5. Delete jim's account.

  6. Show all users configured on the sensor.

Listing 5.3. Lab Solution
    sensor#config terminal
    sensor(config)#username jim password 123456 privilege operator
    sensor(config)#exit
    sensor#show users all
    CLI ID   User      Privilege
    *1970    curuser   administrator
             jim       operator
    sensor#config terminal
    sensor(config)#privilege user jim viewer
    Warning: The privilege change does not apply to current CLI sessions. It will be applied to subsequent logins.
    sensor(config)#exit
    sensor#show users all
    CLI ID   User      Privilege
    *1970    curuser   administrator
             jim       viewer
    sensor#config terminal
    sensor(config)#no username jim
    sensor(config)#exit
    sensor#show users all
    CLI ID   User      Privilege
    *1970    curuser   administrator



Source: CSIDS Exam Cram 2 (Exam 642-531), 2004, 213 pages.