Chapter 12
Configuring AAA
Figure 12-6 Specifying Abbreviations
•
Enabling TACACS+ Command Authorization
Before you enable TACACS+ command authorization, be sure that you are logged into the FWSM as a
user that is defined on the TACACS+ server, and that you have the necessary command authorization to
continue configuring the FWSM. For example, you should log in as an admin user with all commands
authorized. Otherwise, you could become unintentionally locked out.
To perform command authorization using a TACACS+ server, enter the following command:
FWSM/contexta(config)# aaa authorization command tacacs+_server_group [LOCAL]
You can configure the FWSM to use the local database as a fallback method if the TACACS+ server is
unavailable. To enable fallback, specify the server group name followed by LOCAL (LOCAL is case
sensitive). We recommend that you use the same username and password in the local database as the
TACACS+ server because the FWSM prompt does not give any indication which method is being used.
OL-6392-01
We recommend that you allow the following basic commands for all users:
show checksum
–
show curpriv
–
enable
–
help
–
show history
–
login
–
–
logout
pager
–
show pager
–
clear pager
–
quit
–
show version
–
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide
Configuring Command Authorization
12-17