Chapter 40
Managing System Access

Command Authorization Overview

This section describes command authorization, and includes the following topics:

• Supported Command Authorization Methods, page 40-9
• Security Contexts and Command Authorization, page 40-9

Supported Command Authorization Methods

You can use one of two command authorization methods:

• Local privilege levels—Configure the command privilege levels on the security appliance. When a local, RADIUS, or LDAP (if you map LDAP attributes to RADIUS attributes) user authenticates for CLI access, the security appliance places that user in the privilege level that is defined by the local database, RADIUS, or LDAP server. The user can access commands at the user's privilege level and below. Note that all users access user EXEC mode when they first log in (commands at level 0 or 1). The user needs to authenticate again with the enable command to access privileged EXEC mode (commands at level 2 or higher), or they can log in with the login command (local database only).

Note: You can use local command authorization without any users in the local database and without CLI or enable authentication. Instead, when you enter the enable command, you enter the system enable password, and the security appliance places you in level 15. You can then create enable passwords for every level, so that when you enter enable n (2 to 15), the security appliance places you in level n. These levels are not used unless you turn on local command authorization (see "Configuring Local Command Authorization" below). (See the Cisco Security Appliance Command Reference for more information about enable.)

• TACACS+ server privilege levels—On the TACACS+ server, configure the commands that a user or group can use after they authenticate for CLI access. Every command that a user enters at the CLI is checked with the TACACS+ server.
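The two methods above, written out as CLI configuration. This is an added example, not configuration from the manual; the privilege levels, passwords, user names, server group name, interface name and server address are illustrative assumptions, and only the command syntax (enable password ... level, privilege, username ... privilege, aaa-server, aaa authentication, aaa authorization command, show curpriv, show running-config all privilege) is the appliance's own.

```text
! Added example (not from the manual). Values are illustrative.
!
! ---- Method 1: local privilege levels ----
! Per-level enable passwords: "enable 5" drops you into level 5,
! "enable" (or "enable 15") into level 15.
hostname(config)# enable password Sup3rS3cret! level 15
hostname(config)# enable password 0ps-0nly-pw level 5
!
! By default almost every command sits at level 15. Move the few
! commands a level-5 operator needs down to level 5; everything else
! stays unreachable below 15.
hostname(config)# privilege show level 5 command interface
hostname(config)# privilege show level 5 command logging
hostname(config)# privilege show level 5 command xlate
hostname(config)# privilege cmd level 5 command ping
!
! Levels are inert until local command authorization is switched on.
hostname(config)# aaa authorization command LOCAL
!
! Optional: give operators their own accounts instead of shared
! per-level enable passwords, and authenticate CLI/enable against them.
hostname(config)# username ops-alice password Al1ce-pw privilege 5
hostname(config)# username admin-bob password B0b-pw privilege 15
hostname(config)# aaa authentication ssh console LOCAL
hostname(config)# aaa authentication enable console LOCAL
!
! Verify what a session can do and which commands live at each level.
hostname# show curpriv
hostname# show running-config all privilege level 5
hostname# show running-config all privilege command interface
!
! ---- Method 2: TACACS+ server privilege levels ----
! Every command is sent to the TACACS+ server for an authorization
! decision; the per-command privilege table above is not consulted.
hostname(config)# aaa-server ADMIN-TACACS protocol tacacs+
hostname(config)# aaa-server ADMIN-TACACS (inside) host 192.0.2.10
hostname(config-aaa-server-host)# key <shared-secret>
hostname(config-aaa-server-host)# exit
hostname(config)# aaa authentication ssh console ADMIN-TACACS LOCAL
hostname(config)# aaa authentication enable console ADMIN-TACACS LOCAL
hostname(config)# aaa authorization command ADMIN-TACACS LOCAL
```

The trailing LOCAL on the aaa authorization command line is the fallback method: if the TACACS+ server group is unreachable the appliance authorizes commands against the local privilege table instead of locking every administrator out. Before enabling TACACS+ command authorization, keep a console session open and confirm from a second session that the server actually permits the commands you need, because a misconfigured server denies everything.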
Security Contexts and Command Authorization

The following are important points to consider when implementing command authorization with multiple security contexts:

• AAA settings are discrete per context, not shared between contexts.
• When configuring command authorization, you must configure each security context separately. This gives you the opportunity to enforce different command authorizations for different security contexts.
• When switching between security contexts, administrators should be aware that the commands permitted for the username they logged in with may be different in the new context session, or that command authorization may not be configured at all in the new context. An administrator who does not expect command authorizations to differ between security contexts can be confused by this. This behavior is further complicated by the next point.
• New context sessions started with the changeto command always use the default "enable_15" username as the administrator identity, regardless of what username was used in the previous context session. This behavior can lead to confusion if command authorization is not configured for the enable_15 user or if authorizations are different for the enable_15 user than for the user in the previous context session.
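The per-context and changeto points above, shown as a CLI session. This is an added example, not a session from the manual; it assumes an appliance already in multiple-context mode with contexts named admin and ctxA, and the user name, server group, interface and address are illustrative. The show curpriv output is reproduced in the form the command prints, with illustrative values.

```text
! Added example (not from the manual). Context names, user names,
! server group, interface and address are illustrative.
!
! ---- AAA is per context: configure command authorization in admin ...
hostname/admin(config)# aaa-server ADMIN-TACACS protocol tacacs+
hostname/admin(config)# aaa-server ADMIN-TACACS (inside) host 192.0.2.10
hostname/admin(config-aaa-server-host)# key <shared-secret>
hostname/admin(config-aaa-server-host)# exit
hostname/admin(config)# aaa authentication ssh console ADMIN-TACACS LOCAL
hostname/admin(config)# aaa authentication enable console ADMIN-TACACS LOCAL
hostname/admin(config)# aaa authorization command ADMIN-TACACS LOCAL
hostname/admin(config)# exit
!
! ... and then again, from scratch, in every other context. Nothing
! from admin carries over: until these lines are entered in ctxA,
! ctxA has no command authorization at all.
hostname/admin# changeto context ctxA
hostname/ctxA# configure terminal
hostname/ctxA(config)# aaa-server ADMIN-TACACS protocol tacacs+
hostname/ctxA(config)# aaa-server ADMIN-TACACS (inside) host 192.0.2.10
hostname/ctxA(config-aaa-server-host)# key <shared-secret>
hostname/ctxA(config-aaa-server-host)# exit
hostname/ctxA(config)# aaa authorization command ADMIN-TACACS LOCAL
hostname/ctxA(config)# exit
!
! ---- The changeto identity caveat ----
! In the context you logged in to, the session carries your user name:
hostname/admin# show curpriv
Username : alice
Current privilege level : 15
Current Mode/s : P_PRIV
!
! After changeto, the session identity is enable_15, not alice:
hostname/admin# changeto context ctxA
hostname/ctxA# show curpriv
Username : enable_15
Current privilege level : 15
Current Mode/s : P_PRIV
```

The consequence for TACACS+ command authorization is that the server consulted by ctxA receives authorization requests for a user literally named enable_15, so that user must exist on the TACACS+ server with the command set you expect, or every command after changeto is denied (or silently allowed, if ctxA has no command authorization configured). With local command authorization the changeto session is at level 15 and can run everything, which is the opposite surprise: per-level restrictions applied to alice in admin do not follow her into ctxA.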
Configuring AAA for System Administrators
Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, page 40-9
