Cisco PIX 500 Series Configuration Manual page 904

Security appliance command line
Configuring AAA for System Administrators
mode {enable | configure}—If a command can be entered in user EXEC/privileged EXEC mode as
well as configuration mode, and the command performs different actions in each mode, you can set
the privilege level for these modes separately:
  enable—Specifies both user EXEC mode and privileged EXEC mode.
  configure—Specifies configuration mode, accessed using the configure terminal command.
command command—The command you are configuring. You can only configure the privilege
level of the main command. For example, you can configure the level of all aaa commands, but not
the level of the aaa authentication command and the aaa authorization command separately.

Step 2  To support administrative user privilege levels from RADIUS, enter the following command:
hostname(config)# aaa authorization exec authentication-server
Without this command, the security appliance only supports privilege levels for local database users and
defaults all other types of users to level 15.
This command also enables management authorization for local, RADIUS, LDAP (mapped), and
TACACS+ users. See the "Limiting User CLI and ASDM Access with Management Authorization"
section on page 40-7 for more information.

Step 3  To enable the use of local command privilege levels, which can be checked against the privilege level of
users in the local database, RADIUS server, or LDAP server (with mapped attributes), enter the
following command:
hostname(config)# aaa authorization command LOCAL
When you set command privilege levels, command authorization does not take place unless you
configure command authorization with this command.

For example, the filter command has the following forms:
  filter (represented by the configure option)
  show running-config filter
  clear configure filter
You can set the privilege level separately for each form, or set the same privilege level for all forms by
omitting this option. For example, set each form separately as follows.
hostname(config)# privilege show level 5 command filter
hostname(config)# privilege clear level 10 command filter
hostname(config)# privilege cmd level 10 command filter
Alternatively, you can set all filter commands to the same level:
hostname(config)# privilege level 5 command filter
The show privilege command separates the forms in the display.

The following example shows the use of the mode keyword. The enable command must be entered from
user EXEC mode, while the enable password command, which is accessible in configuration mode,
requires the highest privilege level.
hostname(config)# privilege cmd level 0 mode enable command enable
hostname(config)# privilege cmd level 15 mode cmd command enable
hostname(config)# privilege show level 15 mode cmd command enable
This example shows an additional command, the configure command, that uses the mode keyword:
hostname(config)# privilege show level 5 mode cmd command configure

Cisco Security Appliance Command Line Configuration Guide
Chapter 40  Managing System Access
OL-12172-03
40-12
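As an added example that is not part of the Cisco guide: a Python audit of a constructed running-config excerpt that parses privilege lines (including the all-forms and mode variants described above), lists which command forms a user at a given level may run, and flags the case this section warns about, privilege levels configured without aaa authorization command LOCAL. The sample config and function names are constructed for illustration.

```python
import re
from typing import Dict, List, Tuple

# Constructed running-config excerpt (not taken from the guide); it mirrors the
# privilege command forms the section describes.
SAMPLE_CONFIG = """\
hostname pix
privilege show level 5 command filter
privilege clear level 10 command filter
privilege cmd level 10 command filter
privilege level 3 command logging
privilege cmd level 0 mode enable command enable
privilege cmd level 15 mode cmd command enable
privilege show level 15 mode cmd command enable
aaa authentication enable console LOCAL
"""

# privilege [show|clear|cmd] level N [mode enable|configure|cmd] command CMD
PRIV_RE = re.compile(
    r"^privilege(?:\s+(?P<form>show|clear|cmd))?\s+level\s+(?P<level>\d+)"
    r"(?:\s+mode\s+(?P<mode>enable|configure|cmd))?\s+command\s+(?P<cmd>\S+)\s*$"
)

def parse_privileges(config: str) -> Dict[Tuple[str, str, str], int]:
    """Map (command, form, mode) -> level. Omitting the form keyword sets the
    same level for all three forms, so that syntax expands to show/clear/cmd."""
    levels: Dict[Tuple[str, str, str], int] = {}
    for line in config.splitlines():
        m = PRIV_RE.match(line.strip())
        if not m:
            continue
        forms = [m["form"]] if m["form"] else ["show", "clear", "cmd"]
        mode = m["mode"] or "any"
        for form in forms:
            levels[(m["cmd"], form, mode)] = int(m["level"])
    return levels

def command_authorization_enabled(config: str) -> bool:
    """Privilege levels only take effect once command authorization is on."""
    return any(re.match(r"^aaa authorization command\s+\S+", l.strip())
               for l in config.splitlines())

def audit(config: str, user_level: int) -> Tuple[List[str], List[str]]:
    """Return (allowed command forms for user_level, audit findings)."""
    levels = parse_privileges(config)
    allowed = sorted(f"{cmd} [{form}/{mode}]"
                     for (cmd, form, mode), lvl in levels.items() if lvl <= user_level)
    findings = []
    if levels and not command_authorization_enabled(config):
        findings.append("privilege levels set but command authorization is off: "
                        "add 'aaa authorization command LOCAL'")
    return allowed, findings
```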