Example: Configuring Administrative Roles
This example shows how to configure separate administrative roles, each with a unique set of privileges that is distinct from every other administrative role.
Requirements
No special configuration beyond device initialization is required before configuring this feature.
Overview
This example configures four users:
- audit-officer, in the audit-admin class
- crypto-officer, in the crypto-admin class
- security-officer, in the security-admin class
- ids-officer, in the ids-admin class
Once the security-admin class is configured, the privilege to create administrators is revoked from the user who created the security-admin class. From then on, the creation of new users and logins is at the discretion of the security-officer.
In this example, you create the audit-admin, crypto-admin, security-admin, and ids-admin classes with the permission flags relevant to each role. You then allow or deny access to configuration statements and commands by name for each administrative role. These specific restrictions take precedence over the permission flags that are also configured in the class. For example, only the crypto-admin can run the request system set-encryption-key command, which requires the security permission flag for access. Only the security-admin can include the system time-zone statement in the configuration, which requires the system-control permission flag.
Configuration
CLI Quick Configuration
To quickly configure this example, copy the following commands, paste them into a text file, remove any line breaks, change any details necessary to match your network configuration, copy and paste the commands into the CLI at the [edit] hierarchy level, and then enter commit from configuration mode.
Step-by-Step Procedure
The following example requires you to navigate various levels in the configuration hierarchy. For information about navigating the CLI, see Using the CLI Editor in Configuration Mode.
To configure users in administrative roles:
- Create the audit-admin login class.

  [edit]
  user@host# set system login class audit-admin
  [edit system login class audit-admin]
  user@host# set permissions security
  user@host# set permissions trace
  user@host# set permissions maintenance

- Configure the audit-admin login class restrictions.

  [edit system login class audit-admin]
  user@host# set allow-commands "^clear (log|security log)"
  user@host# set deny-commands "^clear (security alarms|system login lockout)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell"
  user@host# set security-role audit-administrator
- Create the crypto-admin login class.

  [edit]
  user@host# set system login class crypto-admin
  [edit system login class crypto-admin]
  user@host# set permissions admin-control
  user@host# set permissions configure
  user@host# set permissions maintenance
  user@host# set permissions security-control
  user@host# set permissions system-control
  user@host# set permissions trace

- Configure the crypto-admin login class restrictions.

  [edit system login class crypto-admin]
  user@host# set allow-commands "^request system set-encryption-key"
  user@host# set deny-commands "^clear (log|security alarms|security log|system login lockout)|^file (copy|delete|rename)|^rollback|^set date|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell"
  user@host# set allow-configuration-regexps "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "system fips self-test after-key-generation"
  user@host# set security-role crypto-administrator
- Create the security-admin login class.

  [edit]
  user@host# set system login class security-admin
  [edit system login class security-admin]
  user@host# set permissions all

- Configure the security-admin login class restrictions.

  [edit system login class security-admin]
  user@host# set deny-commands "^clear (log|security log)|^(clear|show) security alarms alarm-type idp|^request (security|system set-encryption-key)|^rollback|^start shell"
  user@host# set deny-configuration-regexps "security alarms potential-violation idp" "security (ike|ipsec) (policy|proposal)" "security ipsec ^vpn$ .* manual (authentication|encryption|protocol|spi)" "security log cache" "security log exclude .* event-id IDP_.*" "system fips self-test after-key-generation"
  user@host# set security-role security-administrator
- Create the ids-admin login class.

  [edit]
  user@host# set system login class ids-admin
  [edit system login class ids-admin]
  user@host# set permissions configure
  user@host# set permissions maintenance
  user@host# set permissions security-control
  user@host# set permissions trace

- Configure the ids-admin login class restrictions.

  [edit system login class ids-admin]
  user@host# set allow-configuration-regexps "security alarms potential-violation idp" "security log exclude .* event-id IDP_.*"
  user@host# set deny-commands "^clear log|^(clear|show) security alarms (alarm-id|all|newer-than|older-than|process|severity)|^(clear|show) security alarms alarm-type (authentication|cryptographic-self-test|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)|^file (copy|delete|rename)|^request (security|system set-encryption-key)|^rollback|^set date|^show security (dynamic-policies|match-policies|policies)|^start shell"
  user@host# set deny-configuration-regexps "security alarms potential-violation (authentication|cryptographic-self-test|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)"
  user@host# set security-role ids-administrator
- Assign the users to their roles.

  [edit]
  user@host# set system login
  [edit system login]
  user@host# set user audit-officer class audit-admin
  user@host# set user crypto-officer class crypto-admin
  user@host# set user security-officer class security-admin
  user@host# set user ids-officer class ids-admin

- Configure passwords for the users.

  [edit system login]
  user@host# set user audit-officer authentication plain-text-password
  user@host# set user crypto-officer authentication plain-text-password
  user@host# set user security-officer authentication plain-text-password
  user@host# set user ids-officer authentication plain-text-password
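Before committing, it is worth checking that the allow-commands and deny-commands regexps above really give each role the exclusive access the overview describes (only crypto-admin runs request system set-encryption-key, only ids-admin handles IDP alarms, nobody starts a shell). The following Python script is an added check, not part of this example's configuration or of Junos OS: it copies the four classes' command regexps and reports which classes are left able to run a candidate command. It assumes allow-commands is evaluated before deny-commands and wins when both match, and that the regexp is searched against the command line rather than anchored, which is why the patterns above all begin with ^. Permission flags and the configuration regexps are not modelled, so a result of 'permissions' means the decision falls through to the class's permission flags.

```python
import re

# Command-authorization regexps copied from the four login classes configured
# in the procedure above.  None means the class has no such statement.
CLASSES = {
    "audit-admin": {
        "allow": r"^clear (log|security log)",
        "deny": (r"^clear (security alarms|system login lockout)|^file (copy|delete|rename)"
                 r"|^request (security|system set-encryption-key)|^rollback|^set date"
                 r"|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell"),
    },
    "crypto-admin": {
        "allow": r"^request system set-encryption-key",
        "deny": (r"^clear (log|security alarms|security log|system login lockout)"
                 r"|^file (copy|delete|rename)|^rollback|^set date"
                 r"|^show security (alarms|dynamic-policies|match-policies|policies)|^start shell"),
    },
    "security-admin": {
        "allow": None,
        "deny": (r"^clear (log|security log)|^(clear|show) security alarms alarm-type idp"
                 r"|^request (security|system set-encryption-key)|^rollback|^start shell"),
    },
    "ids-admin": {
        "allow": None,
        "deny": (r"^clear log"
                 r"|^(clear|show) security alarms (alarm-id|all|newer-than|older-than|process|severity)"
                 r"|^(clear|show) security alarms alarm-type (authentication|cryptographic-self-test"
                 r"|decryption-failures|encryption-failures|ike-phase1-failures|ike-phase2-failures"
                 r"|key-generation-self-test|non-cryptographic-self-test|policy|replay-attacks)"
                 r"|^file (copy|delete|rename)|^request (security|system set-encryption-key)"
                 r"|^rollback|^set date|^show security (dynamic-policies|match-policies|policies)"
                 r"|^start shell"),
    },
}


def decide(login_class, command):
    """Return 'allow', 'deny' or 'permissions' for one command under one class.

    Assumption (not verified against the device): allow-commands is checked
    first and wins when both regexps match; re.search mirrors the unanchored
    matching that the explicit ^ in the page's patterns is there to constrain.
    """
    rules = CLASSES[login_class]
    if rules["allow"] and re.search(rules["allow"], command):
        return "allow"
    if rules["deny"] and re.search(rules["deny"], command):
        return "deny"
    return "permissions"


def who_can_run(command):
    """Classes for which the command is not blocked by deny-commands."""
    return [cls for cls in CLASSES if decide(cls, command) != "deny"]


def exclusive_to(command, login_class):
    """True when login_class is the only class not denied the command."""
    return who_can_run(command) == [login_class]


if __name__ == "__main__":
    # Constructed sample commands covering the separation of duties the overview describes.
    samples = [
        "request system set-encryption-key",   # crypto-admin only
        "clear log messages",                  # audit-admin only
        "clear security alarms alarm-type idp", # ids-admin only
        "show security policies",              # security-admin only
        "start shell",                         # nobody
    ]
    for cmd in samples:
        print(f"{cmd!r:42} -> {who_can_run(cmd) or 'nobody'}")
```

Run it as-is to print the table, or import it and call who_can_run on the commands your own audit cares about; any command that comes back with more than one class (or with an unexpected class) points at a gap in the corresponding deny-commands regexp that should be closed before commit.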
Results
From configuration mode, confirm your configuration by entering the show system command. If the output does not display the intended configuration, repeat the instructions in this example to correct the configuration.
If you are done configuring the device, enter commit from configuration mode.
Verification
Confirm that the configuration is working properly.
Verifying Login Privileges
Purpose
Verify the login privileges of the current user.
Action
From operational mode, enter the show cli authorization command.
user@host> show cli authorization
Current user: 'example' class 'super-user'
Permissions:
    admin        -- Can view user accounts
    admin-control-- Can modify user accounts
    clear        -- Can clear learned network info
    configure    -- Can enter configuration mode
    control      -- Can modify any config
    edit         -- Can edit full files
    field        -- Can use field debug commands
    floppy       -- Can read and write the floppy
    interface    -- Can view interface configuration
    interface-control-- Can modify interface configuration
    network      -- Can access the network
    reset        -- Can reset/restart interfaces and daemons
    routing      -- Can view routing configuration
    routing-control-- Can modify routing configuration
    shell        -- Can start a local shell
    snmp         -- Can view SNMP configuration
    snmp-control-- Can modify SNMP configuration
    system       -- Can view system configuration
    system-control-- Can modify system configuration
    trace        -- Can view trace file settings
    trace-control-- Can modify trace file settings
    view         -- Can view current values and statistics
    maintenance  -- Can become the super-user
    firewall     -- Can view firewall configuration
    firewall-control-- Can modify firewall configuration
    secret       -- Can view secret statements
    secret-control-- Can modify secret statements
    rollback     -- Can rollback to previous configurations
    security     -- Can view security configuration
    security-control-- Can modify security configuration
    access       -- Can view access configuration
    access-control-- Can modify access configuration
    view-configuration-- Can view all configuration (not including secrets)
    flow-tap     -- Can view flow-tap configuration
    flow-tap-control-- Can modify flow-tap configuration
    idp-profiler-operation-- Can Profiler data
    pgcp-session-mirroring-- Can view pgcp session mirroring configuration
    pgcp-session-mirroring-control-- Can modify pgcp session mirroring configuration
    storage      -- Can view fibre channel storage protocol configuration
    storage-control-- Can modify fibre channel storage protocol configuration
    all-control  -- Can modify any configuration
Individual command authorization:
    Allow regular expression: none
    Deny regular expression: none
    Allow configuration regular expression: none
    Deny configuration regular expression: none
This output summarizes the login privileges of the current user: the permission flags granted by the class, followed by the allow and deny regexps for commands and configuration statements (none, in this case, because the example user is in the super-user class).