Tacacs+ Command Authorization Prerequisites; Configuring Commands On The Tacacs+ Server - Cisco Catalyst 6500 Series Configuration Manual

Catalyst 6500 series switch and cisco 7600 series router firewall services
Configuring Command Authorization
Chapter 12 Configuring AAA
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide, OL-6392-01, page 12-14

When configuring command authorization with a TACACS+ server, do not save your configuration until you are sure it works the way you want. If you get locked out because of a mistake, you can usually recover access by restarting the FWSM. If you still get locked out, see the "Recovering from a Lockout" section on page 12-19.

Be sure that your TACACS+ system is completely stable and reliable. The necessary level of reliability typically requires that you have a fully redundant TACACS+ server system and fully redundant connectivity to the FWSM. For example, in your TACACS+ server pool, include one server connected to interface 1, and another to interface 2. You can also configure local command authorization as a fallback method if the TACACS+ server is unavailable. In this case, you need to configure local users and command privilege levels according to the "Configuring Local Command Authorization" section on page 12-10.

This section includes the following topics:
• TACACS+ Command Authorization Prerequisites, page 12-14
• Configuring Commands on the TACACS+ Server, page 12-14
• Enabling TACACS+ Command Authorization, page 12-17

TACACS+ Command Authorization Prerequisites

Complete the following tasks as part of your command authorization configuration:
• Configure CLI authentication. (See the "Configuring Authentication for CLI Access" section on page 12-8.)
• Configure enable authentication. (See the "Configuring Authentication to Access Privileged Mode" section on page 12-8.)

Configuring Commands on the TACACS+ Server

You can configure commands on a CiscoSecure Access Control Server (ACS) TACACS+ server as a shared profile component, for a group, or for individual users. For third-party TACACS+ servers, see your server documentation for more information about command authorization support.

See the following guidelines for configuring commands on a CiscoSecure ACS TACACS+ server Version 3.1; many of these guidelines also apply to third-party servers:
• The FWSM sends the commands to be authorized as "shell" commands, so configure the commands on the TACACS+ server as shell commands.
Note: The Cisco Secure ACS server might include a command type called "pix-shell." Do not use this type for FWSM command authorization.
• The first word of the command is considered to be the main command. All additional words are considered to be arguments, which need to be preceded by permit or deny.
For example, to allow show aaa, aaa authentication, and aaa authorization command commands, add aaa to the command box, and type permit authentication and permit authorization command in the arguments box. The show aaa command must be listed separately. (See Figure 12-1 and Figure 12-2.)
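The following is an added example, not code from the Cisco guide or from ACS, that models the matching rules just described (first word is the main command, the remaining words form the argument string, each argument rule starts with permit or deny, and show aaa is a separate entry) so that a command set can be checked before it is deployed to the server. It assumes, as a simplification, that a rule's pattern is matched against the whole argument string and that unmatched commands and unmatched arguments are denied unless configured otherwise; the real ACS matching engine is not reproduced here.

```python
# Added example: a simplified evaluator for TACACS+ "shell" command authorization
# rules as the FWSM guide describes them. It is NOT the ACS implementation.
import re
from dataclasses import dataclass, field


@dataclass
class CommandEntry:
    """One shell command entry on the server: its permit/deny argument rules.
    Each rule is (action, pattern); pattern is matched against the argument string."""
    rules: list = field(default_factory=list)
    unmatched_args: str = "deny"   # assumption: deny arguments no rule matches


def build_entry(arg_lines):
    """Parse the lines typed into the arguments box, e.g. 'permit authorization command'."""
    entry = CommandEntry()
    for line in arg_lines:
        action, _, pattern = line.strip().partition(" ")
        if action not in ("permit", "deny"):
            raise ValueError(f"argument rule must start with permit or deny: {line!r}")
        entry.rules.append((action, pattern))
    return entry


def authorize(policy, command_line, unmatched_commands="deny"):
    """Return 'permit' or 'deny' for one command line the FWSM sends for authorization.
    The first word is the main command; everything after it is the argument string."""
    words = command_line.split()
    if not words:
        return "deny"
    main, args = words[0], " ".join(words[1:])
    entry = policy.get(main)
    if entry is None:
        return unmatched_commands          # main command not configured at all
    for action, pattern in entry.rules:    # first matching rule wins
        if re.fullmatch(pattern, args):
            return action
    return entry.unmatched_args


# Constructed policy mirroring the guide's example: 'aaa' with two permit rules,
# and 'show aaa' listed as its own entry under the main command 'show'.
POLICY = {
    "aaa": build_entry(["permit authentication", "permit authorization command"]),
    "show": build_entry(["permit aaa"]),
}

if __name__ == "__main__":
    for cmd in ("aaa authentication", "aaa authorization command", "show aaa",
                "aaa accounting", "show running-config", "configure terminal"):
        print(f"{cmd:28} -> {authorize(POLICY, cmd)}")
```

Running the script shows that only the three command lines the guide lists are permitted; any other argument to aaa or show, and any main command not in the policy, is denied.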
