Move 6: Configuring Read-Only Web Administrators on USG2000/USG5000 Series

Latest reply: Oct 8, 2016 08:56:11

Key Configurations

The device supports hierarchical management of CLI and administrator levels.

- Command level: 0 to 15. By default, commands are assigned to four levels: 0 (visit level), 1 (monitoring level), 2 (configuration level), and 3 (management level). Level-0 and level-1 commands include ping, tracert, and display commands. Level-2 and level-3 commands are service configuration commands.

- Administrator level: 0 to 15

Two mechanisms are available for USG2000/USG5000 V300R001:

- After logging in, administrators can use only the commands whose level is equal to or lower than their administrator level. For example, a level-2 administrator can use only level-0, level-1, and level-2 commands.

- Only level-3 and higher-level administrators can log in to the web UI.

Because of the two mechanisms, you may encounter the following problems when you configure read-only web administrators:

- If the administrator level is set to 1, the administrator can only view configurations, meeting the read-only requirement. However, because the administrator level is lower than 3, the administrator is not allowed to log in to the web UI.

- If the administrator level is set to 3, the administrator can log in to the web UI, but can also run all configuration commands, which does not meet the read-only requirement.

How can this problem be resolved?

The device provides the command-privilege level rearrange command for changing command levels in a batch. After you run this command, the levels of all commands change based on the following rules:

- Level-0 and level-1 commands keep their levels.

- Level-2 commands are elevated to level 10.

- Level-3 commands are elevated to level 15.

After command levels are changed in a batch, set the administrator level to a value between 3 and 10. Then the administrator can run visit-level and monitoring-level commands but cannot run configuration-level or management-level commands, meeting the read-only requirement. Because the administrator level is higher than or equal to 3, the administrator can log in to the web UI.

Configuration Example

1. Set a password for elevating the administrator level to level 15.

[sysname] super password level 15 cipher Admin@123

2. Elevate the administrator level of the current administrator to level 15.

<sysname> super 15
Password:  Admin@123
Warning: Now user privilege is level 15, and only those commands whose level is equal to or lower than this level can be used.
Privilege note: 0-VISIT, 1-MONITOR, 2-SYSTEM, 3-MANAGE

3. Elevate command levels in a batch.

[sysname] command-privilege level rearrange
The Command levels have been upgraded in batch !

4. Configure a read-only web administrator.

[sysname] aaa
[sysname-aaa] local-user readonlyadmin password cipher Admin@123
[sysname-aaa] local-user readonlyadmin service-type web
[sysname-aaa] local-user readonlyadmin level 3

After the configuration is complete, log in to the web UI as the read-only administrator. You can browse the configuration nodes, but any attempt to deliver a configuration change is rejected with an error. In this way, a read-only web administrator is configured.
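The following script is an added example, not part of the original post or of Huawei's software: it models the two privilege rules stated above (an administrator may run commands at or below their own level; only level 3 and higher may log in to the web UI) together with the batch rule of "command-privilege level rearrange", and enumerates which administrator levels actually yield a read-only web administrator. The command names and their default levels are constructed sample entries. By the page's own rule the model also shows that an administrator at exactly level 10 reaches the rearranged configuration commands, so the level chosen in step 4 should stay below 10.

```python
# Model of the USG2000/USG5000 V300R001 privilege rules described in the post.
# Constructed sample commands mapped to their DEFAULT command level:
# 0 = visit, 1 = monitoring, 2 = configuration, 3 = management.
DEFAULT_COMMAND_LEVELS = {
    "ping": 0,
    "tracert": 0,
    "display current-configuration": 1,
    "interface": 2,
    "ip route-static": 2,
    "aaa": 3,
    "super password": 3,
}

WEB_LOGIN_MIN_LEVEL = 3  # only level-3 and higher administrators may use the web UI


def rearrange(levels):
    """Batch rule of 'command-privilege level rearrange':
    level 0/1 unchanged, level 2 -> 10, level 3 -> 15."""
    mapping = {0: 0, 1: 1, 2: 10, 3: 15}
    return {cmd: mapping[lvl] for cmd, lvl in levels.items()}


def allowed_commands(levels, admin_level):
    """An administrator may run every command whose level is <= their own level."""
    return sorted(cmd for cmd, lvl in levels.items() if lvl <= admin_level)


def can_login_web(admin_level):
    return admin_level >= WEB_LOGIN_MIN_LEVEL


def is_read_only_web_admin(levels, admin_level):
    """Read-only web administrator: web login is possible AND no command that is
    configuration- or management-level by default (class 2 or 3) is reachable."""
    if not can_login_web(admin_level):
        return False
    return all(DEFAULT_COMMAND_LEVELS[cmd] < 2
               for cmd in allowed_commands(levels, admin_level))


def read_only_levels(levels):
    """All administrator levels 0..15 that give a read-only web administrator
    under the given command-level table."""
    return [lvl for lvl in range(16) if is_read_only_web_admin(levels, lvl)]


if __name__ == "__main__":
    print("before rearrange:", read_only_levels(DEFAULT_COMMAND_LEVELS))
    print("after rearrange: ", read_only_levels(rearrange(DEFAULT_COMMAND_LEVELS)))
```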


user_2790689
Created Oct 8, 2016 08:56:11 Helpful(0)

thank you