Cisco Systems OL-16647-01 Network Router User Manual
16-23
Cisco ASDM User Guide
OL-16647-01
Chapter 16 Configuring Management Access
Configuring AAA for System Administrators
Local users—Configure the Access Restriction option. See “Add/Edit User Account > Identity”. By
default, the access restriction is Full Access, which allows full access to any services specified by
the Authentication tab options.
Configuring Command Authorization
If you want to control access to commands, the security appliance lets you configure command
authorization, where you determine which commands are available to a user. By default, when
you log in, you can access user EXEC mode, which offers only minimal commands. When you enter the
enable command (or the login command when you use the local database), you can access privileged
EXEC mode and advanced commands, including configuration commands.
This section includes the following topics:
Command Authorization Overview, page 16-23
Configuring Local Command Authorization, page 16-25
Configuring TACACS+ Command Authorization, page 16-27
Command Authorization Overview
This section describes command authorization, and includes the following topics:
Supported Command Authorization Methods, page 16-23
About Preserving User Credentials, page 16-24
Security Contexts and Command Authorization, page 16-24
Supported Command Authorization Methods
You can use one of two command authorization methods:
Local privilege levels—Configure the command privilege levels on the security appliance. When a
local, RADIUS, or LDAP (if you map LDAP attributes to RADIUS attributes) user authenticates for
CLI access, the security appliance places that user in the privilege level that is defined by the local
database, RADIUS, or LDAP server. The user can access commands at the user’s privilege level and
below. Note that all users access user EXEC mode when they first log in (commands at level 0 or 1).
The user needs to authenticate again with the enable command to access privileged EXEC mode
(commands at level 2 or higher), or they can log in with the login command (local database only).
Note You can use local command authorization without any users in the local database and without
CLI or enable authentication. Instead, when you enter the enable command, you enter the
system enable password, and the security appliance places you in level 15. You can then create
enable passwords for every level, so that when you enter enable n (2 to 15), the security
appliance places you in level n. These levels are not used unless you turn on local command
authorization (see “Configuring Local Command Authorization” below). (See the Cisco Security
Appliance Command Reference for more information about enable.)
TACACS+ server privilege levels—On the TACACS+ server, configure the commands that a user or
group can use after they authenticate for CLI access. Every command that a user enters at the CLI
is checked with the TACACS+ server.
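The CLI equivalent of both methods described above, given here as an added example rather than text from this guide; the passwords, the 192.0.2.10 server address, the TACACS_SRV group name and the netops account are placeholders, and the release is assumed to accept the same syntax as the one this guide documents.

```cisco
! Added example, not from the ASDM guide. Placeholder values throughout.

! --- Method 1: local privilege levels ---
! System enable password (level 15) plus a separate password for level 5,
! so "enable 5" places the user in level 5 instead of 15.
enable password Level15-Secret-PLACEHOLDER
enable password Level5-Secret-PLACEHOLDER level 5

! Operator account with a default privilege level. After logging in the user
! is still in user EXEC (level 0/1) and must enable or login to go higher.
username netops password Operator-Secret-PLACEHOLDER privilege 5

! Assign commands to levels; a user at level N can run commands at level <= N.
privilege show level 5 mode exec command running-config
privilege cmd level 5 mode exec command ping
privilege cmd level 5 mode exec command packet-tracer
privilege show level 3 mode configure command access-list

! The levels above are not enforced until local command authorization is on.
aaa authentication enable console LOCAL
aaa authorization command LOCAL

! --- Method 2: TACACS+ server privilege levels ---
! The per-user or per-group command policy lives on the TACACS+ server;
! the appliance sends every CLI command to it for a permit/deny decision.
aaa-server TACACS_SRV protocol tacacs+
aaa-server TACACS_SRV (inside) host 192.0.2.10
 key Shared-Key-PLACEHOLDER
aaa authentication ssh console TACACS_SRV LOCAL
aaa authentication enable console TACACS_SRV LOCAL
! LOCAL as fallback so administrators are not locked out if the server is down.
aaa authorization command TACACS_SRV LOCAL
```

Only one of the two aaa authorization command lines would be active at a time; the last one entered replaces the other.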