Configuring Command Authorization - Cisco PIX 500 Series Configuration Manual

Chapter 40      Managing System Access
Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, page 40-8

Configuring AAA for System Administrators

This command also enables support of administrative user privilege levels from RADIUS, which can be used in conjunction with local command privilege levels for command authorization. See the "Configuring Local Command Authorization" section on page 40-10 for more information.

Step 2  To configure the user for management authorization, see the following requirements for each AAA server type or local user:

- RADIUS or LDAP (mapped) users—Configure the Service-Type attribute for one of the following values. (To map LDAP attributes, see the "LDAP Attribute Mapping" section on page 13-14.)
  - admin—Allows full access to any services specified by the aaa authentication console commands.
  - nas-prompt—Allows access to the CLI when you configure the aaa authentication {telnet | ssh} console command, but denies ASDM configuration access if you configure the aaa authentication http console command. ASDM monitoring access is allowed. If you configure enable authentication with the aaa authentication enable console command, the user cannot access privileged EXEC mode using the enable command.
  - remote-access—Denies management access. The user cannot use any services specified by the aaa authentication console commands (excluding the serial keyword; serial access is allowed).
- TACACS+ users—Authorization is requested with "service=shell" and the server responds with PASS or FAIL.
  - PASS, privilege level 1—Allows full access to any services specified by the aaa authentication console commands.
  - PASS, privilege level 2 and higher—Allows access to the CLI when you configure the aaa authentication {telnet | ssh} console command, but denies ASDM configuration access if you configure the aaa authentication http console command. ASDM monitoring access is allowed. If you configure enable authentication with the aaa authentication enable console command, the user cannot access privileged EXEC mode using the enable command.
  - FAIL—Denies management access. The user cannot use any services specified by the aaa authentication console commands (excluding the serial keyword; serial access is allowed).
- Local users—Set the service-type command. See the "Configuring the Local Database" section on page 13-7. By default, the service-type is admin, which allows full access to any services specified by the aaa authentication console commands.

Configuring Command Authorization

If you want to control access to commands, the security appliance lets you configure command authorization, where you can determine which commands are available to a user. By default, when you log in, you can access user EXEC mode, which offers only minimal commands. When you enter the enable command (or the login command when you use the local database), you can access privileged EXEC mode and advanced commands, including configuration commands.

This section includes the following topics:
- Command Authorization Overview, page 40-9
- Configuring Local Command Authorization, page 40-10
- Configuring TACACS+ Command Authorization, page 40-13
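As an added illustration of the management authorization requirements in Step 2 above (a constructed configuration fragment, not taken from the guide), the following ties the pieces together: management authentication against a TACACS+ server with local fallback, exec authorization so that the server's privilege level or a local user's service-type governs management access, and local accounts showing each service-type value. The server name, address, shared secret and usernames are placeholders, and the fragment assumes a software release that supports the aaa authorization exec authentication-server command.

```text
! Constructed example, not from the guide. Server name, address, key and usernames are placeholders.
aaa-server TACACS-MGMT protocol tacacs+
aaa-server TACACS-MGMT (inside) host 10.0.0.10
 key <tacacs-shared-secret>

! Management authentication for SSH, enable and ASDM/HTTP.
! LOCAL is the fallback method if the TACACS+ server is unreachable.
aaa authentication ssh console TACACS-MGMT LOCAL
aaa authentication enable console TACACS-MGMT LOCAL
aaa authentication http console TACACS-MGMT LOCAL

! Management authorization: TACACS+ users are authorized with service=shell and
! their privilege level (1 = full access, 2 and higher = CLI and ASDM monitoring only);
! local users are authorized against their service-type.
aaa authorization exec authentication-server

! Local fallback accounts, one per service-type value.

! Full management access. service-type admin is the default; shown here for clarity.
username netadmin password <password> privilege 15
username netadmin attributes
 service-type admin

! Read-only operator: may log in over SSH and use ASDM monitoring, but is denied ASDM
! configuration access and, because enable authentication is configured above, cannot
! reach privileged EXEC mode with the enable command.
username noc-ro password <password> privilege 1
username noc-ro attributes
 service-type nas-prompt

! Remote-access user: may not use any management service (serial console excepted).
username vpnuser password <password>
username vpnuser attributes
 service-type remote-access
```

Because LOCAL is listed as a fallback, the local accounts' service-type values decide management access whenever the TACACS+ server cannot be reached, so they should be no more permissive than the server's policy.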