Configuring Local Command Authorization - Cisco PIX 500 Series Configuration Manual

Chapter 40 Managing System Access
Cisco Security Appliance Command Line Configuration Guide, OL-12172-03, page 40-10

Configuring AAA for System Administrators

This behavior also affects command accounting, which is useful only if you can accurately associate each command that is issued with a particular administrator. Because all administrators with permission to use the changeto command can use the enable_15 username in other contexts, command accounting records may not readily identify who was logged in as the enable_15 username. If you use different accounting servers for each context, tracking who was using the enable_15 username requires correlating the data from several servers.

When configuring command authorization, consider the following:

• An administrator with permission to use the changeto command effectively has permission to use all commands permitted to the enable_15 user in each of the other contexts.

• If you intend to authorize commands differently per context, ensure that in each context the enable_15 username is denied use of commands that are also denied to administrators who are permitted use of the changeto command.

When switching between security contexts, administrators can exit privileged EXEC mode and enter the enable command again to use the username they need.

Note: The system execution space does not support AAA commands; therefore, command authorization is not available in the system execution space.

Configuring Local Command Authorization

Local command authorization lets you assign commands to one of 16 privilege levels (0 to 15). By default, each command is assigned either to privilege level 0 or 15. You can define each user to be at a specific privilege level, and each user can enter any command at their privilege level or below. The security appliance supports user privilege levels defined in the local database, a RADIUS server, or an LDAP server (if you map LDAP attributes to RADIUS attributes. See the "LDAP Attribute Mapping" section on page 13-14.)

This section includes the following topics:

• Local Command Authorization Prerequisites, page 40-10
• Default Command Privilege Levels, page 40-11
• Assigning Privilege Levels to Commands and Enabling Authorization, page 40-11
• Viewing Command Privilege Levels, page 40-13

Local Command Authorization Prerequisites

Complete the following tasks as part of your command authorization configuration:

• Configure enable authentication. (See the "Configuring Authentication To Access Privileged EXEC Mode (the enable Command)" section on page 40-6.)

  enable authentication is essential to maintain the username after the user accesses the enable command.

  Alternatively, you can use the login command (which is the same as the enable command with authentication; for the local database only), which requires no configuration. We do not recommend this option because it is not as secure as enable authentication.

  You can also use CLI authentication, but it is not required.

• See the following prerequisites for each user type:

  – Local database users—Configure each user in the local database at a privilege level from 0 to 15.
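The following configuration is an added example, not text from this guide, showing the prerequisites above put together with the local authorization model they support: enable authentication against the local database, local users at distinct privilege levels, a few commands moved off their default levels, and local command authorization switched on last. The command syntax is the PIX/ASA CLI as it appears in other parts of the security appliance guide (aaa authentication enable console, username ... privilege, privilege ... command, aaa authorization command, show curpriv, show running-config all privilege all); the usernames, the placeholder passwords and the particular command/level pairs are constructed for illustration.

```cisco
! Added example, not part of this manual page. Passwords are placeholders.
!
! Prerequisite from this section: enable authentication against the local
! database. Without it the username is lost at "enable", and authorization
! and accounting records show the shared enable_15 identity instead of a person.
aaa authentication enable console LOCAL
!
! Local database users, each at a privilege level from 0 to 15. A user may run
! any command at or below their own level.
username helpdesk password CHANGE_ME_1 privilege 5
username netops   password CHANGE_ME_2 privilege 10
username secadmin password CHANGE_ME_3 privilege 15
!
! Move selected commands off the default levels (0 or 15). The keyword after
! "command" is the first word of the command being re-leveled; "show" and
! "clear" forms are leveled separately from the bare command.
! show interface and show conn become readable by helpdesk (level 5 and up).
privilege show level 5 command interface
privilege show level 5 command conn
! clear conn is more disruptive, so it stays out of helpdesk reach.
privilege clear level 10 command conn
! ping is allowed from level 10 (netops and secadmin).
privilege cmd level 10 command ping
!
! Turn on local command authorization only after the users and levels exist;
! from this point every command is checked against the caller's level.
aaa authorization command LOCAL
!
! Verification: the effective level of every command, and the level of the
! session you are currently logged in with.
show running-config all privilege all
show curpriv
```

Two points a practitioner would check before relying on this. First, the page's warning about multiple context mode is not addressed by per-command levels: an administrator permitted to use changeto still inherits whatever enable_15 may do in each other context, so the same denials have to be repeated for enable_15 in every context. Second, the login command alternative mentioned above is deliberately not used here; the guide recommends enable authentication because it keeps the real username attached to every authorized and accounted command.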