Configuring Command Accounting; Viewing The Current Logged-In User - Cisco PIX 500 Series Configuration Manual
Security appliance command line
Hide thumbs
Also See for PIX 500 Series:
- Administration manual (653 pages) ,
- Quick start manual (72 pages) ,
- User manual (60 pages)
Table of Contents
Advertisement
Chapter 40
Managing System Access
Enabling TACACS+ Command Authorization
Before you enable TACACS+ command authorization, be sure that you are logged into the security
appliance as a user that is defined on the TACACS+ server, and that you have the necessary command
authorization to continue configuring the security appliance. For example, you should log in as an admin
user with all commands authorized. Otherwise, you could become unintentionally locked out.
To perform command authorization using a TACACS+ server, enter the following command:
hostname(config)# aaa authorization command tacacs+_server_group [LOCAL]
You can configure the security appliance to use the local database as a fallback method if the TACACS+
server is unavailable. To enable fallback, specify the server group name followed by LOCAL (LOCAL
is case sensitive). We recommend that you use the same username and password in the local database as
the TACACS+ server because the security appliance prompt does not give any indication which method
is being used. Be sure to configure users in the local database (see the
Authorization" section on page
Command Authorization" section on page
Configuring Command Accounting
You can send accounting messages to the TACACS+ accounting server when you enter any command
other than show commands at the CLI. If you customize the command privilege level using the privilege
command (see the
page
minimum privilege level. The security appliance does not account for commands that are below the
minimum privilege level.
To enable command accounting, enter the following command:
hostname(config)# aaa accounting command [privilege level ] server-tag
Where level is the minimum privilege level and server-tag is the name of the TACACS+ server group
that to which the security appliance should send command accounting messages. The TACACS+ server
group configuration must already exist. For information about configuring a AAA server group, see the
"Identifying AAA Server Groups and Servers" section on page
Viewing the Current Logged-In User
To view the current logged-in user, enter the following command:
hostname# show curpriv
See the following sample show curpriv command output. A description of each field follows.
hostname# show curpriv
Username : admin
Current privilege level : 15
Current Mode/s : P_PRIV
OL-12172-03
show pager
–
clear pager
–
quit
–
show version
–
"Assigning Privilege Levels to Commands and Enabling Authorization" section on
40-11), you can limit which commands the security appliance accounts for by specifying a
40-8) and command privilege levels (see the
40-10).
Cisco Security Appliance Command Line Configuration Guide
Configuring AAA for System Administrators
"Configuring Command
"Configuring Local
13-9.
40-17
Advertisement
Table of Contents
Troubleshooting
