_SYS_BIC Privileges Configuration

Hi Guys,
I am trying to READ data from _SYS_BIC schema. But unfortunately, I have this kind of message when I check my authorizations ...
How could I configure my authorizations to READ data ?
Thank you in advance.
Best regards.

Hi Wenjun,
Thank you. It is a bit strange because I followed a training video by Riu Nogueira exactly, step by step, and did the same things that were explained ...
I don't know why I get this kind of message or how to solve it:
Rachid.

Similar Messages

  • OIM 9.1.0.2 provisioning privilege configuration?

    Hi there,
    I've set up an access policy to provision users of a certain employee type/role to an Oracle DB.
    However, (a) when I create said user, no provisioning seems to occur.
    (b) I'd like to adapt the provisioning so that it grants connect privilege and some other privileges to users of this type.
    If I provision the user manually, they are created in my DB fine.
    Any help given gratefully received.
    Go well, Hugh
    Edited by: 2hughg on 09-Feb-2011 05:52

    Which group have you attached to the Access Policy?
    Have you created a membership rule for that group?
    Access Policy always works with a Group. Just give the newly created user membership in the Group that is attached to the Access Policy and see what happens.

  • IOS - local user privileges

    Hi Experts,
    I have a requirement to create multiple users with different levels of permission. The requirement is that a user with low permission can only execute the following commands and no other commands:
    "show interface fastether1/3"
    "show ip ospf neighbor"
    "router ospf"
    What happens is that when I allow something like "show interface", it allows the user all show commands.
    When I allow router ospf with the commands:
    privilege exec level 10 configure terminal
    privilege configure level 10 router ospf
    these commands allow all protocols under the router command.
    Please help me configure this local authorization. I would appreciate it if you could share any comprehensive document specifically on my requirement.
    Thanks in advance
    Yasir

    Anybody please answer my request..
    Thanks

  • Privilege levels on switch

    I am trying to lock down my switches for my junior network engineers and have run into a problem for my sites without Radius/Tacacs.
    I would like to set a privilege level that only allows admins to configure interfaces, ip access list, and show commands.
    With ACS I set the commands I allow per user, but with no ACS it seems I must enter lots of extra lines.
    ie. (on a 3750 c3750-advipservicesk9-mz.122-25.SEE1.bin)
    privilege configure level 5 interface
    privilege exec level 5 configure
    I would expect this to allow me as a level 5 user to go to config mode and then perform any interface command.
    instead:
    SwitchB-3750#sho priv
    Current privilege level is 5
    SwitchB-3750#config t
    ^
    % Invalid input detected at '^' marker.
    SwitchB-3750#config
    Configuring from terminal, memory, or network [terminal]? t
    Enter configuration commands, one per line. End with CNTL/Z.
    SwitchB-3750(config)#interface fa1/0/1
    SwitchB-3750(config-if)#?
    Interface configuration commands:
    default Set a command to its defaults
    exit Exit from interface configuration mode
    help Description of the interactive help system
    no Negate a command or set its defaults
    SwitchB-3750(config-if)#
    If I then enter:
    SwitchB-3750(config)#privilege interface level 5 i
    I can then do anything with an "i"
    SwitchB-3750(config-if)#?
    Interface configuration commands:
    default Set a command to its defaults
    exit Exit from interface configuration mode
    help Description of the interactive help system
    ip Interface Internet Protocol config commands
    no Negate a command or set its defaults
    I want them to be able to do anything. Am I missing a critical part?
    Thank you,
    Brant Hale

    Ok, just to make sure I am 100%
    If I wanted to give a user the ability to
    (config)#interface fa1/0/1
    (config-if)#switchport mode access
    privilege interface level 5 switchport mode access
    privilege configure level 5 interface
    privilege exec level 5 configure
    If I want to give them all the options then I need to do something like this:
    privilege interface level 5 a
    privilege interface level 5 b
    privilege interface level 5 c
    privilege interface level 5 d
    privilege interface level 5 e
    privilege interface level 5 f
    privilege interface level 5 g
    Are there no wildcards? I want to be able to do the following-
    privilege interface level 5 *
    or
    privilege interface all level 5
    No chance?
    Thanks for the reply.

  • Aironet 1600 privilege level for MAC Filtering

    Hi,
    I want to allow a user profile, via the telnet CLI, to configure a new MAC address on the dot11 association mac-list 700.
    I have created user 14 with the following commands:
    enable secret level 14 5 **************
    enable secret 5 **************
    privilege configure level 14 access-list
    privilege exec level 14 write memory
    privilege exec level 14 write
    privilege exec level 14 configure terminal
    privilege exec level 14 configure
    privilege exec level 14 show dot11 associations client
    privilege exec level 14 show dot11 associations
    privilege exec level 14 show dot11
    privilege exec level 14 show access-lists
    privilege exec level 14 show
    Access from login privilege 14
    1602AP16#show privile
    Current privilege level is 14
    1602AP16#show access-l
    Bridge address access list 700
        permit 100b.a965.7384   0000.0000.0000 (2 matches)
        permit 0026.c659.b182   0000.0000.0000
        permit 0019.d2c2.96c0   0000.0000.0000
    OK
    add the new MAC address
    1602AP16(config)#access-list ?                                        
      <1-99>       IP standard access list
      <100-199>    IP extended access list
      <1100-1199>  Extended 48-bit MAC address access list
      <1300-1999>  IP standard access list (expanded range)
      <200-299>    Protocol type-code access list
      <2000-2699>  IP extended access list (expanded range)
      <700-799>    48-bit MAC address access list
    1602AP16(config)#access-list 700 permit 0026.c659.b182   0000.0000.0000
                                                                   ^
    % Invalid input detected at '^' marker.
    I can enter config mode as the level 14 user, but when I add the new MAC address I receive the "Invalid input detected" message.
    What is wrong?
    Is it only permitted at level 15?
    IOS version:
    Cisco IOS Software, C1600 Software (AP1G2-K9W7-M), Version 15.2(2)JB, RELEASE SOFTWARE (fc1)
    Thank you for sharing your comments!
    Patrick

    Hi Patrick,
    Can you try this:
    privilege configure level 14 access-list
    and all others with priv 13.
    privilege exec level 13 write memory
    privilege exec level 13 write
    privilege exec level 13 configure terminal
    privilege exec level 13 configure
    privilege exec level 13 show dot11 associations client
    privilege exec level 13 show dot11 associations
    privilege exec level 13 show dot11
    privilege exec level 13 show access-lists
    privilege exec level 13 show
    and then try to configure it.
    If it still fails then you must use priv 15.
    Regards

  • Custom privilege level for CSM commands

    Is there a way to create a custom privilege level to allow a user access to only CSM config commands while in config mode? I'm trying to allow members of our server/web team to check on the status of the web servers and to take them out of service for maintenance, and not allow them access to change any other configs on the switch.
    Thanks...Jeff

    Here is an example for enable 5
    enable secret level 5
    privilege slb-lam-mode-real level 5 no inservice
    privilege slb-lam-mode-real level 5 inservice
    privilege slb-lam-mode-real level 5 inservice standby
    privilege slb-lam-mode-csm-sfarm level 5 real
    privilege slb-lam-mode-csm-sfarm level 5 real name
    privilege slb-lam-mode-csm level 5 server
    privilege configure level 5 module csm
    privilege exec level 5 conf t
    privilege exec level 5 exit

  • Privilege level - tuning the commands

    This example allows users with level 10 privileges to configure an interface ip address...
    privilege exec level 10 configure terminal
    privilege configure level 10 interface
    privilege interface level 10 ip address
    My question is how to configure users in level 10 to ping ONLY ONE ip address..
    eg
    privilege exec level 10 ping 192.168.11.10
    But it seems that I can ping anyway?
    Router2#sh run | be privilege
    privilege interface level 10 ip address
    privilege interface level 10 ip
    privilege configure level 10 interface
    privilege configure level 10 hostname
    privilege exec level 10 ping !!!!!!!!!!!!!!!!
    privilege exec level 10 configure terminal
    privilege exec level 10 configure
    privilege exec level 10 no
    When I telnet into Router2 with the level 10 password I automatically get to the privileged mode
    and I have the following exec commands...
    Router2>en 10
    Password:
    Router2#?
    Exec commands:
    <1-99> Session number to resume
    access-enable Create a temporary Access-List entry
    access-profile Apply user-profile to interface
    clear Reset functions
    configure Enter configuration mode
    connect Open a terminal connection
    disable Turn off privileged commands
    disconnect Disconnect an existing network connection
    enable Turn on privileged commands
    exit Exit from the EXEC
    help Description of the interactive help system
    lock Lock the terminal
    login Log in as a particular user
    logout Exit from the EXEC
    modemui Start a modem-like user interface
    mrinfo Request neighbor and version information from a multicast
    router
    mstat Show statistics after multiple multicast traceroutes
    mtrace Trace reverse multicast path from destination to source
    name-connection Name an existing network connection
    no Disable debugging functions
    pad Open a X.29 PAD connection
    ping Send echo messages
    ppp Start IETF Point-to-Point Protocol (PPP)
    resume Resume an active network connection
    rlogin Open an rlogin connection
    show Show running system information
    slip Start Serial-line IP (SLIP)
    systat Display information about terminal lines
    tclquit Quit Tool Command Language shell
    telnet Open a telnet connection
    terminal Set terminal line parameters
    tn3270 Open a tn3270 connection
    traceroute Trace route to destination
    tunnel Open a tunnel connection
    udptn Open an udptn connection
    where List active connections
    x28 Become an X.28 PAD
    x3 Set X.3 parameters on PAD
    How can I select only the commands I really want from this list??
    ie how can I allow only one specific ping command?
    Thanks !

    Privilege levels can be configured on the basis of the commands allowed to be executed at that privilege level. It is not possible to restrict the execution of allowed commands based on their parameters. So you cannot make it allow a ping to only one specific IP address and block pings to others. You can use an access list to block ping to other IP addresses; however, the access list will be applicable to all the users at any privilege level.
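
The point made in the reply above, turned into a configuration check (an added example, not part of the original thread): it parses global `privilege` lines from a running-config, flags entries that carry an IP address, since the level follows the command and not its parameters, and lists exec commands delegated below level 15. The sample config is constructed from lines quoted on this page, and the `SENSITIVE_EXEC` list is an assumption to adjust to local policy.

```python
import re
from collections import defaultdict

# Constructed sample config, modelled on the privilege lines quoted in the
# threads on this page (not a capture from a real device).
SAMPLE_CONFIG = """\
privilege interface level 10 ip address
privilege configure level 10 interface
privilege exec level 10 ping 192.168.11.10
privilege exec level 10 configure terminal
privilege exec level 10 configure
privilege exec level 2 show running-config
privilege exec level 5 copy running-config tftp
line vty 0 4
 privilege level 2
"""

# Global form: privilege <mode> level <0-15> <command keywords>
PRIV_RE = re.compile(r"^privilege\s+(\S+)\s+level\s+(\d+)\s+(.+)$")
IPV4_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")

# Assumption: exec commands worth reviewing when delegated below level 15.
# This list is illustrative; adjust it to local policy.
SENSITIVE_EXEC = [
    ("configure",), ("copy",), ("write",), ("clear",),
    ("show", "running-config"), ("show", "startup-config"),
]


def parse_privilege_lines(config_text):
    """Return (mode, level, keywords) for each global 'privilege' command."""
    entries = []
    for raw in config_text.splitlines():
        m = PRIV_RE.match(raw.strip())
        if not m:
            continue  # also skips the per-line 'privilege level N' form
        level = int(m.group(2))
        if 0 <= level <= 15:
            entries.append((m.group(1), level, tuple(m.group(3).split())))
    return entries


def commands_by_level(entries):
    """Group delegated commands as {level: ['mode: command', ...]}."""
    grouped = defaultdict(list)
    for mode, level, words in entries:
        grouped[level].append(f"{mode}: {' '.join(words)}")
    return {level: sorted(cmds) for level, cmds in sorted(grouped.items())}


def findings(entries):
    """Return (kind, mode, level, command) tuples that need a reviewer's eye."""
    out = []
    for mode, level, words in entries:
        command = " ".join(words)
        # An address in a privilege line suggests the author expected the
        # level to apply to one target only; the level follows the command.
        if any(IPV4_RE.match(w) for w in words):
            out.append(("argument-not-enforced", mode, level, command))
        if mode == "exec" and level < 15 and any(
            words[: len(p)] == p for p in SENSITIVE_EXEC
        ):
            out.append(("sensitive-delegation", mode, level, command))
    return out


if __name__ == "__main__":
    parsed = parse_privilege_lines(SAMPLE_CONFIG)
    for level, cmds in commands_by_level(parsed).items():
        print(f"level {level}:")
        for cmd in cmds:
            print(f"  {cmd}")
    for kind, mode, level, command in findings(parsed):
        print(f"[{kind}] {mode} level {level}: {command}")
```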

  • Sub interface privilege level?

    For the life of me, I cannot get my users to be able to create and edit subinterfaces using privilege levels.
    This is my current privilege setup
    privilege ip-vrf level 7 rd
    privilege vpdn-group level 7 description
    privilege interface level 7 pvc
    privilege interface level 7 tunnel mode
    privilege interface level 7 tunnel destination
    privilege interface level 7 tunnel source
    privilege interface level 7 tunnel
    privilege interface level 7 atm-dxi pvc
    privilege interface level 7 atm-dxi
    privilege interface level 7 atm pvc
    privilege interface level 7 atm
    privilege interface level 7 service-policy
    privilege interface level 7 ip access-group
    privilege interface level 7 ip address
    privilege interface level 7 ip vrf forwarding
    privilege interface level 7 ip vrf
    privilege interface level 7 ip
    privilege interface level 7 encapsulation
    privilege interface level 7 description
    privilege configure level 7 ip route
    privilege configure level 7 ip local pool
    privilege configure level 7 ip local
    privilege configure level 7 interface
    privilege configure level 7 policy-map
    privilege configure level 7 ip vrf
    privilege configure level 7 ip
    privilege exec level 7 copy running-config startup-config
    privilege exec level 7 copy running-config
    privilege exec level 7 copy
    privilege exec level 7 telnet
    privilege exec level 7 write memory
    privilege exec level 7 write
    privilege exec level 7 traceroute
    privilege exec level 1 ping atm interface
    privilege exec level 1 ping atm
    privilege exec level 1 ping
    privilege exec level 7 configure terminal
    privilege exec level 7 configure
    privilege exec level 7 show policy-map
    privilege exec level 1 show vpdn session
    privilege exec level 1 show vpdn tunnel
    privilege exec level 1 show vpdn
    privilege exec level 1 show ip route
    privilege exec level 1 show ip
    privilege exec level 1 show users
    privilege exec level 1 show version
    privilege exec level 7 show startup-config
    privilege exec level 1 show running-config
    privilege exec level 1 show
    privilege exec level 7 clear interface
    privilege exec level 7 clear

    That command isn't valid my friend
    XXX-rtr-08(config)#privilege mode ?
    % Unrecognized command
    XXX-rtr-08(config)#privilege mode ^Z ^
    % Invalid input detected at '^' marker.
    XXX-rtr-08#sh ver
    Cisco Internetwork Operating System Software
    IOS (tm) 7200 Software (C7200-JS-M), Version 12.3(6a), RELEASE SOFTWARE (fc4)

  • Configure interface

    Hello,
    does anybody know if it is possible using aaa and privilege level commands to let a user configure a specific interface on a Catalyst 2950 switch (IOS version 12.1(22)EA4)? For example, a FastEthernet interface but not the Giga interface.
    Thanks in advance.
    Maxime Frolov

    Hello,
    I think I can let a user with privilege level 3 configure interfaces if I put the following commands in the config:
    username labo2 privilege 3 secret 5 XXXXXXXXXXX
    privilege configure level 3 interface
    privilege interface level 3 duplex
    privilege interface level 3 speed
    etc..
    The problem is that the user labo2 will be able to configure speed not only on the FastEthernet interfaces but also on the Giga interfaces. Do you know if there is any way to avoid this, or is it just impossible?
    Thanks.
    Maxime

  • CryptAcquireContext failing with ERROR_FILE_NOT_FOUND (2L) when user not logged on Windows 8.1

    I am having a hard time migrating a C++ CryptoAPI-based application that currently runs on Windows Server 2008 to Windows 8.1. The scenario is:
    This application is eventually triggered by WatchDog.exe, which in its turn is triggered when the computer is started by Windows' Task Scheduler.
    Task Scheduler uses the following rules to start the WatchDog.exe:
    A Administrator User Account;
    Run Whether user is logged on or not;
    UNCHECKED: Do not store password. The task will only have access to local resources;
    Run with Highest Privileges;
    Configure for Win 8.1;
    Triggered at system startup.
    The server sits there, nobody logged, until in a given scenario WatchDog.exe starts the application. Application log confirms that the owner of the process (GetUserName)
    is the very same user Task Scheduler used to trigger WatchDog.exe.
    It turns out that this application works fine in Windows Server 2008, but in windows 8.1 a call to CryptAcquireContext fails
    with return code ERROR_FILE_NOT_FOUND (2L). The odd thing is that the application will NOT fail if, when started, the user is physically logged
    on the machine, although it was not the user who started the application manually.
    I took a look at the documentation and
    found:
    "The profile of the user is not loaded and cannot be found. This happens when the application impersonates a user, for example, the IUSR_ComputerName account."
    I had never heard of impersonation, so I did some research and found the APIs LogonUser, ImpersonateLoggedOnUser and RevertToSelf.
    I then updated the application in this way:
    HANDLE hToken;
    if (! LogonUser(L"admin", L".", L"XXXXXXXX", LOGON32_LOGON_BATCH, LOGON32_PROVIDER_DEFAULT, &hToken))
        logger->log (_T("Error logging on."));
    else
        logger->log (PMLOG_LEVEL_TRACE, _T("Logged on."));
    if (! ImpersonateLoggedOnUser(hToken))
        logger->log (_T("Error impersonating."));
    else
        logger->log (_T("Impersonated."));
    err = XXXXXXXXX(); // calls function which will execute CryptAcquireContext
    if (! RevertToSelf())
        logger->log (_T("Error reverting."));
    else
        logger->log (_T("Reverted."));
    Excerpt with the call to CryptAcquireContext:
    // Get the handle to the default provider.
    if (! CryptAcquireContext(&hCryptProv, cryptContainerName, MS_ENHANCED_PROV, PROV_RSA_FULL, 0))
    {
        // Log the Win32 error code (a DWORD, so print it as unsigned) and give up.
        DWORD e = GetLastError();
        _stprintf_s (logMsg, 1000, _T("Error %lu acquiring cryptographic provider."), e);
        cRSALogger->log (logMsg);
        return ERR_CCRYPT_NO_KEY_CONTAINER;
    }
    cRSALogger->log (_T("Cryptographic provider acquired."));
    As the result, I got the log:
    [2015/01/08 20:53:25-TRACE] Logged on.
    [2015/01/08 20:53:25-TRACE] Impersonated.
    [2015/01/08 20:53:26-ERROR] Error 2 acquiring cryptographic provider.
    [2015/01/08 20:53:26-TRACE] Reverted.
    That seems to show that impersonation is working properly, but still I get Error 2 (ERROR_FILE_NOT_FOUND) on CryptAcquireContext.
    Summary:
    On Windows Server 2008, the very same application runs properly even without the calls to LogonUser/Impersonate/Revert.
    On Windows 8.1, the application, with or without the calls to LogonUser/Impersonate/Revert, will only work properly if the user is logged on (which
    is not acceptable).
    Any thoughts where I can run to in order to get this working on windows 8.1?
    Thanks in advance,
    Dan

    There are a couple of issues.
    Based on the parameters being used in CryptAcquireContext(), a profile needs to be loaded and your app has to be running as the same user who created the keyset (which is why it works when a user is logged on to Windows 8.1). Also, impersonation does not load your user profile; you need to call LoadUserProfile(). It seems like you should be using a machine keyset for your scenario if you want to do this when nobody is logged on.
    Take a look at the following KB article for more information.
    https://support.microsoft.com/kb/238187?wa=wsignin1.0
    thanks
    Frank K [MSFT]

  • Workflow Manager and SharePoint Designer publishing error

    Hello all,
    I'm hoping for some help in fixing this issue.
    I've been trying to publish a workflow using SharePoint Designer only to find that I get this error:
    "Errors were found when compiling the workflow. The workflow files were saved but cannot be run."
    After clicking on the advanced button it shows error:
    System.InvalidOperationException: Operation failed with error Microsoft.Workflow.Client.WorkflowCommunicationException: The request was aborted: The request was canceled. Client ActivityId : 6a78ad9c-6ac6-f03a-0680-003bd46e5f68. ---> System.Net.WebException:
    The request was aborted: The request was canceled. ---> Microsoft.SharePoint.SPException: The requested operation requires an HTTPS (SSL) channel. 
    Ensure that the target endpoint address supports SSL and try again. 
    Target endpoint address:
    Note: the message cuts off after the "Target endpoint address".
    Looking on the SharePoint server, when I try and pull up the Workflow Manager site (https://localhost:12290/) I get this response:
    <?xml version="1.0"?>
    xmlns:i="http://www.w3.org/2001/XMLSchema-instance">
    <Code>AuthorizationError</Code><message><Message>The caller does not have the necessary
    permissions required for this operation. Permissions granted: None. Required permissions: ReadScope.</Message></message></Error>
    I am running this farm with HTTPS and I have registered the SP workflow service with the appropriate application. I have also set the Workflow Management Site bindings in IIS to utilize the same certificate as the default SharePoint site.
    At this point, I don't know if the error that I received from Designer is related to the Site error, although I do know that I also have a Development environment that is able to publish workflows just fine. However, this farm uses HTTP rather than HTTPS
    so I can only assume that the differences are what's causing the issue. I would appreciate any help that anyone can offer. Thanks!

    Hi,
    As I understand, you encountered the issue when you published a workflow on SharePoint 2013 workflow platform.
    Did it work well before when using the 2013 workflow platform? If it worked before, did you install any updates or change the configuration of the workflow-related settings?
    If this is the first time after you installed workflow manager 2013, then I’d recommend you try re-registering workflow service per the link below and post the result:
    http://technet.microsoft.com/en-us/library/jj663115(v=office.15).aspx
    http://technet.microsoft.com/en-us/library/jj658588(v=office.15).aspx
    From the message you accessed workflow host uri, please make sure the account to wfsetup and wfservice account are both in wfadmins group.
    http://blogs.msdn.com/b/briangre/archive/2013/02/20/least-privilege-configuration-for-windows-azure-workflow-with-sharepoint-2013.aspx
    Regards,
    Rebecca Tu
    TechNet Community Support

  • Port Forward in Cisco series 800

    Dear Support,
    Below is the configuration of a Cisco Series 800 router that has a VDSL port for internet; the configuration is as below:
    I added three commands.
    What is required in order to make port forwarding work?
    ip nat inside source static tcp  8000 10.10.10.10 8000 dilar 0
    ip nat inside source static tcp 554  10.10.10.10 554 dilar 0
    ip access list extended 100
    permit ip any any
    What is required to make port forwarding to the local IP address 10.10.10.10 work from the outside interface, that is, the VDSL port?
    ! Last configuration change at 10:47:44 KSA Wed Apr 22 2015 by aamalsup
    version 15.2
    no service pad
    service timestamps debug datetime msec
    service timestamps log datetime
    service password-encryption
    hostname AamalNet
    boot-start-marker
    boot-end-marker
    logging buffered 51200 warnings
    enable secret level 2 5 $1$Y4PF$K6TQ5wf0gcHiO5IxvLZba0
    enable secret level 5 5 $1$WZeO$BzTCl0C0e1078CWxExJK0/
    enable secret 5 $1$plq6$P5HVL/tR81cs0GFDrD.0V/
    aaa new-model
    aaa authentication login default local
    aaa authentication login sdm_vpn_xauth_ml_1 local
    aaa authentication login sdm_vpn_xauth_ml_2 local
    aaa authorization exec default local
    aaa authorization network sdm_vpn_group_ml_1 local
    aaa session-id common
    clock timezone KSA 3 0
    crypto pki trustpoint TP-self-signed-1682106276
     enrollment selfsigned
     subject-name cn=IOS-Self-Signed-Certificate-1682106276
     revocation-check none
     rsakeypair TP-self-signed-1682106276
    crypto pki certificate chain TP-self-signed-1682106276
     certificate self-signed 02
          quit
    ip cef
    no ip dhcp use vrf connected
    ip dhcp excluded-address 10.10.10.1
    ip dhcp excluded-address 10.10.11.1
    ip dhcp pool lan
     import all
     network 10.10.10.0 255.255.255.0
     default-router 10.10.10.1
     dns-server 212.93.192.4 212.93.192.5
     lease 0 2
    ip dhcp pool wireless
     import all
     network 10.10.11.0 255.255.255.0
     default-router 10.10.11.1
     dns-server 212.93.192.4 212.93.192.5
     lease 0 2
    no ip domain lookup
    ip domain name aamal.net.sa
    ip name-server 212.93.192.4
    ip name-server 212.93.192.5
    no ipv6 cef
    cwmp agent
     enable download
     enable
     session retry limit 10
     management server password 7 094D4308151612001D05072F
     management server url http://aamalservice.aamal.net.sa:9090
    license udi pid C887VA-W-E-K9 sn FCZ17459018
    archive
     log config
      hidekeys
    username k privilege 15 password 7 020D
    username admin privilege 15 password 7 14161606050A
    controller VDSL 0
    crypto isakmp policy 1
     encr 3des
     authentication pre-share
     group 2
    crypto isakmp client configuration group aamalnet
     key aamalnet
     dns 212.93.192.4 212.93.192.5
     include-local-lan
     dhcp server 10.10.10.1
     max-users 10
     netmask 255.255.255.0
    crypto isakmp profile sdm-ike-profile-1
       match identity group aamalnet
       client authentication list sdm_vpn_xauth_ml_2
       isakmp authorization list sdm_vpn_group_ml_1
       client configuration address respond
       virtual-template 1
    crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
     mode tunnel
    crypto ipsec profile SDM_Profile1
     set security-association idle-time 60
     set transform-set ESP-3DES-SHA
     set isakmp-profile sdm-ike-profile-1
    bridge irb
    interface ATM0
     no ip address
     no atm ilmi-keepalive
    interface ATM0.1 point-to-point
     pvc 0/35
      pppoe-client dial-pool-number 1
    interface Ethernet0
     no ip address
     shutdown
    interface FastEthernet0
     no ip address
    interface FastEthernet1
     no ip address
    interface FastEthernet2
     no ip address
    interface FastEthernet3
     no ip address
    interface Virtual-Template1 type tunnel
     ip unnumbered Dialer0
     tunnel mode ipsec ipv4
     tunnel protection ipsec profile SDM_Profile1
    interface Wlan-GigabitEthernet0
     description Internal switch interface connecting to the embedded AP
     switchport mode trunk
     no ip address
    interface wlan-ap0
     description Embedded Service module interface to manage the embedded AP
     ip unnumbered Vlan1
    interface Vlan1
     description $ETH-SW-LAUNCH$$INTF-INFO-HWIC 4ESW$
     ip address 10.10.10.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
     ip tcp adjust-mss 1452
    interface Vlan2
     no ip address
     bridge-group 2
    interface Dialer0
     ip address negotiated
     ip mtu 1452
     ip nat outside
     ip virtual-reassembly in
     encapsulation ppp
     dialer pool 1
     dialer-group 1
     ppp authentication chap callin
     ppp chap hostname [email protected]
     ppp chap password 7 0007145E2E5A05522E1858
     no cdp enable
    interface BVI2
     ip address 10.10.11.1 255.255.255.0
     ip nat inside
     ip virtual-reassembly in
    ip forward-protocol nd
    ip http server
    ip http access-class 23
    ip http authentication local
    ip http secure-server
    ip http timeout-policy idle 60 life 86400 requests 10000
    ip nat inside source list 1 interface Dialer0 overload
    ip route 0.0.0.0 0.0.0.0 Dialer0
    access-list 1 remark SDM_ACL Category=2
    access-list 1 permit 10.10.10.0 0.0.0.255
    access-list 1 permit 10.10.11.0 0.0.0.255
    access-list 23 permit 212.93.196.0 0.0.0.255
    access-list 23 permit 212.93.192.0 0.0.0.255
    access-list 23 permit 212.93.193.0 0.0.0.255
    access-list 23 permit 10.10.10.0 0.0.0.255
    access-list 23 permit 10.10.11.0 0.0.0.255
    dialer-list 1 protocol ip permit
    no cdp run
    snmp-server community private RW
    snmp-server community public RO
    bridge 1 protocol ieee
    bridge 1 route ip
    bridge 2 protocol ieee
    bridge 2 route ip
    privilege interface level 5 encapsulation
    privilege interface level 5 description
    privilege interface level 5 no encapsulation
    privilege interface level 5 no description
    privilege interface level 5 no
    privilege configure level 5 ip route
    privilege configure level 5 interface
    privilege configure level 5 controller
    privilege configure level 5 ip
    privilege exec level 5 copy running-config tftp
    privilege exec level 5 copy running-config
    privilege exec level 5 copy
    privilege exec level 5 write memory
    privilege exec level 5 write
    privilege exec level 5 configure terminal
    privilege exec level 5 configure
    privilege exec level 5 show processes cpu
    privilege exec level 5 show processes
    privilege exec level 2 show running-config
    privilege exec level 5 show configuration
    privilege exec level 2 show
    privilege exec level 5 clear counters
    privilege exec level 5 clear
    banner exec
    CC
    % Password expiration warning.
    Cisco Router and Security Device Manager (SDM) is installed on this device and
    it provides the default username "cisco" for  one-time use. If you have already
    used the username "cisco" to login to the router and your IOS image supports the
    "one-time" user option, then this username has already expired. You will not be
    able to login to the router with this username after you exit this session.
    It is strongly suggested that you create a new username with a privilege level
    of 15 using the following command.
    username <myuser> privilege 15 secret 0 <mypassword>
    Replace <myuser> and <mypassword> with the username and password you want to
    use.
    banner login
    CC
    ********STC AamalNet Service****************************************
    ********Authorize Access Only. For more Support Call 909************
    line con 0
     privilege level 15
     no modem enable
    line aux 0
    line 2
     no activation-character
     no exec
     transport preferred none
     transport input all
     stopbits 1
    line vty 0 4
     access-class 23 in
     privilege level 2
     transport input telnet ssh
    scheduler max-task-time 5000
    scheduler allocate 20000 1000
    end

    Hello,
    Sure.
    What version are you running?
    Regards,

  • How to protect process model being modified (using Teststand3.1)?

    I'm developing a custom Process model, and don't want it to be modified by others. I know there's a password protection function in Teststand3.5, but it is not available in Teststand3.1. Are there any other methods to prevent my process model being modified by others in Teststand3.1?
    Thanks!
    Jacky

    Protect from whom? Are you using the user manager and are you checking privileges? If you want to protect the process model from other TestStand administrators, I'm not sure what you can do but the default privileges prevent operators and technicians from editing a sequence file or process model and if you can use the user manager to change the Developer profile Privileges>Configure>Edit Process Model to false.

  • Radius Authorization question

    Can you configure Radius authorization to access a router or not?
    I am confused because the Practical Studies book says "Use the local database for authorization instead of RADIUS because is incapable of understanding CLI":
    aaa new-model
    aaa authentication login default group radius
    aaa authorization default local
    Now the Cisco website says you can, after configuring the following:
    Cisco Secure NT RADIUS
    Follow these steps to configure the server. http://www.cisco.com/en/US/tech/tk59/technologies_tech_note09186a008009465c.shtml
    IETF, Service-type (attribute 6) = Nas-Prompt
    In the CiscoRADIUS area, check AV-Pair, and in the rectangular box underneath, enter shell:priv-lvl=7.
    aaa new-model
    aaa authentication login default tacacs+|radius local
    aaa authorization exec tacacs+|radius local
    username backup privilege xxx password xxxx
    radius-server host 171.x.x.x
    radius-server key xxxx
    privilege configure level 7 snmp-server host
    privilege configure level 7 snmp-server enable
    privilege configure level 7 snmp-server
    privilege exec level 7 ping
    privilege exec level 7 configure terminal
    privilege exec level 7 configure

    You can specify the exec privilege level for a certain user on a specific AAA client using RADIUS.
    Based on that, the user can run all the commands that are part of that particular privilege exec level.
    Now if you want to allow only a certain set of commands from a particular privilege exec level, you need to use the tacacs+ protocol
    and enable command authorization sets on your AAA server.
    Check the following links as references on command authorization:
    http://www.cisco.com/en/US/partner/products/ps9911/products_configuration_example09186a0080bc8514.shtml
    http://www.cisco.com/en/US/partner/products/sw/secursw/ps2086/products_configuration_example09186a00808d9138.shtml
    Please make sure to rate correct answers
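
    The rule stated in the answer above (a session assigned a privilege level, for example through the `shell:priv-lvl` AV-pair, can run every command placed at that level or below) can be checked against a saved configuration, as can the default level set on each `line` in the router configuration posted earlier on this page. This is an added example, not code from any poster or from Cisco; the sample configuration is constructed from statements quoted on this page and the function names are hypothetical.

```python
import re

# Constructed sample built from `privilege` and `line` statements quoted on this page.
SAMPLE = """\
privilege configure level 7 snmp-server host
privilege configure level 7 snmp-server
privilege exec level 7 ping
privilege exec level 7 configure terminal
privilege exec level 2 show running-config
line con 0
 privilege level 15
line vty 0 4
 privilege level 2
 transport input telnet ssh
"""
PRIV = re.compile(r"^privilege (\S+) level (\d+) (.+)$")

def parse(config):
    """Return (moved, lines): moved[mode][command] = level, lines[name] = sub-commands."""
    moved, lines, cur = {}, {}, None
    for raw in config.splitlines():
        m = PRIV.match(raw)
        if m:
            moved.setdefault(m.group(1), {})[m.group(3).strip()] = int(m.group(2))
        if raw.startswith("line "):
            cur = raw[5:].strip()
            lines[cur] = []
        elif raw.startswith(" ") and cur is not None:
            lines[cur].append(raw.strip())
        else:
            cur = None  # any other top-level statement closes the line block
    return moved, lines

def reachable(moved, level):
    """Relocated commands a session at `level` may run (its own level and every lower one)."""
    return {mode: sorted(c for c, lvl in cmds.items() if lvl <= level)
            for mode, cmds in moved.items()}

def audit(config):
    """Return (per_line, entry): each line's default level with the relocated exec commands
    it unlocks, and for each level holding `configure` the config commands it reaches."""
    moved, lines = parse(config)
    per_line = {}
    for name, subs in lines.items():
        lvl = next((int(s.split()[2]) for s in subs if s.startswith("privilege level ")), 1)
        per_line[name] = (lvl, reachable(moved, lvl).get("exec", []))
    entry = {lvl: reachable(moved, lvl).get("configure", [])
             for cmd, lvl in moved.get("exec", {}).items() if cmd.startswith("configure")}
    return per_line, entry
```

    `reachable(moved, 7)` lists what a session assigned level 7 gets from the relocated commands; narrowing that to a subset of the level is the case the answer says needs TACACS+ command authorization.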

  • Command authorisation in 8.4 for object network

    Hi guys,
    I just tried to do a quick privilege level setup for a user to limit access to asa. User should be able to add nat's to configuration.
    ASA 8.4 is in question and trying the following does not seem to work:
    privilege configure level 3 command object
    gives me :
    ERROR: specified command 'object' not found in any mode.
    It looks like locally this cannot be done or I am doing something wrong?
    Thnx...

    Hi
    Remember that there is object-group and object network. Can you try to put object network and avoid any confusion on the ASA? Or maybe add both? Or better yet, if he wants to create a NAT, he will need to add the NAT commands inside the object or global configuration mode. Try to narrow it down to the NAT command only.
    Mike.
