Configuring Command Authorization; Command Authorization Overview; Configuring Local Command Authorization - Cisco Catalyst 6500 Series Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, OL-6392-01, Chapter 12, Configuring AAA, page 12-10

Configuring Command Authorization

By default when you log in, you can access unprivileged mode, which offers only minimal commands. When you enter the enable command (or the login command when you use the local database), you can access privileged mode and advanced commands, including configuration commands. If you want to control the access to commands, the FWSM lets you configure command authorization, where you can determine which commands are available to a user.

This section includes the following topics:
• Command Authorization Overview
• Configuring Local Command Authorization
• Configuring TACACS+ Command Authorization

Command Authorization Overview

You can use one of two command authorization methods:

• Local database—Configure the command privilege levels on the FWSM. When a local user authenticates with the enable command (or logs in with the login command), the FWSM places that user in the privilege level that is defined by the local database. The user can then access commands at the user's privilege level and below.

  Note: You can use local command authorization without any users in the local database and without CLI or enable authentication. Instead, when you enter the enable command, you enter the system enable password, and the FWSM places you in level 15. You can then create enable passwords for every level, so that when you enter enable n (2 to 15), the FWSM places you in level n. These levels are not used unless you turn on local command authorization (see "Configuring Local Command Authorization" below). (See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more information about enable.)

• TACACS+ server—On the TACACS+ server, configure the commands that a user or group can use after they authenticate for CLI access. Every command that a user enters at the CLI is checked with the TACACS+ server.

Configuring Local Command Authorization

Local command authorization places each user at a privilege level, and each user can enter any command at their privilege level or below. The FWSM lets you assign commands to one of 16 privilege levels (0 to 15). By default, each command is assigned either to privilege level 0 or to privilege level 15.

This section includes the following topics:
• Local Command Authorization Prerequisites
• Default Command Privilege Levels
• Assigning Privilege Levels to Commands and Enabling Authorization
• Viewing Command Privilege Levels
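
The following Python example is added here and is not from the Cisco guide. It audits a saved FWSM configuration for privilege levels that are defined but not enforced, since the levels are not used unless local command authorization is turned on, and lists the explicitly assigned commands each local user can enter at their level or below. The `privilege`, `username`, `enable password` and `aaa authorization command` line syntax and the sample configuration are assumptions based on the FWSM CLI, not text from this page.

```python
import re

# Constructed sample config; line syntax is assumed from the FWSM CLI, not from this page.
SAMPLE = """\
enable password PLACEHOLDER-A
enable password PLACEHOLDER-B level 5
username alice password PLACEHOLDER-C privilege 15
username bob password PLACEHOLDER-D privilege 5
privilege show level 5 command access-list
privilege cmd level 10 command access-list
"""

PRIV = re.compile(r"^privilege\s+(?:(\S+)\s+)?level\s+(\d+)\s+(?:mode\s+\S+\s+)?command\s+(.+)$")
USER = re.compile(r"^username\s+(\S+)\s.*\bprivilege\s+(\d+)\b")
ENABLE = re.compile(r"^enable\s+password\s+\S+(?:.*\blevel\s+(\d+))?")
AUTHZ = re.compile(r"^aaa\s+authorization\s+command\s+\S+")


def audit(config):
    """Parse privilege-related lines and report levels that are defined but not enforced."""
    users, enable_levels, commands, enforced = {}, set(), {}, False
    for line in (raw.strip() for raw in config.splitlines()):
        if m := PRIV.match(line):
            commands[(m.group(1) or "any", m.group(3))] = int(m.group(2))
        elif m := USER.match(line):
            users[m.group(1)] = int(m.group(2))
        elif m := ENABLE.match(line):
            # No "level n" means the system enable password, which maps to level 15.
            enable_levels.add(int(m.group(1) or 15))
        elif AUTHZ.match(line):
            enforced = True
    levels = list(users.values()) + list(commands.values()) + list(enable_levels)
    findings = [f"level {n} is outside 0-15" for n in sorted(set(levels)) if n > 15]
    if not enforced and any(n < 15 for n in levels):
        findings.append("levels below 15 are defined but command authorization is off")
    return {"enforced": enforced, "users": users, "enable_levels": enable_levels,
            "commands": commands, "findings": findings}


def allowed(level, commands):
    """Explicitly assigned commands a user at `level` can enter (own level or below)."""
    return sorted(key for key, cmd_level in commands.items() if cmd_level <= level)


if __name__ == "__main__":
    report = audit(SAMPLE)
    print(report["findings"])
    for name, level in report["users"].items():
        print(name, level, allowed(level, report["commands"]))
```

Commands without a `privilege` line keep their default level (0 or 15) and are not listed by `allowed`.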
