Configuring Command Authorization; Command Authorization Overview - Cisco 7604 Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI
AAA for System Administrators
Caution: If you add users to the local database who can gain access to the CLI and whom you do not want to enter privileged EXEC mode, you should configure command authorization. Without command authorization, users can access privileged EXEC mode (and all commands) at the CLI using their own password if their privilege level is 2 or greater (2 is the default). Alternatively, you can use RADIUS or TACACS+ authentication, or you can set all local users to level 1 so you can control who can use the system enable password to access privileged EXEC mode.
To log in as a user from the local database, enter the following command:
hostname> login
The FWSM prompts for your username and password. After you enter your password, the FWSM places you in the privilege level that the local database specifies. You can enter the login command only in user EXEC mode. If you are in privileged EXEC mode, enter the disable command to return to user EXEC mode.
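The FWSM CLI fragments below are an added example, not text from the guide. They show the weak state the caution describes (local users left at the default privilege level with no command authorization) beside the two remedies the caution suggests: pinning every local user to level 1, or turning on local command authorization and granting commands per level. Usernames, passwords, privilege levels and the commands granted at level 5 are assumptions; confirm the exact form of the privilege command against the Configuring Local Command Authorization section and the command reference before using it.

```cisco
! Added example (not from the guide). All names, passwords and the
! commands granted at level 5 are assumptions.
!
! --- Weak: local users created with the default privilege level (2) and
!     no command authorization. Any of them can type "login" at the user
!     EXEC prompt and land in privileged EXEC with every command available.
username ops-alice password S3cret1
username ops-bob   password S3cret2
!
! --- Remedy A: set every local user to level 1. "login" then leaves them
!     in user EXEC, and only holders of the system enable password can
!     reach privileged EXEC.
username ops-alice password S3cret1 privilege 1
username ops-bob   password S3cret2 privilege 1
enable password Enabl3Me
!
! --- Remedy B: local command authorization. Each user lands in the level
!     the local database assigns and can run only the commands mapped to
!     that level and below. Level 15 keeps full access; level 5 gets a
!     handful of show commands (assumed set).
username ops-alice password S3cret1 privilege 15
username ops-bob   password S3cret2 privilege 5
enable password Lvl5Pass level 5
privilege show level 5 command access-list
privilege show level 5 command logging
privilege show level 5 command interface
aaa authorization command LOCAL
!
! Authenticate SSH sessions and "enable" against the local database so
! the user's own level, not the shared system enable password, decides
! what that session may run.
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
```

Apply remedy B from a second, already-privileged session and verify that the level-5 user cannot enter configuration mode before saving the configuration; once aaa authorization command LOCAL is active, any command whose level you have not mapped is unavailable below level 15.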

Configuring Command Authorization

By default when you log in, you can access user EXEC mode, which offers only minimal commands.
When you enter the enable command (or the login command when you use the local database), you can
access privileged EXEC mode and advanced commands, including configuration commands. If you want
to control the access to commands, the FWSM lets you configure command authorization, where you
can determine which commands are available to a user.
This section includes the following topics:

Command Authorization Overview, page 23-14
Configuring Local Command Authorization, page 23-15
Configuring TACACS+ Command Authorization, page 23-18

Command Authorization Overview

You can use one of two command authorization methods:
Local database—Configure the command privilege levels on the FWSM. When a local user authenticates with the enable command (or logs in with the login command), the FWSM places that user in the privilege level that is defined by the local database. The user can then access commands at the user privilege level and below.

You can use local command authorization without any users in the local database and without CLI or enable authentication. To do so, when you enter the enable command, use the system enable password, and the FWSM places you in level 15 as the default "enable_15" username. You can create enable passwords for every level, so that when you enter enable n (2 to 15), the FWSM places you in level n. These levels are not used unless you turn on local command authorization (see "Configuring Local Command Authorization"). (See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more information about the enable command.)

TACACS+ server—On the TACACS+ server, configure the commands that a user or group can use after they authenticate for CLI access. Every command that a user enters at the CLI is checked with the TACACS+ server.
Chapter 23, Configuring Management Access (OL-20748-01)
