Configuring Local Command Authorization - Cisco 7604 Configuration Manual

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using the CLI
Chapter 23
Configuring Management Access
Security Contexts and Command Authorization

The following are important points to consider when implementing command authorization with multiple security contexts:

• AAA settings are discrete per context, not shared between contexts.

• When configuring command authorization, you must configure each security context separately. This provides you the opportunity to enforce different command authorizations for different security contexts.

• When switching between security contexts, administrators should be aware that the commands permitted for the username specified when they log in may be different in the new context session, or that command authorization may not be configured at all in the new context. Failure to understand that command authorizations may differ between security contexts could confuse an administrator. This behavior is further complicated by the next point.

• New context sessions started with the changeto command always use the default "enable_15" username as the administrator identity, regardless of what username was used in the previous context session. This behavior can lead to confusion if command authorization is not configured for the enable_15 user or if authorizations are different for the enable_15 user than for the user in the previous context session.

• This behavior also affects command accounting, which is useful only if you can accurately associate each command that is issued with a particular administrator. Because all administrators with permission to use the changeto command can use the enable_15 username in other contexts, command accounting records may not readily identify who was logged in as the enable_15 username. If you use different accounting servers for each context, tracking who was using the enable_15 username requires correlating the data from several servers.

• When configuring command authorization, consider the following:

  – An administrator with permission to use the changeto command effectively has permission to use all commands permitted to the enable_15 user in each of the other contexts.

  – If you intend to authorize commands differently per context, ensure that in each context the enable_15 username is denied use of commands that are also denied to administrators who are permitted use of the changeto command.

• When switching between security contexts, administrators can exit privileged EXEC mode and enter the enable command again to use the username they need.

Note: The system execution space does not support AAA commands; therefore, command authorization is not available in the system execution space.

Configuring Local Command Authorization

Local command authorization places each user at a privilege level, and each user can enter any command at their privilege level or below. The FWSM lets you assign commands to one of 16 privilege levels (0 to 15). By default, each command is assigned either to privilege level 0 or 15.

This section includes the following topics:

• Local Command Authorization Prerequisites, page 23-16
• Default Command Privilege Levels, page 23-16
• Assigning Privilege Levels to Commands and Enabling Authorization, page 23-16
• Viewing Command Privilege Levels, page 23-18

Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM
OL-20748-01
AAA for System Administrators
23-15
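The changeto and enable_15 considerations in the section above are easiest to see when the rules are written down and executed. The following Python model is an added example, not Cisco code and not part of the guide: it encodes the privilege-level rule (a user may run any command at or below their own level), per-context AAA tables, and the fact that a changeto session runs as enable_15, then computes what an administrator can reach from one context and flags exactly the commands the guide tells you to deny to enable_15 in the other contexts. The context names, usernames, command levels, the default level of 15 for enable_15, and the treatment of commands missing from a table as level 15 are all constructed assumptions of this model; the system execution space, which has no AAA, is not modelled.

```python
"""Model of FWSM command authorization across security contexts.

Added illustration, not Cisco code.  It encodes the rules stated in the guide:
each command has a privilege level 0-15, a user may run any command at or below
their own level, AAA settings are discrete per context, and a session opened
with changeto runs as the enable_15 identity.  Everything else (context names,
usernames, command levels) is constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

ENABLE_15 = "enable_15"   # identity every changeto session runs under (per the guide)


@dataclass
class Context:
    """One security context with its own, discrete, AAA configuration."""
    name: str
    command_levels: Dict[str, int]                              # command -> level 0-15
    user_levels: Dict[str, int] = field(default_factory=dict)   # username -> level
    authorization: bool = True                                  # command authorization configured?

    def level_of(self, user: str) -> int:
        # Assumption of the model: enable_15 is level 15 unless the context
        # deliberately assigns it a lower level; an unknown user gets level 0.
        if user in self.user_levels:
            return self.user_levels[user]
        return 15 if user == ENABLE_15 else 0

    def may_run(self, user: str, command: str) -> bool:
        """Privilege-level rule: a user may run commands at or below their level."""
        if not self.authorization:
            return True   # no command authorization in this context: nothing is denied
        # Assumption: a command missing from the table is treated as level 15.
        return self.command_levels.get(command, 15) <= self.level_of(user)

    def allowed(self, user: str) -> Set[str]:
        return {c for c in self.command_levels if self.may_run(user, c)}


def reachable_commands(contexts: Dict[str, Context], user: str, home: str) -> Dict[str, Set[str]]:
    """Commands `user`, logged in to `home`, can run in every context.

    In the home context the user's own privilege level applies.  Every other
    context is reached with changeto, and that session runs as enable_15, so the
    other contexts' enable_15 permissions are what count there.
    """
    reach = {home: contexts[home].allowed(user)}
    if "changeto" in reach[home]:
        for name, ctx in contexts.items():
            if name != home:
                reach[name] = ctx.allowed(ENABLE_15)
    return reach


def escalation_findings(contexts: Dict[str, Context], user: str, home: str) -> List[Tuple[str, str]]:
    """The guide's check: a command denied to `user` at home but granted to
    enable_15 in another context is reachable through changeto.  Returns the
    (context, command) pairs an auditor should review."""
    reach = reachable_commands(contexts, user, home)
    denied_at_home = set(contexts[home].command_levels) - reach[home]
    return [(name, cmd)
            for name, cmds in reach.items() if name != home
            for cmd in sorted(denied_at_home & cmds)]


def sample_contexts() -> Dict[str, Context]:
    """Constructed sample: four contexts with different AAA postures."""
    shared = {"show": 0, "ping": 0, "configure": 15, "clear": 15}
    home_table = dict(shared, changeto=10)
    return {
        # ops is level 10: may use changeto at home, but not configure or clear
        "mgmt": Context("mgmt", home_table, {"ops": 10}),
        # authorization configured, but enable_15 left at its default level 15
        "web": Context("web", dict(shared)),
        # hardened as the guide advises: enable_15 is denied what ops is denied
        "hardened": Context("hardened", dict(shared), {ENABLE_15: 5}),
        # command authorization not configured at all in this context
        "legacy": Context("legacy", dict(shared), authorization=False),
    }


if __name__ == "__main__":
    ctxs = sample_contexts()
    for name, cmds in reachable_commands(ctxs, "ops", "mgmt").items():
        print(f"{name:9} {sorted(cmds)}")
    for ctx, cmd in escalation_findings(ctxs, "ops", "mgmt"):
        print(f"finding: '{cmd}' is denied to ops in mgmt but granted to enable_15 in {ctx}")
```

Running the model shows the two failure modes the guide describes side by side: in the "web" context enable_15 keeps its default level 15, and in "legacy" no authorization is configured, so in both the changeto-capable ops user reaches configure and clear that are denied at home; only the "hardened" context, where enable_15 was lowered, yields no finding.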
