Cisco 7604 Configuration Guide - Page 536
Configuring Command Authorization, Command Authorization Overview
AAA for System Administrators
Chapter 23 Configuring Management Access
Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM, OL-20748-01, page 23-14

Caution: If you add users to the local database who can gain access to the CLI and whom you do not want to enter privileged EXEC mode, you should configure command authorization. Without command authorization, users can access privileged EXEC mode (and all commands) at the CLI using their own password if their privilege level is 2 or greater (2 is the default), because the privilege levels stored in the local database are not enforced until command authorization is turned on. Alternatively, you can use RADIUS or TACACS+ authentication, or you can set all local users to level 1 so you can control who can use the system enable password to access privileged EXEC mode.

To log in as a user from the local database, enter the following command:

hostname> login

The FWSM prompts for your username and password. After you enter your password, the FWSM places you in the privilege level that the local database specifies. You can enter the login command only in user EXEC mode. If you are in privileged EXEC mode, enter the disable command to return to user EXEC mode.

Configuring Command Authorization

By default when you log in, you can access user EXEC mode, which offers only minimal commands. When you enter the enable command (or the login command when you use the local database), you can access privileged EXEC mode and advanced commands, including configuration commands. If you want to control access to commands, the FWSM lets you configure command authorization, where you determine which commands are available to a user.

This section includes the following topics:
• Command Authorization Overview, page 23-14
• Configuring Local Command Authorization, page 23-15
• Configuring TACACS+ Command Authorization, page 23-18

Command Authorization Overview

You can use one of two command authorization methods:
• Local database: Configure the command privilege levels on the FWSM. When a local user authenticates with the enable command (or logs in with the login command), the FWSM places that user in the privilege level that is defined by the local database. The user can then access commands at the user's privilege level and below. You can use local command authorization without any users in the local database and without CLI or enable authentication. To do so, when you enter the enable command, use the system enable password, and the FWSM places you in level 15 as the default "enable_15" username. You can create enable passwords for every level, so that when you enter enable n (2 to 15), the FWSM places you in level n. These levels are not used unless you turn on local command authorization (see "Configuring Local Command Authorization"). (See the Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Command Reference for more information about the enable command.)
• TACACS+ server: On the TACACS+ server, configure the commands that a user or group can use after they authenticate for CLI access. Every command that a user enters at the CLI is checked with the TACACS+ server.
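The configuration below is an added example and is not configuration or text from the Cisco guide. It places the weak setting that the caution above describes (local users at privilege 2 or higher with no command authorization) beside a corrected local command authorization setup. Usernames, passwords and the privilege levels chosen for the show commands are placeholders picked for this example; the command syntax is the FWSM/ASA privilege, enable password and aaa forms, and the statement that commands you do not reassign keep a default level of 15 is an assumption not made on this page.

```text
! ADDED EXAMPLE, not from the Cisco guide. All names, passwords and the
! chosen levels are placeholders.
!
! --- Weak: local users at level 2+ and no command authorization ---
username netops password NetOpsPass1 privilege 2
username admin password AdminPass1 privilege 15
aaa authentication ssh console LOCAL
! No "aaa authorization command" line. After "login", netops lands in
! privileged EXEC and, because the stored levels are not enforced, can run
! every command, including "configure terminal".
!
! --- Corrected: enforce the levels with local command authorization ---
username netops password NetOpsPass1 privilege 5
username admin password AdminPass1 privilege 15
aaa authentication ssh console LOCAL
aaa authentication enable console LOCAL
! Let level-5 users run a few read-only show commands. Commands that are
! not reassigned keep their default level (assumed here to be 15), so
! "configure terminal" remains available only at level 15.
privilege show level 5 command running-config
privilege show level 5 command interface
privilege show level 5 command logging
! A distinct enable password per level, so "enable 5" grants level 5 and
! only the level-15 password reaches full privileged EXEC.
enable password Level5Pass1 level 5
enable password SysEnablePass1 level 15
! This line is what makes the privilege levels matter.
aaa authorization command LOCAL
```

To check the result, log in as netops, run show curpriv to confirm the session is at level 5, and confirm that configure terminal is refused while show running-config is accepted. Apply the aaa authorization command line last, from a session that already holds level 15, so you do not lock yourself out while the privilege assignments are still incomplete.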