32-17
Cisco ASA 5500 Series Configuration Guide using ASDM
OL-20339-01
Chapter 32 Configuring Management Access
Configuring AAA for System Administrators
Assigning Privilege Levels to Commands and Enabling Authorization
This section assigns a command to a new privilege level, and enables authorization.
Detailed Steps
Step 1 To enable command authorization, go to Configuration > Device Management > Users/AAA > AAA
Access > Authorization, and check Enable authorization for command access > Enable.
Step 2 From the Server Group drop-down list, choose LOCAL.
Step 3 When you enable local command authorization, you have the option of manually assigning privilege
levels to individual commands or groups of commands or enabling the predefined user account
privileges.
• To use predefined user account privileges, click Set ASDM Defined User Roles.
The ASDM Defined User Roles Setup dialog box shows the commands and their levels. Click Yes
to use the predefined user account privileges: Admin (privilege level 15, with full access to all CLI
commands; Read Only (privilege level 5, with read-only access); and Monitor Only (privilege level
3, with access to the Monitoring section only).
• To manually configure command levels, click Configure Command Privileges.
The Command Privileges Setup dialog box appears. You can view all commands by choosing --All
Modes-- from the Command Mode drop-down list, or you can choose a configuration mode to view
the commands available in that mode. For example, if you choose context, you can view all
commands available in context configuration mode. If a command can be entered in user
EXEC/privileged EXEC mode as well as configuration mode, and the command performs different
actions in each mode, you can set the privilege level for these modes separately.
The Variant column displays show, clear, or cmd. You can set the privilege only for the show, clear,
or configure form of the command. The configure form of the command is typically the form that
causes a configuration change, either as the unmodified command (without the show or clear prefix)
or as the no form.
To change the level of a command, double-click it or click Edit. You can set the level between 0 and
15. You can only configure the privilege level of the main command. For example, you can configure
the level of all aaa commands, but not the level of the aaa authentication command and the
aaa authorization command separately.
To change the level of all shown commands, click Select All and then Edit.
Click OK to accept your changes.
Step 4 To support administrative user privilege levels from RADIUS, check Perform authorization for exec
shell access > Enable.
Without this option, the adaptive security appliance only supports privilege levels for local database
users and defaults all other types of users to level 15.
This option also enables management authorization for local, RADIUS, LDAP (mapped), and TACACS+
users. See the “Limiting User CLI and ASDM Access with Management Authorization” section on
page 32-12 for more information.
Step 5 Click Apply.
To Next Page
Loading...
