37-24
Cisco ASA 5500 Series Configuration Guide using the CLI
Chapter 37 Configuring Management Access
Configuring AAA for System Administrators
To configure local command authorization, perform the following steps:

Detailed Steps

Step 1

Command:
privilege [show | clear | cmd] level level [mode {enable | cmd}] command command

Example:
hostname(config)# privilege show level 5 command filter

Purpose:
Assigns a command to a privilege level. Repeat this command for each command that you want to reassign.

The options in this command are the following:

show | clear | cmd: These optional keywords let you set the privilege only for the show, clear, or configure form of the command. The configure form of the command is typically the form that causes a configuration change, either as the unmodified command (without the show or clear prefix) or as the no form. If you do not use one of these keywords, all forms of the command are affected.

level level: A level between 0 and 15.

mode {enable | configure}: If a command can be entered in user EXEC or privileged EXEC mode as well as configuration mode, and the command performs different actions in each mode, you can set the privilege level for these modes separately:
  enable: Specifies both user EXEC mode and privileged EXEC mode.
  configure: Specifies configuration mode, accessed using the configure terminal command.

command command: The command you are configuring. You can only configure the privilege level of the main command. For example, you can configure the level of all aaa commands, but not the level of the aaa authentication command and the aaa authorization command separately.
Step 2

Command:
aaa authorization exec authentication-server

Example:
hostname(config)# aaa authorization exec authentication-server

Purpose:
Supports administrative user privilege levels from RADIUS. Enforces user-specific access levels for users who authenticate for management access (see the aaa authentication console LOCAL command).

Without this command, the ASA only supports privilege levels for local database users and defaults all other types of users to level 15.

This command also enables management authorization for local, RADIUS, LDAP (mapped), and TACACS+ users.

Use the aaa authorization exec LOCAL command to enable attributes to be taken from the local database. See the “Limiting User CLI and ASDM Access with Management Authorization” section on page 37-21 for information about configuring a user on a AAA server to accommodate management authorization.
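As an added illustration that is not part of the guide, the following constructed configuration carries the two steps above through to a working local command-authorization setup in which a level-5 operator can view but not change the filter settings. The username lines and the closing aaa authorization command LOCAL line are follow-on steps assumed here (they are not shown in this excerpt), and the passwords are placeholders.

```cisco
! Constructed example (not from the guide). Goal: the "netops" account
! (level 5) can run "show" for filter but cannot change or clear it.
! Step 1: set the privilege level per command form.
hostname(config)# privilege show level 5 command filter
hostname(config)# privilege cmd level 15 command filter
hostname(config)# privilege clear level 15 command filter
! Local accounts at the two levels (passwords are placeholders).
hostname(config)# username netops password <operator-password> privilege 5
hostname(config)# username admin password <admin-password> privilege 15
! Authenticate SSH logins and "enable" against the local database.
hostname(config)# aaa authentication ssh console LOCAL
hostname(config)# aaa authentication enable console LOCAL
! Step 2 (LOCAL form): take each user's privilege level from the local
! database instead of defaulting everyone to level 15.
hostname(config)# aaa authorization exec LOCAL
! Follow-on step assumed here (not in this excerpt): enforce the levels
! set in Step 1 on every command the user enters.
hostname(config)# aaa authorization command LOCAL
! Check: log in over SSH as netops, confirm the effective level is 5,
! then confirm the configure form of filter is rejected at that level.
hostname# show curpriv
hostname(config)# filter url http 0 0 0 0
```

Verify the same sequence as admin to confirm the level-15 account is not affected before closing the change window.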