Cisco Systems OL-16647-01 Network Router User Manual
16-25
Cisco ASDM User Guide
OL-16647-01
Chapter 16 Configuring Management Access
Configuring AAA for System Administrators
command accounting records may not readily identify who was logged in as the enable_15
username. If you use different accounting servers for each context, tracking who was using the
enable_15 username requires correlating the data from several servers.
When configuring command authorization, consider the following:
• An administrator with permission to use the changeto command effectively has permission to use all commands permitted to the enable_15 user in each of the other contexts.
• If you intend to authorize commands differently per context, ensure that in each context the enable_15 username is denied use of commands that are also denied to administrators who are permitted use of the changeto command.
When switching between security contexts, administrators can exit privileged EXEC mode and enter
the enable command again to use the username they need.
Note The system execution space does not support AAA commands; therefore, command authorization is not
available in the system execution space.
Configuring Local Command Authorization
Local command authorization lets you assign commands to one of 16 privilege levels (0 to 15). By default, each command is assigned to either privilege level 0 or privilege level 15. You can define each user to be at a specific privilege level, and each user can enter any command at their privilege level or below. The security appliance supports user privilege levels defined in the local database, on a RADIUS server, or on an LDAP server (if you map LDAP attributes to RADIUS attributes; see the “Configuring LDAP Attribute Maps” section on page 14-22).
This section includes the following topics:
• Local Command Authorization Prerequisites, page 16-25
• Default Command Privilege Levels, page 16-26
• Assigning Privilege Levels to Commands and Enabling Authorization, page 16-26
Local Command Authorization Prerequisites
Complete the following tasks as part of your command authorization configuration:
• Configure enable authentication. (See the “Configuring Authentication for CLI, ASDM, and enable command Access” section on page 16-20.)
enable authentication is essential to maintain the username after the user accesses the enable command.
Alternatively, you can use the login command (which is the same as the enable command with authentication; for the local database only), which requires no configuration. We do not recommend this option because it is not as secure as enable authentication.
• You can also use CLI authentication, but it is not required.
See the following prerequisites for each user type:
• Local database users—Configure each user in the local database at a privilege level from 0 to 15. To configure the local database, see the “AAA Server and Local Database Support” section on page 14-3.
• RADIUS users—Configure the user with Cisco VSA CVPN3000-Privilege-Level with a value between 0 and 15.
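The following CLI fragment is an added example, not configuration from the ASDM guide, showing the prerequisites above in the order a practitioner would enter them on an ASA in single-context mode: local users at explicit privilege levels, enable authentication so that the per-user identity survives the enable command, and local command authorization. The usernames, passwords and the choice of commands to reassign are illustrative assumptions; the syntax of the privilege command and the show running-config privilege all listing are written from memory and should be checked against the command reference for your release.

```text
! Added example (not from the ASDM guide). Names and passwords are placeholders.

! 1. Local database users, each at an explicit privilege level (0-15).
!    A user may run any command at or below their own level.
username netops-ro    password <strong-password> privilege 5
username netops-admin password <strong-password> privilege 15

! 2. Prerequisite: enable authentication. Without it every administrator who
!    runs "enable" becomes the shared enable_15 identity, and command
!    accounting records can no longer say which person ran a command.
!    (The "login" command works against the local database with no
!    configuration, but the guide recommends enable authentication instead.)
aaa authentication enable console LOCAL

! Optional: CLI authentication against the same local database.
aaa authentication ssh console LOCAL

! 3. Reassign commands to the levels you want. Assumed syntax:
!    privilege [show|clear|cmd] level <0-15> [mode enable|cmd] command <cmd>
!    Here "show logging" is moved to level 5 so the read-only operator can
!    run it; verify the default level first with:
!      show running-config privilege all
privilege show level 5 mode enable command logging

! 4. Turn on local command authorization.
aaa authorization command LOCAL

! Check from a session: "show curpriv" reports the current user and level.
! In multiple-context mode, keep "changeto" at level 15 only for users you
! would trust with enable_15 in every context, as the guide warns above.
```

Apply step 2 before step 4 and test from a second session before closing the first: if enable authentication is missing or misconfigured, authorization is evaluated against enable_15 rather than the logged-in user, and a mistake can lock administrators out of their own commands.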