Configuring Command Accounting; Viewing The Current Logged-In User - Cisco 7604 Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide Using the CLI
AAA for System Administrators
Enabling TACACS+ Command Authorization
Before you enable TACACS+ command authorization, be sure that you are logged in to the FWSM as a
user that is defined on the TACACS+ server, and that you have the necessary command authorization to
continue configuring the FWSM. For example, you should log in as an admin user with all commands
authorized. Otherwise, you could become unintentionally locked out.
To perform command authorization using a TACACS+ server, enter the following command:
hostname(config)# aaa authorization command tacacs+_server_group [LOCAL]
You can configure the FWSM to use the local database as a fallback method if the TACACS+ server is
unavailable. To enable fallback, specify the server group name followed by LOCAL (LOCAL is case
sensitive). We recommend that you use the same username and password in the local database as the
TACACS+ server because the FWSM prompt does not give any indication which method is being used.
Be sure to configure users in the local database (see the "Configuring the Local Database" section on
page 11-7) and command privilege levels (see the "Configuring Local Command Authorization" section
on page 23-15).

Configuring Command Accounting

You can send accounting messages to the TACACS+ accounting server when you enter any command
other than show commands at the CLI. If you customize the command privilege level using the privilege
command (see the "Assigning Privilege Levels to Commands and Enabling Authorization" section on
page 23-16), you can limit which commands the FWSM accounts for by specifying a minimum privilege
level. The FWSM does not account for commands that are below the minimum privilege level.
To enable command accounting, enter the following command:
hostname(config)# aaa accounting command [privilege level] server-tag
Where level is the minimum privilege level and server-tag is the name of the TACACS+ server group
to which the FWSM should send command accounting messages. The TACACS+ server group
configuration must already exist. For information about configuring a AAA server group, see the
"Identifying AAA Server Groups and Servers" section on page 11-9.

Viewing the Current Logged-In User

To view the current logged-in user, enter the following command:
hostname# show curpriv
See the following sample show curpriv command output. A description of each field follows.
hostname# show curpriv
Username : admin
Current privilege level : 15
Current Mode/s : P_PRIV

Chapter 23, Configuring Management Access
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM, OL-20748-01, page 23-22
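The following pre-deployment check is an added example, not part of the Cisco guide: it reads candidate configuration text and reports the lockout and accounting gaps described in the sections above (missing or miscased LOCAL fallback, a fallback with no local users, an undefined server group, a minimum accounting level). The sample configuration is constructed, and the `aaa-server ... protocol tacacs+` and `username` lines it looks for come from general FWSM syntax rather than from this page.

```python
import re

# Constructed sample configuration (not from the manual). The aaa-server and
# username lines follow general FWSM syntax and are assumptions here.
SAMPLE_CONFIG = """\
aaa-server TACACS_ADMIN protocol tacacs+
username admin password Example1234 privilege 15
aaa authorization command TACACS_ADMIN local
aaa accounting command privilege 5 TACACS_ACCT
"""

def audit_command_aaa(config):
    """Return findings for TACACS+ command authorization and accounting."""
    lines = [ln.strip() for ln in config.splitlines() if ln.strip()]
    # Server groups and local users that the aaa commands depend on.
    groups = {m.group(1) for ln in lines
              if (m := re.match(r"aaa-server (\S+) protocol tacacs\+$", ln))}
    local_users = {m.group(1) for ln in lines
                   if (m := re.match(r"username (\S+) ", ln))}
    authz = [m for ln in lines
             if (m := re.match(r"aaa authorization command (\S+)(?: (\S+))?$", ln))]
    acct = [m for ln in lines
            if (m := re.match(r"aaa accounting command (?:privilege (\d+) )?(\S+)$", ln))]
    findings = []
    for m in authz:
        group, fallback = m.groups()
        if group not in groups:
            findings.append(f"authorization: server group {group} is not defined")
        if fallback is None:
            findings.append("authorization: no LOCAL fallback if TACACS+ is unavailable")
        elif fallback != "LOCAL":  # the keyword is case sensitive
            findings.append(f"authorization: fallback {fallback!r} must be LOCAL (case sensitive)")
        elif not local_users:
            findings.append("authorization: LOCAL fallback set but no local users exist")
    if not acct:
        findings.append("accounting: command accounting is not enabled")
    for m in acct:
        level, tag = m.groups()
        if tag not in groups:  # the server group must already exist
            findings.append(f"accounting: server group {tag} is not defined")
        if level is not None and int(level) > 0:
            findings.append(f"accounting: commands below privilege level {level} are not accounted")
    return findings

if __name__ == "__main__":
    for finding in audit_command_aaa(SAMPLE_CONFIG):
        print(finding)
```
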
