Cisco FirePOWER ASA 5500 series Configuration Manual page 779

Chapter 40      Managing System Access
Configuring AAA for System Administrators
Cisco Security Appliance Command Line Configuration Guide, OL-10088-01, page 40-11

Note    When configuring command authorization with a TACACS+ server, do not save your configuration until you are sure it works the way you want. If you get locked out because of a mistake, you can usually recover access by restarting the security appliance. If you still get locked out, see the "Recovering from a Lockout" section on page 40-15.

Be sure that your TACACS+ system is completely stable and reliable. The necessary level of reliability typically requires that you have a fully redundant TACACS+ server system and fully redundant connectivity to the security appliance. For example, in your TACACS+ server pool, include one server connected to interface 1, and another to interface 2. You can also configure local command authorization as a fallback method if the TACACS+ server is unavailable. In this case, you need to configure local users and command privilege levels according to the "Configuring Local Command Authorization" section on page 40-7.

This section includes the following topics:
•  TACACS+ Command Authorization Prerequisites, page 40-11
•  Configuring Commands on the TACACS+ Server, page 40-11
•  Enabling TACACS+ Command Authorization, page 40-14

TACACS+ Command Authorization Prerequisites
Complete the following tasks as part of your command authorization configuration:
•  Configure CLI authentication (see the "Configuring Command Authorization" section on page 40-7).
•  Configure enable authentication (see the "Configuring Authentication To Access Privileged EXEC Mode" section on page 40-5).

Configuring Commands on the TACACS+ Server
You can configure commands on a Cisco Secure Access Control Server (ACS) TACACS+ server as a shared profile component, for a group, or for individual users. For third-party TACACS+ servers, see your server documentation for more information about command authorization support.
See the following guidelines for configuring commands in Cisco Secure ACS Version 3.1; many of these guidelines also apply to third-party servers:
•  The security appliance sends the commands to be authorized as "shell" commands, so configure the commands on the TACACS+ server as shell commands.

   Note    Cisco Secure ACS might include a command type called "pix-shell." Do not use this type for security appliance command authorization.

•  The first word of the command is considered to be the main command. All additional words are considered to be arguments, which need to be preceded by permit or deny.
   For example, to allow the show running-configuration aaa-server command, add show running-configuration to the command box, and type permit aaa-server in the arguments box.
•  You can permit all arguments of a command that you do not explicitly deny by selecting the Permit Unmatched Args check box.
   For example, you can configure just the show command, and then all the show commands are allowed. We recommend using this method so that you do not have to anticipate every variant of a command, including abbreviations and ?, which shows CLI usage (see Figure 40-1).
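The main-command/arguments rule and the Permit Unmatched Args check box described above, modelled as a small checker for dry-running a command set before the appliance configuration is saved (the Note at the top of the page explains why that order matters). This is an added example, not Cisco or ACS code; the rule set, the longest-prefix rule selection, the regular-expression argument matching and the "show tech-support" deny entry are constructed assumptions rather than documented ACS behaviour.

```python
import re
from dataclasses import dataclass, field

@dataclass
class CommandRule:
    """One entry of an ACS shell command set (constructed model, not ACS code)."""
    command: str                                   # text of the ACS "command" box
    arguments: list = field(default_factory=list)  # "permit <pattern>" / "deny <pattern>"
    permit_unmatched: bool = False                 # the "Permit Unmatched Args" check box

def _find_rule(rules, words):
    """Assumption: the rule whose command box matches the longest prefix of the line wins."""
    best = None
    for rule in rules:
        cmd = rule.command.split()
        if words[:len(cmd)] == cmd and (best is None or len(cmd) > len(best.command.split())):
            best = rule
    return best

def authorize(rules, cli_line):
    """True if cli_line would be permitted. Assumptions: argument patterns are regexes
    searched in the words after the command box text; the first matching permit/deny
    entry wins; otherwise Permit Unmatched Args decides; a command with no rule is denied."""
    words = cli_line.split()
    rule = _find_rule(rules, words) if words else None
    if rule is None:
        return False
    args = " ".join(words[len(rule.command.split()):])
    for entry in rule.arguments:
        action, _, pattern = entry.partition(" ")
        if re.search(pattern, args):
            return action == "permit"
    return rule.permit_unmatched

def dry_run(rules, cli_lines):
    """Check a list of commands against the rules before the configuration is saved."""
    return {line: authorize(rules, line) for line in cli_lines}

# Constructed rule set: the page's "show running-configuration aaa-server" example, plus a
# bare "show" entry with Permit Unmatched Args and one explicit deny for show tech-support.
SAMPLE_RULES = [
    CommandRule("show running-configuration", ["permit aaa-server"]),
    CommandRule("show", ["deny tech-support"], permit_unmatched=True),
]

if __name__ == "__main__":
    for line, ok in dry_run(SAMPLE_RULES, ["show running-configuration aaa-server",
                                           "show running-configuration interface", "show ?",
                                           "show tech-support", "configure terminal"]).items():
        print("permit" if ok else "deny  ", line)
```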
