Users access the Cisco IDS 4.0 sensor by using user accounts that exist locally on the sensor. These accounts have privilege levels called roles assigned to them to allow minor control of what commands the user can and cannot access.
The Cisco IDS 4.0 supports the use of four different privilege levels (roles). Table 5.8 outlines the different privilege levels.
Privilege | Description |
---|---|
Administrator | Can manage the entire sensor and configure all parts of the device. |
Operator | Can view all settings and data on the sensor but has only limited configuration ability. |
Viewer | Can only view sensor information but has no configuration ability. |
Service | A special account that has access to the OS shell and not the IDS CLI shell. |
The service-level account gives the Cisco Technical Assistance Center (TAC) access to the underlying OS shell rather than the IDS CLI shell. Set this privilege level only when the TAC requests it; otherwise, leave it unused. By default, no service account is configured, and only an administrator can create one. The sensor allows only one service-level account at a time. Creating this account sets the Linux root password to the same value as the service account's password, which is what gives the account access to the OS. When the service-level account is removed, the root user is locked again. Do not modify the OS or its configuration files without the assistance of Cisco TAC; otherwise, you might void your warranty.
The default sensor administrator username is cisco with a password of cisco.
You use the username command to create sensor user accounts. The following displays the command syntax:
```
[no] username username [password password] [privilege privilege]
```
Table 5.9 lists and describes username command options.
Option | Description |
---|---|
no | Allows you to delete a user. |
username | The name of the account that you want to create, between 1 and 32 characters long. The acceptable characters are alphanumerics, underscores (_), and dashes (-). |
password | The password for the account. |
privilege | The level of privilege for the account: administrator, operator, viewer, or service. If you omit this option, viewer is the default. |
There are two different ways to create a user account with the username command. The following example shows the username command without the password option, which prompts you to enter a password and creates the user with the default privilege level of viewer:
```
sensor#config terminal
sensor(config)#username dan
Enter Login Password: *****
Re-enter Login Password: *****
```
The next example creates a user with the password and privilege options:
```
sensor#config terminal
sensor(config)#username phil password 123456 privilege operator
```
The privilege command allows the administrator to change the privilege level of a user account to a higher or lower level. The command syntax follows:
```
privilege user username [administrator | operator | viewer]
```
Table 5.10 lists and describes privilege command options.
Option | Description |
---|---|
username | The name of the user for whom you want to change privilege levels. |
administrator, operator, viewer | The privilege level to assign to the account. |
The following example changes the privilege level of dan to administrator:
```
sensor(config)#privilege user dan administrator
Warning: The privilege change does not apply to current CLI sessions. It will be applied to subsequent logins.
sensor(config)#
```
You can also use the username command to change the user privilege level. The following is the syntax:
```
sensor(config)#username dan privilege administrator
```
The show users command displays the users currently logged in to the sensor. The show users all command displays every user account configured on the sensor, whether logged in or not. This second command is very helpful because, unlike most IOS-based systems, the sensor does not list user accounts when you display the current configuration. The following is the show users command syntax:
```
show users [all]
```
Table 5.11 lists and describes the show users command option.
Option | Description |
---|---|
all | Lists all user accounts configured on the sensor, regardless of login status. This option is not available to users with viewer privilege. |
Listing 5.1 displays the output of the show users command without the all option.
```
sensor#show users
    CLI ID   User      Privilege
    1969     dan       viewer
   *1970     curuser   administrator
    1998     aranza    operator
```
Listing 5.2 displays the output of the show users all command, which lists all currently logged-in users together with every other user configured on the system. Notice that the jack user has parentheses around his name; they indicate that the account is locked. The asterisk next to CLI ID 1970 marks the session of the user who ran the command.
```
sensor#show users all
    CLI ID   User      Privilege
    1969     dan       viewer
   *1970     curuser   administrator
    1998     aranza    operator
             (jack)    viewer
             phil      operator
```
In preparing for the exam, make sure that you can create users, modify user privilege levels, display all configured users, and delete users by using the following commands: username, show users all, privilege, and no username.
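The show users all listing above is the only place the sensor exposes its account inventory, so a defender reviewing many sensors ends up parsing it. The following parser and audit checks are an added example, not code from the book or from Cisco; the sample output is constructed to match the shape of Listing 5.2, and the column widths are assumed.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample in the shape of "show users all" on a Cisco IDS 4.0 sensor:
# CLI ID is blank for users not logged in, parentheses mark a locked account,
# and '*' marks the session that ran the command.
SAMPLE = """\
sensor#show users all
    CLI ID   User      Privilege
    1969     dan       viewer
   *1970     curuser   administrator
    1998     aranza    operator
             (jack)    viewer
             phil      operator
"""

# Username rule from the username command: 1 to 32 alphanumerics, '_' or '-'.
USERNAME_RE = re.compile(r"^[A-Za-z0-9_-]{1,32}$")
ROLES = {"administrator", "operator", "viewer", "service"}
# optional '*', optional CLI ID, optional '(' name ')', then the privilege
LINE_RE = re.compile(r"^\s*(\*?)(\d+)?\s*(\(?)([A-Za-z0-9_-]+)\)?\s+(\w+)\s*$")

@dataclass
class SensorUser:
    name: str
    privilege: str
    cli_id: Optional[int]  # None when the user is not logged in
    current: bool          # True for the session that ran the command
    locked: bool           # True when the name was shown in parentheses

def parse_show_users(text: str) -> List[SensorUser]:
    users = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m or m.group(5) not in ROLES:
            continue  # prompt line, column header, or blank line
        star, cli_id, paren, name, priv = m.groups()
        users.append(SensorUser(name, priv, int(cli_id) if cli_id else None,
                                star == "*", paren == "("))
    return users

def audit(users: List[SensorUser]) -> List[str]:
    """Findings a reviewer would want from the listing: service account present
    (root shell enabled), default 'cisco' admin still present, locked accounts."""
    findings = []
    for u in users:
        if not USERNAME_RE.match(u.name):
            findings.append(f"invalid username {u.name!r}")
        if u.privilege == "service":
            findings.append(f"service account {u.name} present (root shell enabled)")
        if u.name == "cisco" and u.privilege == "administrator":
            findings.append("default 'cisco' administrator account still present")
        if u.locked:
            findings.append(f"account {u.name} is locked")
    return findings
```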
Not all commands can be executed by all privilege levels. Table 5.12 displays the three commands and which privilege levels can execute each one.
Command | Privilege Level |
---|---|
username | Administrator |
privilege | Administrator |
show users [all] | Administrator, Operator, Viewer |
The show users all command is not allowed for a user with the privilege level of viewer. You must be an operator or administrator to use the all option.
This section allows you to practice the commands you just learned. Either write all the commands on paper or use a Cisco IDS 4.0 sensor. The lab displays a list of requirements that you need to fulfill. Listing 5.3 displays one possible solution that you can use to check your results.
Follow these requirements:
```
sensor#config terminal
sensor(config)#username jim password 123456 privilege operator
sensor(config)#exit
sensor#show users all
    CLI ID   User      Privilege
   *1970     curuser   administrator
             jim       operator
sensor#config terminal
sensor(config)#privilege user jim viewer
Warning: The privilege change does not apply to current CLI sessions. It will be applied to subsequent logins.
sensor(config)#exit
sensor#show users all
    CLI ID   User      Privilege
   *1970     curuser   administrator
             jim       viewer
sensor#config terminal
sensor(config)#no username jim
sensor(config)#exit
sensor#show users all
    CLI ID   User      Privilege
   *1970     curuser   administrator
```