Cisco Systems ASA 5580 Network Router User Manual


40-22
Cisco ASA 5500 Series Configuration Guide using ASDM
Chapter 40 Configuring Management Access
Configuring AAA for System Administrators
Local users—Configure the Access Restriction option. By default, the access restriction is Full
Access, which allows full access to any services specified by the Authentication tab options. For
more information, see the “Adding a User Account to the Local Database” section on page 38-22.
Configuring Command Authorization
If you want to control access to commands, the ASA lets you configure command authorization, where
you determine which commands are available to a user. By default, when you log in you can
access only user EXEC mode, which offers a minimal set of commands. When you enter the enable command
(or the login command when you use the local database), you can access privileged EXEC mode and
advanced commands, including configuration commands.
You can use one of two command authorization methods:
Local privilege levels
TACACS+ server privilege levels
For more information about command authorization, see the “Information About Command
Authorization” section on page 40-16.
This section includes the following topics:
Configuring Local Command Authorization, page 40-22
Viewing Local Command Privilege Levels, page 40-23
Configuring Commands on the TACACS+ Server, page 40-24
Configuring TACACS+ Command Authorization, page 40-27
Configuring Local Command Authorization
Local command authorization lets you assign commands to one of 16 privilege levels (0 to 15). By
default, each command is assigned either to privilege level 0 or 15. You can define each user to be at a
specific privilege level, and each user can enter any command at the assigned privilege level or below.
The ASA supports user privilege levels defined in the local database, a RADIUS server, or an LDAP
server (if you map LDAP attributes to RADIUS attributes; see the “Using Certificates and User Login
Credentials” section on page 38-8).
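The rule stated above (16 privilege levels, each command defaulting to level 0 or 15, and a user permitted to run any command at their assigned level or below) can be modelled in a few lines so the effect of a given command/user level assignment can be checked before it is pushed to a firewall. The following Python is an added illustration, not Cisco code and not part of the configuration guide; the command names, user names and levels in build_sample() are constructed, and the choice to treat an unlisted command as level 15 and an unknown user as level 0 is an assumption of this model (a fail-closed default), not a statement about ASA behaviour. It also records every denial, which is the data a reviewer would want when auditing who attempted privileged commands.

```python
"""Toy model of ASA-style local command authorization (added example, not Cisco code)."""
from dataclasses import dataclass, field

MIN_LEVEL, MAX_LEVEL = 0, 15  # the 16 privilege levels described in the text


def _check_level(level: int) -> int:
    """Reject anything outside 0-15; ASA privilege levels have no other values."""
    if not isinstance(level, int) or not MIN_LEVEL <= level <= MAX_LEVEL:
        raise ValueError(f"privilege level must be {MIN_LEVEL}-{MAX_LEVEL}, got {level!r}")
    return level


@dataclass
class LocalAuthorizer:
    # command -> privilege level explicitly assigned to it
    command_levels: dict = field(default_factory=dict)
    # user -> privilege level assigned to that local user
    user_levels: dict = field(default_factory=dict)
    # ASSUMPTION of this model: a command with no explicit level is treated as
    # privileged (15), so a forgotten assignment denies rather than permits.
    default_command_level: int = MAX_LEVEL
    # (user, command, user_level, required_level) for every refused attempt
    denials: list = field(default_factory=list)

    def assign_command(self, command: str, level: int) -> None:
        self.command_levels[command] = _check_level(level)

    def set_user_level(self, user: str, level: int) -> None:
        self.user_levels[user] = _check_level(level)

    def command_level(self, command: str) -> int:
        return self.command_levels.get(command, self.default_command_level)

    def is_authorized(self, user: str, command: str) -> bool:
        """A user may run a command whose level is at or below their own level."""
        # ASSUMPTION of this model: an unknown user gets the lowest level (0).
        user_level = self.user_levels.get(user, MIN_LEVEL)
        required = self.command_level(command)
        allowed = required <= user_level
        if not allowed:
            self.denials.append((user, command, user_level, required))
        return allowed

    def commands_for_level(self, level: int) -> list:
        """What 'Viewing Local Command Privilege Levels' would show for one level."""
        _check_level(level)
        return sorted(c for c, lvl in self.command_levels.items() if lvl <= level)


def build_sample() -> LocalAuthorizer:
    """Constructed sample: a handful of commands and three local users."""
    auth = LocalAuthorizer()
    auth.assign_command("show version", 0)
    auth.assign_command("ping", 0)
    auth.assign_command("show logging", 3)          # lowered for a monitoring role
    auth.assign_command("show running-config", 15)
    auth.assign_command("configure terminal", 15)
    auth.set_user_level("helpdesk", 0)
    auth.set_user_level("netops", 3)
    auth.set_user_level("admin", 15)
    return auth


if __name__ == "__main__":
    auth = build_sample()
    for user, cmd in [("netops", "show logging"), ("netops", "configure terminal"),
                      ("helpdesk", "show logging"), ("admin", "configure terminal")]:
        print(f"{user:9} {cmd:20} -> {'permit' if auth.is_authorized(user, cmd) else 'deny'}")
    print("denied attempts:", auth.denials)
```

Running the script prints a permit/deny line per attempt and then the accumulated denials; the same is_authorized() check can be run over a planned level table to confirm, before deployment, that a user at level 3 cannot reach configuration commands.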
To configure local command authorization, perform the following steps:
Detailed Steps
Step 1 To enable command authorization, choose Configuration > Device Management > Users/AAA > AAA
Access > Authorization, and check the Enable authorization for command access > Enable check
box.
Step 2 From the Server Group drop-down list, choose LOCAL.
Step 3 When you enable local command authorization, you have the option of manually assigning privilege
levels to individual commands or groups of commands or enabling the predefined user account
privileges.
To use predefined user account privileges, click Set ASDM Defined User Roles.