Cisco 5510 - ASA SSL / IPsec VPN Edition Configuration Guide

1822 pages
32-13
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 32 Configuring Management Access
Configuring AAA for System Administrators
  - Service-Type 7 (NAS prompt)—Allows access to the CLI when you configure the Telnet or SSH
    authentication options, but denies ASDM configuration access if you configure the HTTP
    option. ASDM monitoring access is allowed. If you configure enable authentication with the
    Enable option, the user cannot access privileged EXEC mode using the enable command.
  - Service-Type 5 (Outbound)—Denies management access. The user cannot use any services
    specified by the Authentication tab options (excluding the Serial option; serial access is
    allowed). Remote-access (IPSec and SSL) users can still authenticate and terminate their
    remote-access sessions.
• TACACS+ users—Authorization is requested with “service=shell”, and the server responds with
  PASS or FAIL.
  - PASS, privilege level 1—Allows full access to any services specified by the Authentication tab
    options.
  - PASS, privilege level 2 and higher—Allows access to the CLI when you configure the Telnet or
    SSH authentication options, but denies ASDM configuration access if you configure the HTTP
    option. ASDM monitoring access is allowed. If you configure enable authentication with the
    Enable option, the user cannot access privileged EXEC mode using the enable command.
  - FAIL—Denies management access. The user cannot use any services specified by the
    Authentication tab options (excluding the Serial option; serial access is allowed).
• Local users—Configure the Access Restriction option. See the “Adding a User Account” section on
  page 31-18. By default, the access restriction is Full Access, which allows full access to any services
  specified by the Authentication tab options.
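The following added example (it is not part of the Cisco guide) models the RADIUS Service-Type and TACACS+ rules listed above as a small Python audit helper, so that a roster of server replies can be checked for accounts that end up with ASDM configuration or enable access. The function names, tier labels and sample roster are assumptions made for the illustration; only Service-Type 7 and 5 and the three TACACS+ outcomes described on this page are covered.

```python
# Added illustration: models only the rules stated on this page; names are hypothetical.
FULL, LIMITED, DENIED = "full", "limited", "denied"

def tier_from_tacacs(status, priv_lvl=None):
    """Map a TACACS+ "service=shell" authorization reply to an access tier."""
    if status == "FAIL":
        return DENIED
    if status != "PASS" or priv_lvl is None or priv_lvl < 1:
        raise ValueError(f"reply not covered by the page: {status!r}, {priv_lvl!r}")
    return FULL if priv_lvl == 1 else LIMITED  # level 2 and higher is the restricted tier

def tier_from_radius(service_type):
    """Map a RADIUS Service-Type to a tier; only values 7 and 5 appear on this page."""
    tiers = {7: LIMITED, 5: DENIED}
    if service_type not in tiers:
        raise ValueError(f"Service-Type {service_type} is not covered by the page")
    return tiers[service_type]

def effective_access(tier, auth_options):
    """Resolve a tier against the configured Authentication tab options.
    auth_options is a subset of {"telnet", "ssh", "http", "enable", "serial"}.
    Only outcomes the page states are returned; anything else is omitted."""
    opts, access = set(auth_options), {}
    if opts & {"telnet", "ssh"}:
        access["cli"] = tier != DENIED
    if "http" in opts:
        access["asdm_config"] = tier == FULL
        access["asdm_monitor"] = tier != DENIED
    if "enable" in opts:
        access["enable"] = tier == FULL
    if "serial" in opts and tier != LIMITED:
        access["serial"] = True  # full access, or the serial exemption from a denial
    return access

def audit(roster, auth_options):
    """Return the names whose tier yields ASDM configuration or enable access."""
    flagged = []
    for name, tier in roster:
        access = effective_access(tier, auth_options)
        if access.get("asdm_config") or access.get("enable"):
            flagged.append(name)
    return flagged

# Constructed sample roster: (account, tier derived from the server's reply).
ROSTER = [("noc-view", tier_from_tacacs("PASS", 15)), ("fw-admin", tier_from_tacacs("PASS", 1)),
          ("vpn-only", tier_from_radius(5)), ("helpdesk", tier_from_radius(7)),
          ("contractor", tier_from_tacacs("FAIL"))]

if __name__ == "__main__":
    print(audit(ROSTER, {"ssh", "http", "enable"}))
```

Under the rules above, the constructed "noc-view" account with TACACS+ privilege level 15 resolves to the restricted tier, while the level 1 account is the one flagged with full access.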
Configuring Command Authorization
If you want to control access to commands, the adaptive security appliance lets you configure
command authorization, where you determine which commands are available to a user. By
default, when you log in, you can access user EXEC mode, which offers only minimal commands. When
you enter the enable command (or the login command when you use the local database), you can access
privileged EXEC mode and advanced commands, including configuration commands.
This section includes the following topics:
• Command Authorization Overview, page 32-13
• Configuring Local Command Authorization, page 32-15
• Configuring TACACS+ Command Authorization, page 32-18
Command Authorization Overview
This section describes command authorization and includes the following topics:
• Supported Command Authorization Methods, page 32-14
• About Preserving User Credentials, page 32-14
• Security Contexts and Command Authorization, page 32-15
