beautypg.com

Configuring command authorization – Cisco ASA 5505 User Manual

Page 762

background image

37-22

Cisco ASA 5500 Series Configuration Guide using the CLI

Chapter 37 Configuring Management Access

Configuring AAA for System Administrators

Configuring Command Authorization

If you want to control access to commands, the ASA lets you configure command authorization, where
you can determine which commands that are available to a user. By default when you log in, you can
access user EXEC mode, which offers only minimal commands. When you enter the enable command
(or the login command when you use the local database), you can access privileged EXEC mode and
advanced commands, including configuration commands.

You can use one of two command authorization methods:

Local privilege levels

TACACS+ server privilege levels

Step 2

To configure the user for management authorization, see the following requirements for each AAA server type or
local user:

RADIUS or LDAP (mapped) users—Use the IETF RADIUS numeric Service-Type attribute, which maps to one
of the following values:

Service-Type 6 (Administrative)—Allows full access to any services specified by the aaa authentication
console
commands.

Service-Type 7 (NAS prompt)—Allows access to the CLI when you configure the aaa authentication
{telnet | ssh} console command, but denies ASDM configuration access if you configure the aaa
authentication http console
command. ASDM monitoring access is allowed. If you configure enable
authentication with the aaa authentication enable console command, the user cannot access privileged
EXEC mode using the enable command.

Service-Type 5 (Outbound)—Denies management access. The user cannot use any services specified by the
aaa authentication console commands (excluding the serial keyword; serial access is allowed). Remote
access (IPsec and SSL) users can still authenticate and terminate their remote access sessions.

Configure Cisco VSA CVPN3000-Privilege-Level with a value between 0 and 15. and then map the LDAP
attributes to Cisco VAS CVPN3000-Privilege-Level using the ldap map-attributes command. For more
information, see the

“Configuring LDAP Attribute Maps” section on page 35-18

.

TACACS+ users—Authorization is requested with “service=shell,” and the server responds with PASS or FAIL.

PASS, privilege level 1—Allows access to ASDM, with limited read-only access to the configuration and
monitoring sections, and access for show commands that are privilege level 1 only.

PASS, privilege level 2 and higher—Allows access to the CLI when you configure the aaa authentication
{telnet | ssh} console command, but denies ASDM configuration access if you configure the aaa
authentication http console
command. ASDM monitoring access is allowed. If you configure enable
authentication with the aaa authentication enable console command, the user cannot access privileged
EXEC mode using the enable command. You are not allowed to access privileged EXEC mode using the
enable command if your enable privilege level is set to 14 or less.

FAIL—Denies management access. You cannot use any services specified by the aaa authentication
console
commands (excluding the serial keyword; serial access is allowed).

Local users—Sets the service-type command. By default, the service-type is admin, which allows full access
to any services specified by the aaa authentication console command. Uses the username command to
configure local database users at a privilege level from 0 to 15. For more information, see the

“Adding a User

Account to the Local Database” section on page 35-20

.

Command

Purpose