Cisco ASA Series Cli Configuration Manual page 1017
Software version 9.0 for the services module
Hide thumbs
Also See for ASA Series:
- Configuration manual (429 pages) ,
- Getting started (31 pages) ,
- Mount and connect (12 pages)
Table of Contents
Advertisement
Chapter 1
Configuring Management Access
Detailed Steps
Command
Step 1
aaa authorization exec
authentication-server
Example:
hostname(config)# aaa authorization exec
authentication-server
Step 2
To configure the user for management authorization, see the following requirements for each AAA server type or
local user:
•
RADIUS or LDAP (mapped) users—Use the IETF RADIUS numeric Service-Type attribute, which maps to one
of the following values:
–
Service-Type 6 (Administrative)—Allows full access to any services specified by the aaa authentication
console commands.
–
Service-Type 7 (NAS prompt)—Allows access to the CLI when you configure the aaa authentication
{telnet | ssh} console command, but denies ASDM configuration access if you configure the aaa
authentication http console command. ASDM monitoring access is allowed. If you configure enable
authentication with the aaa authentication enable console command, the user cannot access privileged
EXEC mode using the enable command.
–
Service-Type 5 (Outbound)—Denies management access. The user cannot use any services specified by the
aaa authentication console commands (excluding the serial keyword; serial access is allowed). Remote
access (IPsec and SSL) users can still authenticate and terminate their remote access sessions.
Configure Cisco VSA CVPN3000-Privilege-Level with a value between 0 and 15. and then map the LDAP
attributes to Cisco VAS CVPN3000-Privilege-Level using the ldap map-attributes command. For more
information, see the
•
TACACS+ users—Authorization is requested with "service=shell," and the server responds with PASS or FAIL.
–
PASS, privilege level 1—Allows access to ASDM, with limited read-only access to the configuration and
monitoring sections, and access for show commands that are privilege level 1 only.
–
PASS, privilege level 2 and higher—Allows access to the CLI when you configure the aaa authentication
{telnet | ssh} console command, but denies ASDM configuration access if you configure the aaa
authentication http console command. ASDM monitoring access is allowed. If you configure enable
authentication with the aaa authentication enable console command, the user cannot access privileged
EXEC mode using the enable command. You are not allowed to access privileged EXEC mode using the
enable command if your enable privilege level is set to 14 or less.
–
FAIL—Denies management access. You cannot use any services specified by the aaa authentication
console commands (excluding the serial keyword; serial access is allowed).
•
Local users—Sets the service-type command. By default, the service-type is admin, which allows full access
to any services specified by the aaa authentication console command. Uses the username command to
configure local database users at a privilege level from 0 to 15. For more information, see the
Account to the Local Database" section on page
Purpose
Enables management authorization for local, RADIUS, LDAP
(mapped), and TACACS+ users. Also enables support of
administrative user privilege levels from RADIUS, which can be
used in conjunction with local command privilege levels for
command authorization. See the
Authorization" section on page 1-24
the aaa authorization exec LOCAL command to enable
attributes to be taken from the local database.
"Configuring LDAP Attribute Maps" section on page
Configuring AAA for System Administrators
1-20.
1-22.
Cisco ASA Series CLI Configuration Guide
"Configuring Local Command
for more information. Use
"Adding a User
1-23
Hide quick links:
Advertisement
Chapters
Table of Contents
Troubleshooting
