40-14
Cisco Security Appliance Command Line Configuration Guide
OL-10088-01
Chapter 40 Managing System Access
Configuring AAA for System Administrators
–
show pager
–
clear pager
–
quit
–
show version
Enabling TACACS+ Command Authorization
Before you enable TACACS+ command authorization, be sure that you are logged into the security
appliance as a user that is defined on the TACACS+ server, and that you have the necessary command
authorization to continue configuring the security appliance. For example, you should log in as an admin
user with all commands authorized. Otherwise, you could become unintentionally locked out.
To perform command authorization using a TACACS+ server, enter the following command:
hostname(config)# aaa authorization command tacacs+_server_group [LOCAL]
You can configure the security appliance to use the local database as a fallback method if the TACACS+
server is unavailable. To enable fallback, specify the server group name followed by LOCAL (LOCAL
is case sensitive). We recommend that you use the same username and password in the local database as
the TACACS+ server because the security appliance prompt does not give any indication which method
is being used. Be sure to configure users in the local database (see the “Configuring Command
Authorization” section on page 40-7) and command privilege levels (see the “Configuring Local
Command Authorization” section on page 40-7).
Configuring Command Accounting
You can send accounting messages to the TACACS+ accounting server when you enter any command
other than show commands at the CLI. If you customize the command privilege level using the privilege
command (see the “Assigning Privilege Levels to Commands and Enabling Authorization” section on
page 40-8), you can limit which commands the security appliance accounts for by specifying a minimum
privilege level. The security appliance does not account for commands that are below the minimum
privilege level.
To enable command accounting, enter the following command:
hostname(config)# aaa accounting command [privilege level] server-tag
Where level is the minimum privilege level and server-tag is the name of the TACACS+ server group
that to which the security appliance should send command accounting messages. The TACACS+ server
group configuration must already exist. For information about configuring a AAA server group, see the
“Identifying AAA Server Groups and Servers” section on page 13-12.
Viewing the Current Logged-In User
To view the current logged-in user, enter the following command:
hostname# show curpriv
See the following sample show curpriv command output. A description of each field follows.
hostname# show curpriv
Username : admin
Current privilege level : 15
Current Mode/s : P_PRIV
To Next Page
Loading...
Need help?
General