Cisco Systems OL-16647-01 Network Router User Manual


Cisco ASDM User Guide
OL-16647-01
Chapter 16 Configuring Management Access
Configuring AAA for System Administrators
LDAP users—Configure the user with a privilege level between 0 and 15, and then map the
LDAP attribute to Cisco VAS CVPN3000-Privilege-Level according to the “Configuring LDAP
Attribute Maps” section on page 14-22.
Default Command Privilege Levels
By default, the following commands are assigned to privilege level 0. All other commands are at
level 15.
show checksum
show curpriv
enable
help
show history
login
logout
pager
show pager
clear pager
quit
show version
If you move any configure mode commands to a lower level than 15, be sure to move the configure
command to that level as well; otherwise, the user will not be able to enter configuration mode.
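The check below is an added example, not part of the Cisco manual: it scans a saved configuration for configuration-mode commands that were moved below the level of the configure command itself. The `privilege ... level ... mode ... command ...` line shape, the function names, and the sample text are assumptions made for illustration; the sample is constructed.

```python
import re

# Assumed running-config line shape (not shown on this page):
#   privilege {cmd|show|clear} level <0-15> mode {exec|configure} command <name>
PRIV_RE = re.compile(
    r"^privilege\s+(cmd|show|clear)\s+level\s+(\d+)\s+"
    r"mode\s+(exec|configure)\s+command\s+(\S+)\s*$"
)
DEFAULT_LEVEL = 15  # per the manual: commands not listed at level 0 default to 15


def parse_privileges(config_text):
    """Return a list of (form, level, mode, command) tuples."""
    entries = []
    for line in config_text.splitlines():
        m = PRIV_RE.match(line.strip())
        if m:
            level = int(m.group(2))
            if 0 <= level <= 15:
                entries.append((m.group(1), level, m.group(3), m.group(4)))
    return entries


def unreachable_config_commands(config_text):
    """Configure-mode commands lowered below the level of 'configure' itself."""
    entries = parse_privileges(config_text)
    configure_level = DEFAULT_LEVEL
    for form, level, mode, command in entries:
        if (form, mode, command) == ("cmd", "exec", "configure"):
            configure_level = level  # last matching line wins
    return sorted(
        (command, level)
        for form, level, mode, command in entries
        if form == "cmd" and mode == "configure" and level < configure_level
    )


# Constructed sample, not taken from a real device.
SAMPLE = """\
privilege cmd level 5 mode configure command interface
privilege cmd level 10 mode configure command access-list
privilege show level 5 mode exec command running-config
privilege cmd level 10 mode exec command configure
"""

if __name__ == "__main__":
    for command, level in unreachable_config_commands(SAMPLE):
        print(f"level-{level} users cannot reach '{command}': "
              "'configure' is at a higher level")
```

In the sample, `interface` is flagged because it sits at level 5 while configure is at level 10; `access-list` at level 10 is not.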
Assigning Privilege Levels to Commands and Enabling Authorization
To assign a command to a new privilege level and enable authorization, follow these steps:
Step 1 To enable command authorization, go to Configuration > Device Management > Users/AAA > AAA
Access > Authorization, and check Enable authorization for command access > Enable.
Step 2 From the Server Group drop-down list, choose LOCAL.
Step 3 When you enable local command authorization, you have the option of manually assigning privilege
levels to individual commands or groups of commands or enabling the predefined user account
privileges.
To use predefined user account privileges, click Set ASDM Defined User Roles.
The ASDM Defined User Roles Setup dialog box shows the commands and their levels. Click Yes
to use the predefined user account privileges: Admin (privilege level 15, with full access to all CLI
commands); Read Only (privilege level 5, with read-only access); and Monitor Only (privilege level
3, with access to the Monitoring section only).
To manually configure command levels, click Configure Command Privileges.
The Command Privileges Setup dialog box appears. You can view all commands by choosing --All
Modes-- from the Command Mode drop-down list, or you can choose a configuration mode to view
the commands available in that mode. For example, if you choose context, you can view all
commands available in context configuration mode. If a command can be entered in user
EXEC/privileged EXEC mode as well as configuration mode, and the command performs different
actions in each mode, you can set the privilege level for these modes separately.