Cisco ASA Series CLI Configuration Manual, page 1024

Software version 9.0 for the services module
Chapter 1 Configuring Management Access
Configuring AAA for System Administrators

• show pager
• clear pager
• quit
• show version

Configuring TACACS+ Command Authorization

If you enable TACACS+ command authorization, and a user enters a command at the CLI, the ASA sends the command and username to the TACACS+ server to determine if the command is authorized.

Before you enable TACACS+ command authorization, be sure that you are logged into the ASA as a user that is defined on the TACACS+ server, and that you have the necessary command authorization to continue configuring the ASA. For example, you should log in as an admin user with all commands authorized. Otherwise, you could become unintentionally locked out.

Do not save your configuration until you are sure that it works the way you want. If you get locked out because of a mistake, you can usually recover access by restarting the ASA. If you still get locked out, see the "Recovering from a Lockout" section on page 1-32.

Be sure that your TACACS+ system is completely stable and reliable. The necessary level of reliability typically requires that you have a fully redundant TACACS+ server system and fully redundant connectivity to the ASA. For example, in your TACACS+ server pool, include one server connected to interface 1, and another to interface 2. You can also configure local command authorization as a fallback method if the TACACS+ server is unavailable. In this case, you need to configure local users and command privilege levels according to procedures listed in the "Configuring Command Authorization" section on page 1-24.

To configure TACACS+ command authorization, enter the following command:

Detailed Steps

Command:
aaa authorization command tacacs+_server_group [LOCAL]

Example:
hostname(config)# aaa authorization command group_1 LOCAL

Purpose:
Performs command authorization using a TACACS+ server.
You can configure the ASA to use the local database as a fallback method if the TACACS+ server is unavailable. To enable fallback, specify the server group name followed by LOCAL (LOCAL is case sensitive). We recommend that you use the same username and password in the local database as the TACACS+ server because the ASA prompt does not give any indication which method is being used. Be sure to configure users in the local database (see the "Adding a User Account to the Local Database" section on page 1-22) and command privilege levels (see the "Configuring Local Command Authorization" section on page 1-24).

Configuring Management Access Accounting

You can send accounting messages to the TACACS+ accounting server when you enter any command other than show commands at the CLI. You can configure accounting when users log in, when they enter the enable command, or when they issue commands.

For command accounting, you can only use TACACS+ servers.

Cisco ASA Series CLI Configuration Guide
1-30
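As an added example that is not part of Cisco's documentation, the following Python script audits an ASA configuration excerpt for the lockout risks this section describes: `aaa authorization command` without a LOCAL fallback, a LOCAL fallback with no privilege 15 user in the local database, and a TACACS+ server group that is not redundant across two interfaces. The config excerpts, the group name TACACS_GRP and the server addresses are constructed; the line formats follow the ASA `aaa-server`, `username` and `aaa authorization command` syntax shown on this page.

```python
import re
from typing import Dict, List, Optional, Tuple

# Constructed excerpts of ASA running-config lines (not from a real device).
SAFE_CONFIG = """
aaa-server TACACS_GRP protocol tacacs+
aaa-server TACACS_GRP (inside) host 10.0.0.5
aaa-server TACACS_GRP (management) host 10.0.1.5
username admin password <redacted> privilege 15
aaa authorization command TACACS_GRP LOCAL
"""
WEAK_CONFIG = """
aaa-server TACACS_GRP protocol tacacs+
aaa-server TACACS_GRP (inside) host 10.0.0.5
aaa authorization command TACACS_GRP
"""

HOST_RE = re.compile(r"^aaa-server (\S+) \((\S+)\) host (\S+)")
AUTHZ_RE = re.compile(r"^aaa authorization command (\S+)( LOCAL)?$")
USER_RE = re.compile(r"^username (\S+) .*privilege (\d+)$")

def audit_command_authz(config: str) -> List[str]:
    """Return lockout-risk findings for TACACS+ command authorization."""
    servers: Dict[str, List[str]] = {}        # group -> interfaces of its servers
    authz: Optional[Tuple[str, bool]] = None  # (server group, LOCAL fallback present?)
    admins: List[str] = []                    # local users with privilege 15
    for line in config.splitlines():
        line = line.strip()
        if m := HOST_RE.match(line):
            servers.setdefault(m.group(1), []).append(m.group(2))
        elif m := AUTHZ_RE.match(line):
            authz = (m.group(1), m.group(2) is not None)
        elif (m := USER_RE.match(line)) and int(m.group(2)) == 15:
            admins.append(m.group(1))
    findings: List[str] = []
    if authz is None or authz[0] == "LOCAL":
        return findings  # no TACACS+ command authorization, or local-only authorization
    group, has_local = authz
    if not has_local:
        findings.append("no LOCAL fallback: an unreachable TACACS+ group blocks every command")
    elif not admins:
        findings.append("LOCAL fallback set, but no privilege 15 user exists in the local database")
    ifaces = servers.get(group, [])
    if len(ifaces) < 2:
        findings.append(f"group {group} has {len(ifaces)} server(s); use a redundant pool")
    elif len(set(ifaces)) < 2:
        findings.append(f"all servers in {group} are reached via interface {ifaces[0]}")
    return findings
```

Running `audit_command_authz(WEAK_CONFIG)` reports the missing LOCAL fallback and the single-server group, while `SAFE_CONFIG` produces no findings.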