Cisco Systems ASA 5525-X Network Router User Manual


  Open as PDF
of 2086
 
40-27
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 40 Configuring Management Access
Configuring AAA for System Administrators
show pager
clear pager
quit
show version
Configuring TACACS+ Command Authorization
If you enable TACACS+ command authorization, and a user enters a command at the CLI, the ASA
sends the command and username to the TACACS+ server to determine if the command is authorized.
Before you enable TACACS+ command authorization, be sure that you are logged into the ASA as a user
that is defined on the TACACS+ server, and that you have the necessary command authorization to
continue configuring the ASA. For example, you should log in as an admin user with all commands
authorized. Otherwise, you could become unintentionally locked out.
Do not save your configuration until you are sure that it works the way you want. If you get locked out
because of a mistake, you can usually recover access by restarting the ASA. If you still get locked out,
see the “Recovering from a Lockout” section on page 40-29.
Be sure that your TACACS+ system is completely stable and reliable. The necessary level of reliability
typically requires that you have a fully redundant TACACS+ server system and fully redundant
connectivity to the ASA. For example, in your TACACS+ server pool, include one server connected to
interface 1, and another to interface 2. You can also configure local command authorization as a fallback
method if the TACACS+ server is unavailable. In this case, you need to configure local users and
command privilege levels according to procedures listed in the “Configuring Command Authorization”
section on page 40-22.
To configure TACACS+ command authorization, perform the following steps:
Detailed Steps
Step 1 To perform command authorization using a TACACS+ server, choose Configuration > Device
Management > Users/AAA > AAA Access > Authorization, and check the Enable authorization for
command access > Enable check box.
Step 2 From the Server Group drop-down list, choose a AAA server group name.
Step 3 (Optional) you can configure the ASA to use the local database as a fallback method if the AAA server
is unavailable. To do so, check the Use LOCAL when server group fails check box. We recommend
that you use the same username and password in the local database as the AAA server, because the ASA
prompt does not give any indication which method is being used. Be sure to configure users in the local
database (see the “Adding a User Account to the Local Database” section on page 38-22) and command
privilege levels (see the “Configuring Local Command Authorization” section on page 40-22).
Step 4 Click Apply.
The command authorization settings are assigned, and the changes are saved to the running
configuration.