Cisco Systems OL-16647-01 Network Router User Manual


 
16-22
Cisco ASDM User Guide
OL-16647-01
Chapter 16 Configuring Management Access
Configuring AAA for System Administrators
Limiting User CLI and ASDM Access with Management Authorization
If you configure CLI or enable authentication, you can restrict a local, RADIUS, TACACS+, or LDAP user (if you map LDAP attributes to RADIUS attributes) from accessing the CLI, ASDM, or the enable command.
Note Serial access is not included in management authorization, so if you enable the Authentication > Serial option, then any user who authenticates can access the console port.
To configure management authorization, perform the following steps:
Step 1 To enable management authorization, go to Configuration > Device Management > Users/AAA > AAA Access > Authorization, and check the Perform authorization for exec shell access > Enable check box.
This option also enables support of administrative user privilege levels from RADIUS, which can be used in conjunction with local command privilege levels for command authorization. See the “Configuring Local Command Authorization” section on page 16-25 for more information.
Step 2 To configure the user for management authorization, see the following requirements for each AAA server type or local user:
RADIUS or LDAP (mapped) users—Configure the IETF RADIUS numeric Service-Type attribute for one of the following values.
  Service-Type 6 (admin)—Allows full access to any services specified by the Authentication tab options.
  Service-Type 7 (nas-prompt)—Allows access to the CLI when you configure the Telnet or SSH authentication options, but denies ASDM configuration access if you configure the HTTP option. ASDM monitoring access is allowed. If you configure enable authentication with the Enable option, the user cannot access privileged EXEC mode using the enable command.
  Service-Type 5 (remote-access)—Denies management access. The user cannot use any services specified by the Authentication tab options (excluding the Serial option; serial access is allowed). Remote-access (IPSec and SSL) users can still authenticate and terminate their remote-access sessions.
TACACS+ users—Authorization is requested with “service=shell”, and the server responds with PASS or FAIL.
  PASS, privilege level 1—Allows full access to any services specified by the Authentication tab options.
  PASS, privilege level 2 and higher—Allows access to the CLI when you configure the Telnet or SSH authentication options, but denies ASDM configuration access if you configure the HTTP option. ASDM monitoring access is allowed. If you configure enable authentication with the Enable option, the user cannot access privileged EXEC mode using the enable command.
  FAIL—Denies management access. The user cannot use any services specified by the Authentication tab options (excluding the Serial option; serial access is allowed).
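The following is an added, constructed example that is not part of the Cisco guide. It shows the ASA CLI form of Step 1 and Step 2 for local fallback users, followed by the matching FreeRADIUS users-file entries that set the IETF Service-Type attribute to the three values described above. The command names are the ASA CLI commands as the editor knows them (the ASDM check box in Step 1 corresponds to aaa authorization exec authentication-server); the server group name MGMT-RADIUS, the host 192.0.2.10, the user names, and every value in angle brackets are placeholders chosen for this example.

```text
! --- ASA CLI: management authentication and authorization (constructed example) ---
! Authenticate SSH, ASDM (HTTP) and the enable command against RADIUS, LOCAL as fallback.
aaa-server MGMT-RADIUS protocol radius
aaa-server MGMT-RADIUS (inside) host 192.0.2.10
 key <shared-secret-placeholder>
aaa authentication ssh console MGMT-RADIUS LOCAL
aaa authentication http console MGMT-RADIUS LOCAL
aaa authentication enable console MGMT-RADIUS LOCAL
! Step 1: "Perform authorization for exec shell access > Enable"
aaa authorization exec authentication-server
! Step 2, local fallback users: the service-type attribute carries the same
! three values the RADIUS Service-Type attribute does.
username asa-admin password <placeholder> privilege 15
username asa-admin attributes
 service-type admin
username noc-viewer password <placeholder> privilege 1
username noc-viewer attributes
 service-type nas-prompt
! A VPN-only account: it can authenticate for remote access but gets no CLI or ASDM.
username vpn-only password <placeholder>
username vpn-only attributes
 service-type remote-access

# --- FreeRADIUS "users" file entries for the same three roles (constructed example) ---
# Service-Type is IETF RADIUS attribute 6; the value names are those of the
# standard RFC 2865 dictionary: 6 = Administrative-User, 7 = NAS-Prompt-User, 5 = Outbound-User.
# Service-Type 6: full access to CLI, ASDM configuration and enable
asa-admin   Cleartext-Password := "<placeholder>"
            Service-Type = Administrative-User
# Service-Type 7: CLI and ASDM monitoring only; no ASDM configuration, no enable
noc-viewer  Cleartext-Password := "<placeholder>"
            Service-Type = NAS-Prompt-User
# Service-Type 5: remote-access VPN only; no management access at all
vpn-only    Cleartext-Password := "<placeholder>"
            Service-Type = Outbound-User
```

The point of the vpn-only entry is the one the guide makes for Service-Type 5: when VPN users and administrators authenticate against the same RADIUS server, the attribute is what keeps a valid VPN credential from also opening the CLI or ASDM. The serial note above still applies to this configuration: management authorization does not cover the console port, so any account that authenticates can use it, and console access has to be controlled physically.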