Cisco 7609-S Configuration Guide - Page 541
TACACS+ Command Authorization Prerequisites, Configuring Commands on the TACACS+ Server, enable
Chapter 23 Configuring Management Access
AAA for System Administrators

When configuring command authorization with a TACACS+ server, do not save your configuration until you are sure it works the way you want. If you get locked out because of a mistake, you can usually recover access by restarting the FWSM. If you still get locked out, see the "Recovering from a Lockout" section on page 23-23.

Be sure that your TACACS+ system is completely stable and reliable. The necessary level of reliability typically requires that you have a fully redundant TACACS+ server system and fully redundant connectivity to the FWSM. For example, in your TACACS+ server pool, include one server connected to interface 1, and another to interface 2.

You can also configure local command authorization as a fallback method if the TACACS+ server is unavailable. In this case, you need to configure local users and command privilege levels according to the "Configuring Command Authorization" section on page 23-14.

This section includes the following topics:

• TACACS+ Command Authorization Prerequisites, page 23-19
• Configuring Commands on the TACACS+ Server, page 23-19
• Enabling TACACS+ Command Authorization, page 23-22

TACACS+ Command Authorization Prerequisites

Complete the following tasks as part of your command authorization configuration:

• Configure CLI authentication (see the "Configuring Authentication for CLI and ASDM Access" section on page 23-10).
• Configure enable authentication (see the "Configuring Authentication to Access Privileged EXEC Mode" section on page 23-13).

Configuring Commands on the TACACS+ Server

You can configure commands on a Cisco Secure Access Control Server (ACS) as a shared profile component, for a group, or for individual users. For third-party TACACS+ servers, see your server documentation for more information about command authorization support.

See the following guidelines for configuring commands in Cisco Secure ACS Version 3.1; many of these guidelines also apply to third-party servers:

• The FWSM sends the commands to be authorized as "shell" commands, so configure the commands on the TACACS+ server as shell commands.

Note: Cisco Secure ACS might include a command type called "pix-shell." Do not use this type for FWSM command authorization.

• The first word of the command is considered to be the main command. All additional words are considered to be arguments, which need to be preceded by permit or deny. For example, to allow the show running-configuration aaa-server command, add show running-configuration to the command field, and type permit aaa-server in the arguments field.

• You can permit all arguments of a command that you do not explicitly deny by checking the Permit Unmatched Args check box. For example, you can configure just the show command, and then all the show commands are allowed. We recommend using this method so that you do not have to anticipate every variant of a command, including abbreviations and the question mark, which shows CLI usage (see Figure 23-1).

OL-20748-01 Catalyst 6500 Series Switch and Cisco 7600 Series Router Firewall Services Module Configuration Guide using ASDM 23-19
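The matching rules above, as an added model (not ACS or FWSM code) that evaluates a constructed shell command set the way this page describes: the command field selects the entry, the argument lines are tried as permit/deny patterns, Permit Unmatched Args decides anything left over, and the local fallback from page 23-14 is applied only when the TACACS+ server is unreachable. Assumptions not stated on the page: argument patterns are matched as anchored regular expressions, the first matching entry wins, and local fallback compares the user's privilege level against the level assigned to the command's first word.

```python
import re
from dataclasses import dataclass

@dataclass
class ShellCommandRule:
    # Command field of the ACS shell-command entry (may be more than one
    # word, as in the page's "show running-configuration" example).
    command: str
    # Argument field lines, each "permit <pattern>" or "deny <pattern>".
    args: tuple = ()
    # The "Permit Unmatched Args" check box.
    permit_unmatched_args: bool = False

def tacacs_authorize(rules, cli_line):
    """Model of the server-side decision for one FWSM shell command.
    Assumption: a pattern is matched as a regex against the whole
    argument string, and the first entry whose command field matches wins."""
    words = cli_line.split()
    for rule in rules:
        cmd_words = rule.command.split()
        if words[:len(cmd_words)] != cmd_words:
            continue
        rest = " ".join(words[len(cmd_words):])
        for line in rule.args:
            action, _, pattern = line.partition(" ")
            if re.fullmatch(pattern, rest):
                return action == "permit"
        return rule.permit_unmatched_args
    return False  # no entry for this command: denied

def local_authorize(levels, user_level, cli_line):
    """Fallback model: a command assigned level N runs only for users at
    level >= N; commands with no assigned level default to level 15."""
    words = cli_line.split()
    return bool(words) and user_level >= levels.get(words[0], 15)

def authorize(rules, cli_line, tacacs_up, levels, user_level):
    """TACACS+ decides when reachable; local levels only as fallback."""
    if tacacs_up:
        return tacacs_authorize(rules, cli_line)
    return local_authorize(levels, user_level, cli_line)

# Constructed policy mirroring the page's two examples plus a deny line.
RULES = (
    ShellCommandRule("show running-configuration", ("permit aaa-server",)),
    ShellCommandRule("show", permit_unmatched_args=True),
    ShellCommandRule("configure", ("deny terminal",), permit_unmatched_args=True),
)
LOCAL_LEVELS = {"show": 3, "configure": 15}  # constructed fallback levels
```

Run each candidate command through authorize() with the server marked up and then down before saving the FWSM configuration, so a rule that locks out an administrator shows up in the model rather than on the module.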