Cisco ASA 5505 Configuration Manual page 685

Chapter 32 Configuring Management Access
Configuring AAA for System Administrators

• Service-Type 7 (NAS prompt)—Allows access to the CLI when you configure the Telnet or SSH authentication options, but denies ASDM configuration access if you configure the HTTP option. ASDM monitoring access is allowed. If you configure enable authentication with the Enable option, the user cannot access privileged EXEC mode using the enable command.
• Service-Type 5 (Outbound)—Denies management access. The user cannot use any services specified by the Authentication tab options (excluding the Serial option; serial access is allowed). Remote-access (IPSec and SSL) users can still authenticate and terminate their remote-access sessions.
• TACACS+ users—Authorization is requested with "service=shell", and the server responds with PASS or FAIL.
  – PASS, privilege level 1—Allows full access to any services specified by the Authentication tab options.
  – PASS, privilege level 2 and higher—Allows access to the CLI when you configure the Telnet or SSH authentication options, but denies ASDM configuration access if you configure the HTTP option. ASDM monitoring access is allowed. If you configure enable authentication with the Enable option, the user cannot access privileged EXEC mode using the enable command.
  – FAIL—Denies management access. The user cannot use any services specified by the Authentication tab options (excluding the Serial option; serial access is allowed).
• Local users—Configure the Access Restriction option. See the "Adding a User Account" section on page 31-18. By default, the access restriction is Full Access, which allows full access to any services specified by the Authentication tab options.

Configuring Command Authorization

If you want to control access to commands, the adaptive security appliance lets you configure command authorization, which determines which commands are available to a user. By default, when you log in, you can access user EXEC mode, which offers only minimal commands. When you enter the enable command (or the login command when you use the local database), you can access privileged EXEC mode and advanced commands, including configuration commands.

This section includes the following topics:
• Command Authorization Overview, page 32-13
• Configuring Local Command Authorization, page 32-15
• Configuring TACACS+ Command Authorization, page 32-18

Command Authorization Overview

This section describes command authorization and includes the following topics:
• Supported Command Authorization Methods, page 32-14
• About Preserving User Credentials, page 32-14
• Security Contexts and Command Authorization, page 32-15

Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
32-13
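The management-authorization rules listed on this page (RADIUS Service-Type 7 and 5, TACACS+ PASS/FAIL by privilege level, and local users with the default Full Access restriction) are easy to misread when several Authentication tab options are configured at once. The following Python model is an added example, not code from the Cisco guide; it encodes only the outcomes this page states, so an administrator can check what a given AAA server response should yield (CLI, ASDM configuration, ASDM monitoring, serial, enable) before verifying on the appliance. The record layout (`proto`, `service_type`, `priv`, `access_restriction`) and the option-set names are this example's own assumptions.

```python
from enum import Enum


class Level(Enum):
    FULL = "full"          # full access to every configured Authentication tab option
    CLI_ONLY = "cli-only"  # CLI and ASDM monitoring only; no ASDM configuration, no enable
    DENY = "deny"          # no management access (serial access excepted)


def classify(user: dict) -> Level:
    """Map an AAA result to the access level the guide describes.

    ``user`` is a constructed record (the layout is this example's own assumption):
      {"proto": "radius", "service_type": 7}
      {"proto": "tacacs", "result": "PASS", "priv": 2}
      {"proto": "tacacs", "result": "FAIL"}
      {"proto": "local", "access_restriction": "Full Access"}
    """
    proto = user["proto"]
    if proto == "radius":
        service_type = user["service_type"]
        if service_type == 7:   # NAS prompt
            return Level.CLI_ONLY
        if service_type == 5:   # Outbound (VPN users may still authenticate; not modeled here)
            return Level.DENY
        raise ValueError(f"Service-Type {service_type} is not covered by this page")
    if proto == "tacacs":
        if user["result"] == "FAIL":
            return Level.DENY
        # PASS: privilege level 1 is full access; level 2 and higher is CLI only
        return Level.FULL if user["priv"] == 1 else Level.CLI_ONLY
    if proto == "local":
        if user["access_restriction"] == "Full Access":   # the default restriction
            return Level.FULL
        raise ValueError("only the default Full Access restriction is described on this page")
    raise ValueError(f"unknown protocol {proto!r}")


def permitted(user: dict, configured: set) -> dict:
    """Return the management paths a user can actually use.

    ``configured`` is the set of Authentication tab options enabled on the
    appliance, drawn from {"serial", "telnet", "ssh", "http", "enable"}.
    "enable" in the result means the user may pass enable authentication;
    it is only meaningful when the Enable option is configured.
    """
    level = classify(user)
    cli = bool(configured & {"telnet", "ssh"})
    http = "http" in configured
    result = {
        "serial": "serial" in configured,   # serial access is never revoked by these rules
        "cli": False,
        "asdm_config": False,
        "asdm_monitor": False,
        "enable": False,
    }
    if level is Level.FULL:
        result.update(cli=cli, asdm_config=http, asdm_monitor=http,
                      enable="enable" in configured)
    elif level is Level.CLI_ONLY:
        # ASDM configuration is denied; enable is denied when enable authentication is on
        result.update(cli=cli, asdm_monitor=http)
    return result


if __name__ == "__main__":
    options = {"ssh", "http", "enable", "serial"}   # constructed appliance settings
    for rec in ({"proto": "tacacs", "result": "PASS", "priv": 1},
                {"proto": "radius", "service_type": 7},
                {"proto": "radius", "service_type": 5}):
        print(rec, "->", permitted(rec, options))
```

The model deliberately raises on inputs the page does not describe (other RADIUS Service-Type values, non-default local access restrictions) rather than guessing, so a wrong assumption about the AAA server's attribute mapping surfaces as an error instead of a silently permissive result.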
