40-7
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 40 Managing System Access
Configuring AAA for System Administrators
Configuring Command Authorization
By default when you log in, you can access user EXEC mode, which offers only minimal commands.
When you enter the enable command (or the login command when you use the local database), you can
access privileged EXEC mode and advanced commands, including configuration commands. If you want
to control access to commands, the security appliance lets you configure command authorization,
where you determine which commands are available to a user.
This section includes the following topics:
• Command Authorization Overview, page 40-7
• Configuring Local Command Authorization, page 40-7
• Configuring TACACS+ Command Authorization, page 40-10
Command Authorization Overview
You can use one of two command authorization methods:
• Local database—Configure the command privilege levels on the security appliance. When a local
user authenticates with the enable command (or logs in with the login command), the security
appliance places that user in the privilege level that is defined by the local database. The user can
then access commands at the user’s privilege level and below.
Note You can use local command authorization without any users in the local database and without
CLI or enable authentication. Instead, when you enter the enable command, you enter the
system enable password, and the security appliance places you in level 15. You can then create
enable passwords for every level, so that when you enter enable n (2 to 15), the security
appliance places you in level n. These levels are not used unless you turn on local command
authorization (see “Configuring Local Command Authorization” below). (See the Cisco Security
Appliance Command Reference for more information about enable.)
• TACACS+ server—On the TACACS+ server, configure the commands that a user or group can use
after they authenticate for CLI access. Every command that a user enters at the CLI is checked with
the TACACS+ server.
Configuring Local Command Authorization
Local command authorization places each user at a privilege level, and each user can enter any command
at their privilege level or below. The security appliance lets you assign commands to one of 16 privilege
levels (0 to 15). By default, each command is assigned either to privilege level 0 or 15.
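The following Python model is an added example, not Cisco code or configuration: it reproduces the local command authorization rules described above (16 levels, commands defaulting to level 0 or 15, enable n with a per-level enable password, and access to commands at the user's level and below) so the decision logic can be checked offline. The command names, user name and passwords are constructed sample values, and the behaviour with authorization turned off is an assumed reading of the note above.

```python
from dataclasses import dataclass, field
from secrets import compare_digest

MAX_LEVEL = 15


@dataclass
class LocalCommandAuthz:
    """Model of local-database command authorization as described on this page."""
    # command -> assigned privilege level; anything not listed keeps the default of 15
    command_levels: dict = field(default_factory=dict)
    # privilege level -> enable password used by 'enable n' (constructed sample values)
    enable_passwords: dict = field(default_factory=dict)
    # local users: name -> (password, privilege level stored in the local database)
    users: dict = field(default_factory=dict)
    # whether local command authorization has been turned on
    command_authorization: bool = False

    def enable(self, password: str, level: int = MAX_LEVEL):
        """'enable [n]': return the level reached, or None if that level's password is wrong."""
        if not 0 <= level <= MAX_LEVEL:
            raise ValueError("privilege levels run from 0 to 15")
        expected = self.enable_passwords.get(level)
        if expected is not None and compare_digest(expected, password):
            return level
        return None

    def login(self, name: str, password: str):
        """'login' with a local user: the level comes from the local database entry."""
        entry = self.users.get(name)
        if entry is not None and compare_digest(entry[0], password):
            return entry[1]
        return None

    def authorized(self, level: int, command: str) -> bool:
        """A user at `level` may run any command assigned to that level or below."""
        assigned = self.command_levels.get(command, MAX_LEVEL)
        if not self.command_authorization:
            # Assumed model: levels are unused until authorization is on, so user EXEC
            # (level 0) sees only level-0 commands and privileged EXEC sees everything.
            return level > 0 or assigned == 0
        return assigned <= level


def sample_appliance(authorization: bool) -> LocalCommandAuthz:
    """Constructed sample: two default-level commands and one reassigned to level 5."""
    return LocalCommandAuthz(
        command_levels={"show version": 0, "show running-config": 5,
                        "configure terminal": MAX_LEVEL},
        enable_passwords={5: "level5-sample", MAX_LEVEL: "level15-sample"},
        users={"ops": ("ops-sample", 5)},
        command_authorization=authorization,
    )
```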
This section includes the following topics:
• Local Command Authorization Prerequisites, page 40-8
• Default Command Privilege Levels, page 40-8
• Assigning Privilege Levels to Commands and Enabling Authorization, page 40-8
• Viewing Command Privilege Levels, page 40-10