1-23
Cisco ASA Series CLI Configuration Guide
Chapter 1 Configuring Management Access
Configuring AAA for System Administrators
Detailed Steps
Command Purpose
Step 1
aaa authorization exec
authentication-server
Example:
hostname(config)# aaa authorization exec
authentication-server
Enables management authorization for local, RADIUS, LDAP
(mapped), and TACACS+ users. Also enables support of
administrative user privilege levels from RADIUS, which can be
used in conjunction with local command privilege levels for
command authorization. See the “Configuring Local Command
Authorization” section on page 1-24 for more information. Use
the aaa authorization exec LOCAL command to enable
attributes to be taken from the local database.
Step 2
To configure the user for management authorization, see the following requirements for each AAA server type or
local user:
• RADIUS or LDAP (mapped) users—Use the IETF RADIUS numeric Service-Type attribute, which maps to one
of the following values:
–
Service-Type 6 (Administrative)—Allows full access to any services specified by the aaa authentication
console commands.
–
Service-Type 7 (NAS prompt)—Allows access to the CLI when you configure the aaa authentication
{telnet | ssh} console command, but denies ASDM configuration access if you configure the aaa
authentication http console command. ASDM monitoring access is allowed. If you configure enable
authentication with the aaa authentication enable console command, the user cannot access privileged
EXEC mode using the enable command.
–
Service-Type 5 (Outbound)—Denies management access. The user cannot use any services specified by the
aaa authentication console commands (excluding the serial keyword; serial access is allowed). Remote
access (IPsec and SSL) users can still authenticate and terminate their remote access sessions.
Configure Cisco VSA CVPN3000-Privilege-Level with a value between 0 and 15. and then map the LDAP
attributes to Cisco VAS CVPN3000-Privilege-Level using the ldap map-attributes command. For more
information, see the “Configuring LDAP Attribute Maps” section on page 1-20.
• TACACS+ users—Authorization is requested with “service=shell,” and the server responds with PASS or FAIL.
–
PASS, privilege level 1—Allows access to ASDM, with limited read-only access to the configuration and
monitoring sections, and access for show commands that are privilege level 1 only.
–
PASS, privilege level 2 and higher—Allows access to the CLI when you configure the aaa authentication
{telnet | ssh} console command, but denies ASDM configuration access if you configure the aaa
authentication http console command. ASDM monitoring access is allowed. If you configure enable
authentication with the aaa authentication enable console command, the user cannot access privileged
EXEC mode using the enable command. You are not allowed to access privileged EXEC mode using the
enable command if your enable privilege level is set to 14 or less.
–
FAIL—Denies management access. You cannot use any services specified by the aaa authentication
console commands (excluding the serial keyword; serial access is allowed).
• Local users—Sets the service-type command. By default, the service-type is admin, which allows full access
to any services specified by the aaa authentication console command. Uses the username command to
configure local database users at a privilege level from 0 to 15. For more information, see the “Adding a User
Account to the Local Database” section on page 1-22.
To Next Page
Loading...
Need help?
General
